diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index 00f840e..0000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-version: 2.1
-orbs:
- node: circleci/node@5.1.0
-workflows:
- node-tests:
- jobs:
- - node/test
diff --git a/.deepsource.toml b/.deepsource.toml
deleted file mode 100644
index 3aa065a..0000000
--- a/.deepsource.toml
+++ /dev/null
@@ -1,41 +0,0 @@
-version = 1
-
-[[analyzers]]
-name = "python"
-enabled = true
-
- [analyzers.meta]
- runtime_version = "3.x.x"
-
-[[analyzers]]
-name = "test-coverage"
-enabled = true
-
-[[analyzers]]
-name = "docker"
-enabled = true
-
-[[analyzers]]
-name = "javascript"
-enabled = true
-
- [analyzers.meta]
- plugins = [
- "react",
- "meteor",
- "vue",
- "angularjs",
- "ember",
- "angular"
- ]
-
-[[analyzers]]
-name = "shell"
-enabled = true
-
-[[analyzers]]
-name = "java"
-enabled = true
-
- [analyzers.meta]
- runtime_version = "14"
diff --git a/.github/workflows/alibabacloud.yml b/.github/workflows/alibabacloud.yml
index 872de3a..a5f1add 100644
--- a/.github/workflows/alibabacloud.yml
+++ b/.github/workflows/alibabacloud.yml
@@ -1,123 +1,123 @@
-# This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR),
-# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the master branch.
-#
-# To use this workflow, you will need to complete the following set-up steps:
-#
-# 1. Create an ACR repository to store your container images.
-# You can use ACR EE instance for more security and better performance.
-# For instructions see https://www.alibabacloud.com/help/doc-detail/142168.htm
-#
-# 2. Create an ACK cluster to run your containerized application.
-# You can use ACK Pro cluster for more security and better performance.
-# For instructions see https://www.alibabacloud.com/help/doc-detail/95108.htm
-#
-# 3. Store your AccessKey pair in GitHub Actions secrets named `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET`.
-# For instructions on setting up secrets see: https://developer.github.com/actions/managing-workflows/storing-secrets/
-#
-# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME.
-#
-
-name: Build and Deploy to ACK
-
-on:
- push:
- branches:
- - master
-
-# Environment variables available to all jobs and steps in this workflow.
-env:
- REGION_ID: cn-hangzhou
- REGISTRY: registry.cn-hangzhou.aliyuncs.com
- NAMESPACE: namespace
- IMAGE: repo
- TAG: ${{ github.sha }}
- ACK_CLUSTER_ID: clusterID
- ACK_DEPLOYMENT_NAME: nginx-deployment
-
- ACR_EE_REGISTRY: myregistry.cn-hangzhou.cr.aliyuncs.com
- ACR_EE_INSTANCE_ID: instanceID
- ACR_EE_NAMESPACE: namespace
- ACR_EE_IMAGE: repo
- ACR_EE_TAG: ${{ github.sha }}
-
-permissions:
- contents: read
-
-jobs:
- build:
- runs-on: ubuntu-latest
- environment: production
-
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- # 1.1 Login to ACR
- - name: Login to ACR with the AccessKey pair
- uses: aliyun/acr-login@v1
- with:
- region-id: "${{ env.REGION_ID }}"
- access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
- access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
-
- # 1.2 Buid and push image to ACR
- - name: Build and push image to ACR
- run: |
- docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" .
- docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG"
-
- # 1.3 Scan image in ACR
- - name: Scan image in ACR
- uses: aliyun/acr-scan@v1
- with:
- region-id: "${{ env.REGION_ID }}"
- access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
- access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
- repository: "${{ env.NAMESPACE }}/${{ env.IMAGE }}"
- tag: "${{ env.TAG }}"
-
- # 2.1 (Optional) Login to ACR EE
- - uses: actions/checkout@v3
- - name: Login to ACR EE with the AccessKey pair
- uses: aliyun/acr-login@v1
- with:
- login-server: "https://${{ env.ACR_EE_REGISTRY }}"
- region-id: "${{ env.REGION_ID }}"
- access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
- access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
- instance-id: "${{ env.ACR_EE_INSTANCE_ID }}"
-
- # 2.2 (Optional) Build and push image ACR EE
- - name: Build and push image to ACR EE
- run: |
- docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" .
- docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG"
- # 2.3 (Optional) Scan image in ACR EE
- - name: Scan image in ACR EE
- uses: aliyun/acr-scan@v1
- with:
- region-id: "${{ env.REGION_ID }}"
- access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
- access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
- instance-id: "${{ env.ACR_EE_INSTANCE_ID }}"
- repository: "${{ env.ACR_EE_NAMESPACE}}/${{ env.ACR_EE_IMAGE }}"
- tag: "${{ env.ACR_EE_TAG }}"
-
- # 3.1 Set ACK context
- - name: Set K8s context
- uses: aliyun/ack-set-context@v1
- with:
- access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
- access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
- cluster-id: "${{ env.ACK_CLUSTER_ID }}"
-
- # 3.2 Deploy the image to the ACK cluster
- - name: Set up Kustomize
- run: |-
- curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash /dev/stdin 3.8.6
- - name: Deploy
- run: |-
- ./kustomize edit set image REGISTRY/NAMESPACE/IMAGE:TAG=$REGISTRY/$NAMESPACE/$IMAGE:$TAG
- ./kustomize build . | kubectl apply -f -
- kubectl rollout status deployment/$ACK_DEPLOYMENT_NAME
- kubectl get services -o wide
+# This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR),
+# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the master branch.
+#
+# To use this workflow, you will need to complete the following set-up steps:
+#
+# 1. Create an ACR repository to store your container images.
+# You can use ACR EE instance for more security and better performance.
+# For instructions see https://www.alibabacloud.com/help/doc-detail/142168.htm
+#
+# 2. Create an ACK cluster to run your containerized application.
+# You can use ACK Pro cluster for more security and better performance.
+# For instructions see https://www.alibabacloud.com/help/doc-detail/95108.htm
+#
+# 3. Store your AccessKey pair in GitHub Actions secrets named `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET`.
+# For instructions on setting up secrets see: https://developer.github.com/actions/managing-workflows/storing-secrets/
+#
+# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME.
+#
+
+name: Build and Deploy to ACK
+
+on:
+ push:
+ branches:
+ - master
+
+# Environment variables available to all jobs and steps in this workflow.
+env:
+ REGION_ID: cn-hangzhou
+ REGISTRY: registry.cn-hangzhou.aliyuncs.com
+ NAMESPACE: namespace
+ IMAGE: repo
+ TAG: ${{ github.sha }}
+ ACK_CLUSTER_ID: clusterID
+ ACK_DEPLOYMENT_NAME: nginx-deployment
+
+ ACR_EE_REGISTRY: myregistry.cn-hangzhou.cr.aliyuncs.com
+ ACR_EE_INSTANCE_ID: instanceID
+ ACR_EE_NAMESPACE: namespace
+ ACR_EE_IMAGE: repo
+ ACR_EE_TAG: ${{ github.sha }}
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ environment: production
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ # 1.1 Login to ACR
+ - name: Login to ACR with the AccessKey pair
+ uses: aliyun/acr-login@v1
+ with:
+ region-id: "${{ env.REGION_ID }}"
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+
+ # 1.2 Buid and push image to ACR
+ - name: Build and push image to ACR
+ run: |
+ docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" .
+ docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG"
+
+ # 1.3 Scan image in ACR
+ - name: Scan image in ACR
+ uses: aliyun/acr-scan@v1
+ with:
+ region-id: "${{ env.REGION_ID }}"
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+ repository: "${{ env.NAMESPACE }}/${{ env.IMAGE }}"
+ tag: "${{ env.TAG }}"
+
+ # 2.1 (Optional) Login to ACR EE
+ - uses: actions/checkout@v3
+ - name: Login to ACR EE with the AccessKey pair
+ uses: aliyun/acr-login@v1
+ with:
+ login-server: "https://${{ env.ACR_EE_REGISTRY }}"
+ region-id: "${{ env.REGION_ID }}"
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+ instance-id: "${{ env.ACR_EE_INSTANCE_ID }}"
+
+ # 2.2 (Optional) Build and push image ACR EE
+ - name: Build and push image to ACR EE
+ run: |
+ docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" .
+ docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG"
+ # 2.3 (Optional) Scan image in ACR EE
+ - name: Scan image in ACR EE
+ uses: aliyun/acr-scan@v1
+ with:
+ region-id: "${{ env.REGION_ID }}"
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+ instance-id: "${{ env.ACR_EE_INSTANCE_ID }}"
+ repository: "${{ env.ACR_EE_NAMESPACE}}/${{ env.ACR_EE_IMAGE }}"
+ tag: "${{ env.ACR_EE_TAG }}"
+
+ # 3.1 Set ACK context
+ - name: Set K8s context
+ uses: aliyun/ack-set-context@v1
+ with:
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+ cluster-id: "${{ env.ACK_CLUSTER_ID }}"
+
+ # 3.2 Deploy the image to the ACK cluster
+ - name: Set up Kustomize
+ run: |-
+ curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash /dev/stdin 3.8.6
+ - name: Deploy
+ run: |-
+ ./kustomize edit set image REGISTRY/NAMESPACE/IMAGE:TAG=$REGISTRY/$NAMESPACE/$IMAGE:$TAG
+ ./kustomize build . | kubectl apply -f -
+ kubectl rollout status deployment/$ACK_DEPLOYMENT_NAME
+ kubectl get services -o wide
diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml
index 878adc4..a16cd59 100644
--- a/.github/workflows/anchore.yml
+++ b/.github/workflows/anchore.yml
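Review bot: The Kustomize install step on the new side, `curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash /dev/stdin 3.8.6`, executes an unpinned script from a moving branch inside a job that already holds the ACR AccessKey pair and an ACK cluster context, so any change to that script runs with those credentials. Pin the installer to a tag or commit (or fetch the 3.8.6 release archive and verify its published checksum before running it) rather than `master`. Separately, the second `- uses: actions/checkout@v3` under step 2.1 re-checks out the repository mid-job for no visible reason and looks like a leftover. Every line of this hunk is removed and re-added with identical visible text, which suggests a line-ending or trailing-whitespace rewrite; if so, a `.gitattributes` rule would keep it from recurring.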
@@ -1,45 +1,45 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow checks out code, builds an image, performs a container image
-# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
-# code scanning feature. For more information on the Anchore scan action usage
-# and parameters, see https://github.com/anchore/scan-action. For more
-# information on Anchore's container image scanning tool Grype, see
-# https://github.com/anchore/grype
-name: Anchore Container Scan
-
-on:
- push:
- branches: [ master ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ master ]
- schedule:
- - cron: '22 9 * * 2'
-
-permissions:
- contents: read
-
-jobs:
- Anchore-Build-Scan:
- permissions:
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- runs-on: ubuntu-latest
- steps:
- - name: Checkout the code
- uses: actions/checkout@v3
- - name: Build the Docker image
- run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
- uses: anchore/scan-action@487706fd9fc531f35bd6fc1edcdbae6bb79870fa
- with:
- image: "localbuild/testimage:latest"
- acs-report-enable: true
- - name: Upload Anchore Scan Report
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: results.sarif
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
+# code scanning feature. For more information on the Anchore scan action usage
+# and parameters, see https://github.com/anchore/scan-action. For more
+# information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+name: Anchore Container Scan
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ master ]
+ schedule:
+ - cron: '22 9 * * 2'
+
+permissions:
+ contents: read
+
+jobs:
+ Anchore-Build-Scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v3
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+ - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
+ uses: anchore/scan-action@487706fd9fc531f35bd6fc1edcdbae6bb79870fa
+ with:
+ image: "localbuild/testimage:latest"
+ acs-report-enable: true
+ - name: Upload Anchore Scan Report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/apisec-scan.yml b/.github/workflows/apisec-scan.yml
index 5d2d47b..d38090a 100644
--- a/.github/workflows/apisec-scan.yml
+++ b/.github/workflows/apisec-scan.yml
@@ -1,69 +1,69 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# APIsec addresses the critical need to secure APIs before they reach production.
-# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
-# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.
-
-# How to Get Started with APIsec.ai
-# 1. Schedule a demo at https://www.apisec.ai/request-a-demo .
-#
-# 2. Register your account at https://cloud.fxlabs.io/#/signup .
-#
-# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly.
-#
-# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions
-#
-# apisec-run-scan
-#
-# This action triggers the on-demand scans for projects registered in APIsec.
-# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings.
-# Else you can view the scan results from the project home page in APIsec Platform.
-# The link to view the scan results is also displayed on the console on successful completion of action.
-
-# This is a starter workflow to help you get started with APIsec-Scan Actions
-
-name: APIsec
-
-# Controls when the workflow will run
-on:
- # Triggers the workflow on push or pull request events but only for the master branch
- # Customize trigger events based on your DevSecOps processes.
- push:
- branches: [ master ]
- pull_request:
- branches: [ master ]
- schedule:
- - cron: '32 17 * * 5'
-
- # Allows you to run this workflow manually from the Actions tab
- workflow_dispatch:
-
-
-permissions:
- contents: read
-
-jobs:
- Trigger APIsec scan:
- permissions:
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- runs-on: ubuntu-latest
-
- steps:
- - name: APIsec scan
- uses: apisec-inc/apisec-run-scan@eadaedebb5b8516971299b64cea226dc9d9edb6c
- with:
- # The APIsec username with which the scans will be executed
- apisec-username: ${{ secrets.apisec_username }}
- # The Password of the APIsec user with which the scans will be executed
- apisec-password: ${{ secrets.apisec_password}}
- # The name of the project for security scan
- apisec-project: "VAmPI"
- # The name of the sarif format result file The file is written only if this property is provided.
- sarif-result-file: "apisec-results.sarif"
- - name: Import results
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: ./apisec-results.sarif
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# APIsec addresses the critical need to secure APIs before they reach production.
+# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
+# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.
+
+# How to Get Started with APIsec.ai
+# 1. Schedule a demo at https://www.apisec.ai/request-a-demo .
+#
+# 2. Register your account at https://cloud.fxlabs.io/#/signup .
+#
+# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly.
+#
+# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions
+#
+# apisec-run-scan
+#
+# This action triggers the on-demand scans for projects registered in APIsec.
+# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings.
+# Else you can view the scan results from the project home page in APIsec Platform.
+# The link to view the scan results is also displayed on the console on successful completion of action.
+
+# This is a starter workflow to help you get started with APIsec-Scan Actions
+
+name: APIsec
+
+# Controls when the workflow will run
+on:
+ # Triggers the workflow on push or pull request events but only for the master branch
+ # Customize trigger events based on your DevSecOps processes.
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+ schedule:
+ - cron: '32 17 * * 5'
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+
+permissions:
+ contents: read
+
+jobs:
+ Trigger APIsec scan:
+ permissions:
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: APIsec scan
+ uses: apisec-inc/apisec-run-scan@eadaedebb5b8516971299b64cea226dc9d9edb6c
+ with:
+ # The APIsec username with which the scans will be executed
+ apisec-username: ${{ secrets.apisec_username }}
+ # The Password of the APIsec user with which the scans will be executed
+ apisec-password: ${{ secrets.apisec_password}}
+ # The name of the project for security scan
+ apisec-project: "VAmPI"
+ # The name of the sarif format result file The file is written only if this property is provided.
+ sarif-result-file: "apisec-results.sarif"
+ - name: Import results
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ./apisec-results.sarif
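Review bot: The job id `Trigger APIsec scan:` under `jobs:` contains spaces, which GitHub Actions rejects as a job identifier (ids must start with a letter or `_` and may only contain alphanumerics, `-` and `_`), so as far as I can tell the workflow fails validation before any step runs; `Trigger_APIsec_scan:` would be accepted. The `apisec-password: ${{ secrets.apisec_password}}` line also drops the space before the closing braces, unlike `${{ secrets.apisec_username }}` directly above it; it evaluates the same but reads as a typo. The job's `permissions` grant only `security-events: write`, which is the right minimum here since nothing in the job checks out code.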
diff --git a/.github/workflows/aws.yml b/.github/workflows/aws.yml
index a6d3a8c..1253332 100644
--- a/.github/workflows/aws.yml
+++ b/.github/workflows/aws.yml
@@ -1,95 +1,95 @@
-# This workflow will build and push a new container image to Amazon ECR,
-# and then will deploy a new task definition to Amazon ECS, when there is a push to the master branch.
-#
-# To use this workflow, you will need to complete the following set-up steps:
-#
-# 1. Create an ECR repository to store your images.
-# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`.
-# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name.
-# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region.
-#
-# 2. Create an ECS task definition, an ECS cluster, and an ECS service.
-# For example, follow the Getting Started guide on the ECS console:
-# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun
-# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service.
-# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster.
-#
-# 3. Store your ECS task definition as a JSON file in your repository.
-# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`.
-# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file.
-# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container
-# in the `containerDefinitions` section of the task definition.
-#
-# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
-# See the documentation for each action used below for the recommended IAM policies for this IAM user,
-# and best practices on handling the access key credentials.
-
-name: Deploy to Amazon ECS
-
-on:
- push:
- branches:
- - master
-
-env:
- AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1
- ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name
- ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name
- ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name
- ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition
- # file, e.g. .aws/task-definition.json
- CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the
- # containerDefinitions section of your task definition
-
-permissions:
- contents: read
-
-jobs:
- deploy:
- name: Deploy
- runs-on: ubuntu-latest
- environment: production
-
- steps:
- - name: Checkout
- uses: actions/checkout@v3
-
- - name: Configure AWS credentials
- uses: aws-actions/configure-aws-credentials@v2
- with:
- aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ env.AWS_REGION }}
-
- - name: Login to Amazon ECR
- id: login-ecr
- uses: aws-actions/amazon-ecr-login@v1
-
- - name: Build, tag, and push image to Amazon ECR
- id: build-image
- env:
- ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
- IMAGE_TAG: ${{ github.sha }}
- run: |
- # Build a docker container and
- # push it to ECR so that it can
- # be deployed to ECS.
- docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
- docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
- echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
-
- - name: Fill in the new image ID in the Amazon ECS task definition
- id: task-def
- uses: aws-actions/amazon-ecs-render-task-definition@v1
- with:
- task-definition: ${{ env.ECS_TASK_DEFINITION }}
- container-name: ${{ env.CONTAINER_NAME }}
- image: ${{ steps.build-image.outputs.image }}
-
- - name: Deploy Amazon ECS task definition
- uses: aws-actions/amazon-ecs-deploy-task-definition@v1
- with:
- task-definition: ${{ steps.task-def.outputs.task-definition }}
- service: ${{ env.ECS_SERVICE }}
- cluster: ${{ env.ECS_CLUSTER }}
- wait-for-service-stability: true
+# This workflow will build and push a new container image to Amazon ECR,
+# and then will deploy a new task definition to Amazon ECS, when there is a push to the master branch.
+#
+# To use this workflow, you will need to complete the following set-up steps:
+#
+# 1. Create an ECR repository to store your images.
+# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`.
+# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name.
+# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region.
+#
+# 2. Create an ECS task definition, an ECS cluster, and an ECS service.
+# For example, follow the Getting Started guide on the ECS console:
+# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun
+# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service.
+# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster.
+#
+# 3. Store your ECS task definition as a JSON file in your repository.
+# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`.
+# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file.
+# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container
+# in the `containerDefinitions` section of the task definition.
+#
+# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
+# See the documentation for each action used below for the recommended IAM policies for this IAM user,
+# and best practices on handling the access key credentials.
+
+name: Deploy to Amazon ECS
+
+on:
+ push:
+ branches:
+ - master
+
+env:
+ AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1
+ ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name
+ ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name
+ ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name
+ ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition
+ # file, e.g. .aws/task-definition.json
+ CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the
+ # containerDefinitions section of your task definition
+
+permissions:
+ contents: read
+
+jobs:
+ deploy:
+ name: Deploy
+ runs-on: ubuntu-latest
+ environment: production
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v1
+
+ - name: Build, tag, and push image to Amazon ECR
+ id: build-image
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ IMAGE_TAG: ${{ github.sha }}
+ run: |
+ # Build a docker container and
+ # push it to ECR so that it can
+ # be deployed to ECS.
+ docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+ docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+ echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
+
+ - name: Fill in the new image ID in the Amazon ECS task definition
+ id: task-def
+ uses: aws-actions/amazon-ecs-render-task-definition@v1
+ with:
+ task-definition: ${{ env.ECS_TASK_DEFINITION }}
+ container-name: ${{ env.CONTAINER_NAME }}
+ image: ${{ steps.build-image.outputs.image }}
+
+ - name: Deploy Amazon ECS task definition
+ uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+ with:
+ task-definition: ${{ steps.task-def.outputs.task-definition }}
+ service: ${{ env.ECS_SERVICE }}
+ cluster: ${{ env.ECS_CLUSTER }}
+ wait-for-service-stability: true
diff --git a/.github/workflows/azure-container-webapp.yml b/.github/workflows/azure-container-webapp.yml
index b2a2e5d..ba599e4 100644
--- a/.github/workflows/azure-container-webapp.yml
+++ b/.github/workflows/azure-container-webapp.yml
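Review bot: The build step still publishes the image name with `echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"`, a workflow command GitHub has deprecated in favour of the `GITHUB_OUTPUT` file; once the runner stops honouring it, `steps.build-image.outputs.image` is empty and the render-task-definition step receives an empty image reference. Replace it with `echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> "$GITHUB_OUTPUT"`. The credentials step authenticates with long-lived IAM user keys from `secrets.AWS_ACCESS_KEY_ID` / `secrets.AWS_SECRET_ACCESS_KEY`; `aws-actions/configure-aws-credentials@v2` also supports OIDC federation through `role-to-assume` together with `id-token: write` on the job, which avoids keeping a standing secret in the repository at all.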
@@ -1,87 +1,87 @@
-# This workflow will build and push a Docker container to an Azure Web App when a commit is pushed to your default branch.
-#
-# This workflow assumes you have already created the target Azure App Service web app.
-# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-custom-container?tabs=dotnet&pivots=container-linux
-#
-# To configure this workflow:
-#
-# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
-# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
-#
-# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
-# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
-#
-# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions.
-#
-# 4. Create three app settings on your Azure Web app:
-# DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io"
-# DOCKER_REGISTRY_SERVER_USERNAME: Set this to the GitHub username or organization that owns the repository
-# DOCKER_REGISTRY_SERVER_PASSWORD: Set this to the value of your PAT token from the previous step
-#
-# 5. Change the value for the AZURE_WEBAPP_NAME.
-#
-# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
-# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
-# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
-
-name: Build and deploy a container to an Azure Web App
-
-env:
- AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
-
-on:
- push:
- branches:
- - master
- workflow_dispatch:
-
-permissions:
- contents: read
-
-jobs:
- build:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v3
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
-
- - name: Log in to GitHub container registry
- uses: docker/login-action@v2.2.0
- with:
- registry: ghcr.io
- username: ${{ github.actor }}
- password: ${{ github.token }}
-
- - name: Lowercase the repo name and username
- run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
-
- - name: Build and push container image to registry
- uses: docker/build-push-action@v4
- with:
- push: true
- tags: ghcr.io/${{ env.REPO }}:${{ github.sha }}
- file: ./Dockerfile
-
- deploy:
- permissions:
- contents: none
- runs-on: ubuntu-latest
- needs: build
- environment:
- name: 'Development'
- url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
-
- steps:
- - name: Lowercase the repo name and username
- run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
-
- - name: Deploy to Azure Web App
- id: deploy-to-webapp
- uses: azure/webapps-deploy@v2
- with:
- app-name: ${{ env.AZURE_WEBAPP_NAME }}
- publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
- images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}'
+# This workflow will build and push a Docker container to an Azure Web App when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure App Service web app.
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-custom-container?tabs=dotnet&pivots=container-linux
+#
+# To configure this workflow:
+#
+# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
+# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
+#
+# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
+# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
+#
+# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions.
+#
+# 4. Create three app settings on your Azure Web app:
+# DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io"
+# DOCKER_REGISTRY_SERVER_USERNAME: Set this to the GitHub username or organization that owns the repository
+# DOCKER_REGISTRY_SERVER_PASSWORD: Set this to the value of your PAT token from the previous step
+#
+# 5. Change the value for the AZURE_WEBAPP_NAME.
+#
+# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
+# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
+
+name: Build and deploy a container to an Azure Web App
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
+
+on:
+ push:
+ branches:
+ - master
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+
+ - name: Log in to GitHub container registry
+ uses: docker/login-action@v2.2.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
+
+ - name: Lowercase the repo name and username
+ run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+ - name: Build and push container image to registry
+ uses: docker/build-push-action@v4
+ with:
+ push: true
+ tags: ghcr.io/${{ env.REPO }}:${{ github.sha }}
+ file: ./Dockerfile
+
+ deploy:
+ permissions:
+ contents: none
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Lowercase the repo name and username
+ run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+ - name: Deploy to Azure Web App
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}'
diff --git a/.github/workflows/azure-kubernetes-service-helm.yml b/.github/workflows/azure-kubernetes-service-helm.yml
index 3914e51..6480383 100644
--- a/.github/workflows/azure-kubernetes-service-helm.yml
+++ b/.github/workflows/azure-kubernetes-service-helm.yml
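Review bot: The `build` job logs in to ghcr.io with `password: ${{ github.token }}` and then pushes via `docker/build-push-action@v4` with `push: true`, but the workflow-level `permissions: contents: read` leaves every other scope, including `packages`, unset for that token and the job declares no `permissions` of its own, so as far as I can tell the registry refuses the push. Give the job its own block, `permissions:` / `contents: read` / `packages: write` nested under `build:`, the same way `deploy` already narrows itself to `contents: none`. The `docker/login-action@v2.2.0` and `docker/build-push-action@v4` references are tag pins, whereas the third-party actions in the anchore and apisec files in this same commit are pinned to commit SHAs; pinning these by SHA as well would make the supply-chain posture consistent across the workflows.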
@@ -1,162 +1,162 @@
-# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
-#
-# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
-# For instructions see:
-# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
-# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
-# - https://github.com/Azure/aks-create-action
-#
-# To configure this workflow:
-#
-# 1. Set the following secrets in your repository (instructions for getting these
-# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)):
-# - AZURE_CLIENT_ID
-# - AZURE_TENANT_ID
-# - AZURE_SUBSCRIPTION_ID
-#
-# 2. Set the following environment variables (or replace the values below):
-# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - RESOURCE_GROUP (where your cluster is deployed)
-# - CLUSTER_NAME (name of your AKS cluster)
-# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
-#
-# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm.
-# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration.
-# - CHART_PATH (path to your helm chart)
-# - CHART_OVERRIDE_PATH (path to your helm chart with override values)
-#
-# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
-# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
-# For more options with the actions used below please refer to https://github.com/Azure/login
-
-name: Build and deploy an app to AKS with Helm
-
-on:
- push:
- branches:
- - master
- workflow_dispatch:
-
-env:
- AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
- CONTAINER_NAME: "your-container-name"
- RESOURCE_GROUP: "your-resource-group"
- CLUSTER_NAME: "your-cluster-name"
- IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
- CHART_PATH: "your-chart-path"
- CHART_OVERRIDE_PATH: "your-chart-override-path"
-
-jobs:
- buildImage:
- permissions:
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
-
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.7
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Builds and pushes an image up to your Azure Container Registry
- - name: Build and push image to ACR
- run: |
- az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
-
- createSecret:
- permissions:
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- steps:
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.7
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- - name: Get K8s context
- uses: azure/aks-set-context@v3.2
- with:
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
-
- # Retrieves the credentials for pulling images from your Azure Container Registry
- - name: Get ACR credentials
- run: |
- az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
- ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
- ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
- echo "::add-mask::${ACR_USERNAME}"
- echo "::set-output name=username::${ACR_USERNAME}"
- echo "::add-mask::${ACR_PASSWORD}"
- echo "::set-output name=password::${ACR_PASSWORD}"
- id: get-acr-creds
-
- # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
- - name: Create K8s secret for pulling image from ACR
- uses: Azure/k8s-create-secret@v4.0
- with:
- container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
- container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
- container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
-
- deploy:
- permissions:
- actions: read
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- needs: [buildImage, createSecret]
- steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
-
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.7
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- - name: Get K8s context
- uses: azure/aks-set-context@v3.2
- with:
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
-
- # Runs Helm to create manifest files
- - name: Bake deployment
- uses: azure/k8s-bake@v2.4
- with:
- renderEngine: 'helm'
- helmChart: ${{ env.CHART_PATH }}
- overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
- overrides: |
- replicas:2
- helm-version: 'latest'
- id: bake
-
- # Deploys application based on manifest files from previous step
- - name: Deploy application
- uses: Azure/k8s-deploy@v4.9
- with:
- action: deploy
- manifests: ${{ steps.bake.outputs.manifestsBundle }}
- images: |
- ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
- imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux)):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Helm.
+# Set your helmChart, overrideFiles, overrides, and helm-version to suit your configuration.
+# - CHART_PATH (path to your helm chart)
+# - CHART_OVERRIDE_PATH (path to your helm chart with override values)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Helm
+
+on:
+ push:
+ branches:
+ - master
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ CHART_PATH: "your-chart-path"
+ CHART_OVERRIDE_PATH: "your-chart-override-path"
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.7
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.7
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3.2
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v4.0
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.7
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3.2
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Runs Helm to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2.4
+ with:
+ renderEngine: 'helm'
+ helmChart: ${{ env.CHART_PATH }}
+ overrideFiles: ${{ env.CHART_OVERRIDE_PATH }}
+ overrides: |
+ replicas:2
+ helm-version: 'latest'
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v4.9
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/.github/workflows/azure-kubernetes-service-kompose.yml b/.github/workflows/azure-kubernetes-service-kompose.yml
index 73a95de..bcafc42 100644
--- a/.github/workflows/azure-kubernetes-service-kompose.yml
+++ b/.github/workflows/azure-kubernetes-service-kompose.yml
@@ -1,157 +1,157 @@
-# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
-#
-# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
-# For instructions see:
-# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
-# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
-# - https://github.com/Azure/aks-create-action
-#
-# To configure this workflow:
-#
-# 1. Set the following secrets in your repository (instructions for getting these
-# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
-# - AZURE_CLIENT_ID
-# - AZURE_TENANT_ID
-# - AZURE_SUBSCRIPTION_ID
-#
-# 2. Set the following environment variables (or replace the values below):
-# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - RESOURCE_GROUP (where your cluster is deployed)
-# - CLUSTER_NAME (name of your AKS cluster)
-# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
-#
-# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
-# Set your dockerComposeFile and kompose-version to suit your configuration.
-# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located)
-#
-# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
-# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
-# For more options with the actions used below please refer to https://github.com/Azure/login
-
-name: Build and deploy an app to AKS with Kompose
-
-on:
- push:
- branches:
- - master
- workflow_dispatch:
-
-env:
- AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
- CONTAINER_NAME: "your-container-name"
- RESOURCE_GROUP: "your-resource-group"
- CLUSTER_NAME: "your-cluster-name"
- IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
- DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
-
-jobs:
- buildImage:
- permissions:
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
-
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.7
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Builds and pushes an image up to your Azure Container Registry
- - name: Build and push image to ACR
- run: |
- az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
-
- createSecret:
- permissions:
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- steps:
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.7
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- - name: Get K8s context
- uses: azure/aks-set-context@v3.2
- with:
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
-
- # Retrieves the credentials for pulling images from your Azure Container Registry
- - name: Get ACR credentials
- run: |
- az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
- ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
- ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
- echo "::add-mask::${ACR_USERNAME}"
- echo "::set-output name=username::${ACR_USERNAME}"
- echo "::add-mask::${ACR_PASSWORD}"
- echo "::set-output name=password::${ACR_PASSWORD}"
- id: get-acr-creds
-
- # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
- - name: Create K8s secret for pulling image from ACR
- uses: Azure/k8s-create-secret@v4.0
- with:
- container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
- container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
- container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
-
- deploy:
- permissions:
- actions: read
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- needs: [buildImage, createSecret]
- steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
-
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.7
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- - name: Get K8s context
- uses: azure/aks-set-context@v3.2
- with:
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
-
- # Runs Kompose to create manifest files
- - name: Bake deployment
- uses: azure/k8s-bake@v2.4
- with:
- renderEngine: 'kompose'
- dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }}
- kompose-version: 'latest'
- id: bake
-
- # Deploys application based on manifest files from previous step
- - name: Deploy application
- uses: Azure/k8s-deploy@v4.9
- with:
- action: deploy
- manifests: ${{ steps.bake.outputs.manifestsBundle }}
- images: |
- ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
- imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
+# Set your dockerComposeFile and kompose-version to suit your configuration.
+# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Kompose
+
+on:
+ push:
+ branches:
+ - master
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.7
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.7
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3.2
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v4.0
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.7
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3.2
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Runs Kompose to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2.4
+ with:
+ renderEngine: 'kompose'
+ dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }}
+ kompose-version: 'latest'
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v4.9
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/.github/workflows/azure-kubernetes-service-kustomize.yml b/.github/workflows/azure-kubernetes-service-kustomize.yml
index 936bc31..f5dc5cc 100644
--- a/.github/workflows/azure-kubernetes-service-kustomize.yml
+++ b/.github/workflows/azure-kubernetes-service-kustomize.yml
@@ -1,157 +1,157 @@
-# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
-#
-# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
-# For instructions see:
-# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
-# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
-# - https://github.com/Azure/aks-create-action
-#
-# To configure this workflow:
-#
-# 1. Set the following secrets in your repository (instructions for getting these
-# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
-# - AZURE_CLIENT_ID
-# - AZURE_TENANT_ID
-# - AZURE_SUBSCRIPTION_ID
-#
-# 2. Set the following environment variables (or replace the values below):
-# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - RESOURCE_GROUP (where your cluster is deployed)
-# - CLUSTER_NAME (name of your AKS cluster)
-# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
-#
-# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
-# Set your kustomizationPath and kubectl-version to suit your configuration.
-# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located)
-#
-# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
-# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
-# For more options with the actions used below please refer to https://github.com/Azure/login
-
-name: Build and deploy an app to AKS with Kustomize
-
-on:
- push:
- branches:
- - master
- workflow_dispatch:
-
-env:
- AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
- CONTAINER_NAME: "your-container-name"
- RESOURCE_GROUP: "your-resource-group"
- CLUSTER_NAME: "your-cluster-name"
- IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
- KUSTOMIZE_PATH: "your-kustomize-path"
-
-jobs:
- buildImage:
- permissions:
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
-
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.7
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Builds and pushes an image up to your Azure Container Registry
- - name: Build and push image to ACR
- run: |
- az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
-
- createSecret:
- permissions:
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- steps:
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.7
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- - name: Get K8s context
- uses: azure/aks-set-context@v3.2
- with:
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
-
- # Retrieves the credentials for pulling images from your Azure Container Registry
- - name: Get ACR credentials
- run: |
- az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
- ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
- ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
- echo "::add-mask::${ACR_USERNAME}"
- echo "::set-output name=username::${ACR_USERNAME}"
- echo "::add-mask::${ACR_PASSWORD}"
- echo "::set-output name=password::${ACR_PASSWORD}"
- id: get-acr-creds
-
- # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
- - name: Create K8s secret for pulling image from ACR
- uses: Azure/k8s-create-secret@v4.0
- with:
- container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
- container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
- container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
-
- deploy:
- permissions:
- actions: read
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- needs: [buildImage, createSecret]
- steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
-
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.7
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- - name: Get K8s context
- uses: azure/aks-set-context@v3.2
- with:
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
-
- # Runs Kustomize to create manifest files
- - name: Bake deployment
- uses: azure/k8s-bake@v2.4
- with:
- renderEngine: 'kustomize'
- kustomizationPath: ${{ env.KUSTOMIZE_PATH }}
- kubectl-version: latest
- id: bake
-
- # Deploys application based on manifest files from previous step
- - name: Deploy application
- uses: Azure/k8s-deploy@v4.9
- with:
- action: deploy
- manifests: ${{ steps.bake.outputs.manifestsBundle }}
- images: |
- ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
- imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
+# Set your kustomizationPath and kubectl-version to suit your configuration.
+# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Kustomize
+
+on:
+ push:
+ branches:
+ - master
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ KUSTOMIZE_PATH: "your-kustomize-path"
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.7
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.7
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3.2
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v4.0
+ with:
+ container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.7
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3.2
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Runs Kustomize to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2.4
+ with:
+ renderEngine: 'kustomize'
+ kustomizationPath: ${{ env.KUSTOMIZE_PATH }}
+ kubectl-version: latest
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v4.9
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/.github/workflows/azure-kubernetes-service.yml b/.github/workflows/azure-kubernetes-service.yml
index 7e12308..a7fe806 100644
--- a/.github/workflows/azure-kubernetes-service.yml
+++ b/.github/workflows/azure-kubernetes-service.yml
@@ -1,144 +1,144 @@
-# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
-#
-# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
-# For instructions see:
-# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
-# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
-# - https://github.com/Azure/aks-create-action
-#
-# To configure this workflow:
-#
-# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
-# - AZURE_CLIENT_ID
-# - AZURE_TENANT_ID
-# - AZURE_SUBSCRIPTION_ID
-#
-# 2. Set the following environment variables (or replace the values below):
-# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
-# - RESOURCE_GROUP (where your cluster is deployed)
-# - CLUSTER_NAME (name of your AKS cluster)
-# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
-# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
-# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment)
-#
-# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
-# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
-# For more options with the actions used below please refer to https://github.com/Azure/login
-
-name: Build and deploy an app to AKS
-
-on:
- push:
- branches:
- - master
- workflow_dispatch:
-
-env:
- AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
- CONTAINER_NAME: "your-container-name"
- RESOURCE_GROUP: "your-resource-group"
- CLUSTER_NAME: "your-cluster-name"
- IMAGE_PULL_SECRET_NAME: 
"your-image-pull-secret-name"
- DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path'
-
-jobs:
- buildImage:
- permissions:
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
-
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.7
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Builds and pushes an image up to your Azure Container Registry
- - name: Build and push image to ACR
- run: |
- az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
-
- createSecret:
- permissions:
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- steps:
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.7
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- - name: Get K8s context
- uses: azure/aks-set-context@v3.2
- with:
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
-
- # Retrieves the credentials for pulling images from your Azure Container Registry
- - name: Get ACR credentials
- run: |
- az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
- ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
- ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
- echo "::add-mask::${ACR_USERNAME}"
- echo "::set-output name=username::${ACR_USERNAME}"
- echo 
"::add-mask::${ACR_PASSWORD}"
- echo "::set-output name=password::${ACR_PASSWORD}"
- id: get-acr-creds
-
- # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
- - name: Create K8s secret for pulling image from ACR
- uses: Azure/k8s-create-secret@v4.0
- with:
- container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
- container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
- container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
- secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
-
- deploy:
- permissions:
- actions: read
- contents: read
- id-token: write
- runs-on: ubuntu-latest
- needs: [buildImage, createSecret]
- steps:
- # Checks out the repository this file is in
- - uses: actions/checkout@v3
-
- # Logs in with your Azure credentials
- - name: Azure login
- uses: azure/login@v1.4.7
- with:
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
- # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
- - name: Get K8s context
- uses: azure/aks-set-context@v3.2
- with:
- resource-group: ${{ env.RESOURCE_GROUP }}
- cluster-name: ${{ env.CLUSTER_NAME }}
-
- # Deploys application based on given manifest file
- - name: Deploys application
- uses: Azure/k8s-deploy@v4.9
- with:
- action: deploy
- manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
- images: |
- ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
- imagepullsecrets: |
- ${{ env.IMAGE_PULL_SECRET_NAME }}
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal 
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS
+
+on:
+ push:
+ branches:
+ - master
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ IMAGE_PULL_SECRET_NAME: "your-image-pull-secret-name"
+ DEPLOYMENT_MANIFEST_PATH: 'your-deployment-manifest-path'
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.7
+ with:
+ client-id: 
${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ createSecret:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.7
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3.2
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Retrieves the credentials for pulling images from your Azure Container Registry
+ - name: Get ACR credentials
+ run: |
+ az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true
+ ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv)
+ ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv)
+ echo "::add-mask::${ACR_USERNAME}"
+ echo "::set-output name=username::${ACR_USERNAME}"
+ echo "::add-mask::${ACR_PASSWORD}"
+ echo "::set-output name=password::${ACR_PASSWORD}"
+ id: get-acr-creds
+
+ # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step
+ - name: Create K8s secret for pulling image from ACR
+ uses: Azure/k8s-create-secret@v4.0
+ with:
+ container-registry-url: ${{ 
env.AZURE_CONTAINER_REGISTRY }}.azurecr.io
+ container-registry-username: ${{ steps.get-acr-creds.outputs.username }}
+ container-registry-password: ${{ steps.get-acr-creds.outputs.password }}
+ secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }}
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage, createSecret]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v3
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.7
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3.2
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+
+ # Deploys application based on given manifest file
+ - name: Deploys application
+ uses: Azure/k8s-deploy@v4.9
+ with:
+ action: deploy
+ manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
+ imagepullsecrets: |
+ ${{ env.IMAGE_PULL_SECRET_NAME }}
diff --git a/.github/workflows/azure-staticwebapp.yml b/.github/workflows/azure-staticwebapp.yml
index 8f95868..b7c064b 100644
--- a/.github/workflows/azure-staticwebapp.yml
+++ b/.github/workflows/azure-staticwebapp.yml
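Review bot: The `Get ACR credentials` step in `createSecret` runs `az acr update ... --admin-enabled true` and then exports the admin password as a step output, so every run switches on the registry-wide admin account — a single shared credential with push rights that is not tied to any principal — and leaves it enabled afterwards. Since the job already authenticates with OIDC (`id-token: write` plus `azure/login`), granting the cluster's kubelet identity `AcrPull` on the registry (or using a repository-scoped ACR token) would let pods pull images without an admin credential or an `imagePullSecret` at all. The `echo "::set-output name=..."` lines also use the deprecated workflow command; replace them with `echo "username=${ACR_USERNAME}" >> "$GITHUB_OUTPUT"` and `echo "password=${ACR_PASSWORD}" >> "$GITHUB_OUTPUT"`. All `uses:` references here (`azure/login@v1.4.7`, `Azure/k8s-deploy@v4.9`, …) and in the static-web-app, dotnet-core, java-jar and node hunks are mutable tags; pinning each to a full commit SHA is the usual hardening for workflows that hold deployment credentials. The hunk appears to remove and re-add every line unchanged, so these points concern the pre-existing content rather than what this commit alters.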
@@ -1,72 +1,72 @@ -# This workflow will build and push a web application to an Azure Static Web App when you change your code. -# -# This workflow assumes you have already created the target Azure Static Web App. -# For instructions see https://docs.microsoft.com/azure/static-web-apps/get-started-portal?tabs=vanilla-javascript -# -# To configure this workflow: -# -# 1. Set up a secret in your repository named AZURE_STATIC_WEB_APPS_API_TOKEN with the value of your Static Web Apps deployment token. -# For instructions on obtaining the deployment token see: https://docs.microsoft.com/azure/static-web-apps/deployment-token-management -# -# 3. Change the values for the APP_LOCATION, API_LOCATION and APP_ARTIFACT_LOCATION, AZURE_STATIC_WEB_APPS_API_TOKEN environment variables (below). -# For instructions on setting up the appropriate configuration values go to https://docs.microsoft.com/azure/static-web-apps/front-end-frameworks -name: Deploy web app to Azure Static Web Apps - -on: - push: - branches: - - master - pull_request: - types: [opened, synchronize, reopened, closed] - branches: - - master - -# Environment variables available to all jobs and steps in this workflow -env: - APP_LOCATION: "/" # location of your client code - API_LOCATION: "api" # location of your api source code - optional - APP_ARTIFACT_LOCATION: "build" # location of client code build output - AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app - -permissions: - contents: read - -jobs: - build_and_deploy_job: - permissions: - contents: read # for actions/checkout to fetch code - pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs - if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') - runs-on: ubuntu-latest - name: Build and Deploy Job - steps: - - uses: actions/checkout@v3 - with: - submodules: true - - name: Build And Deploy - id: 
builddeploy - uses: Azure/static-web-apps-deploy@v1 - with: - azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app - repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments) - action: "upload" - ###### Repository/Build Configurations - These values can be configured to match you app requirements. ###### - # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig - app_location: ${{ env.APP_LOCATION }} - api_location: ${{ env.API_LOCATION }} - app_artifact_location: ${{ env.APP_ARTIFACT_LOCATION }} - ###### End of Repository/Build Configurations ###### - - close_pull_request_job: - permissions: - contents: none - if: github.event_name == 'pull_request' && github.event.action == 'closed' - runs-on: ubuntu-latest - name: Close Pull Request Job - steps: - - name: Close Pull Request - id: closepullrequest - uses: Azure/static-web-apps-deploy@v1 - with: - azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app - action: "close" +# This workflow will build and push a web application to an Azure Static Web App when you change your code. +# +# This workflow assumes you have already created the target Azure Static Web App. +# For instructions see https://docs.microsoft.com/azure/static-web-apps/get-started-portal?tabs=vanilla-javascript +# +# To configure this workflow: +# +# 1. Set up a secret in your repository named AZURE_STATIC_WEB_APPS_API_TOKEN with the value of your Static Web Apps deployment token. +# For instructions on obtaining the deployment token see: https://docs.microsoft.com/azure/static-web-apps/deployment-token-management +# +# 3. Change the values for the APP_LOCATION, API_LOCATION and APP_ARTIFACT_LOCATION, AZURE_STATIC_WEB_APPS_API_TOKEN environment variables (below). 
+# For instructions on setting up the appropriate configuration values go to https://docs.microsoft.com/azure/static-web-apps/front-end-frameworks +name: Deploy web app to Azure Static Web Apps + +on: + push: + branches: + - master + pull_request: + types: [opened, synchronize, reopened, closed] + branches: + - master + +# Environment variables available to all jobs and steps in this workflow +env: + APP_LOCATION: "/" # location of your client code + API_LOCATION: "api" # location of your api source code - optional + APP_ARTIFACT_LOCATION: "build" # location of client code build output + AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app + +permissions: + contents: read + +jobs: + build_and_deploy_job: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs + if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') + runs-on: ubuntu-latest + name: Build and Deploy Job + steps: + - uses: actions/checkout@v3 + with: + submodules: true + - name: Build And Deploy + id: builddeploy + uses: Azure/static-web-apps-deploy@v1 + with: + azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app + repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments) + action: "upload" + ###### Repository/Build Configurations - These values can be configured to match you app requirements. 
###### + # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig + app_location: ${{ env.APP_LOCATION }} + api_location: ${{ env.API_LOCATION }} + app_artifact_location: ${{ env.APP_ARTIFACT_LOCATION }} + ###### End of Repository/Build Configurations ###### + + close_pull_request_job: + permissions: + contents: none + if: github.event_name == 'pull_request' && github.event.action == 'closed' + runs-on: ubuntu-latest + name: Close Pull Request Job + steps: + - name: Close Pull Request + id: closepullrequest + uses: Azure/static-web-apps-deploy@v1 + with: + azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app + action: "close" diff --git a/.github/workflows/azure-webapps-dotnet-core.yml b/.github/workflows/azure-webapps-dotnet-core.yml index a691a44..7c8cb20 100644 --- a/.github/workflows/azure-webapps-dotnet-core.yml +++ b/.github/workflows/azure-webapps-dotnet-core.yml 
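Review bot: `AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }}` in the workflow-level `env:` puts the deployment token into the process environment of every step in both jobs, including `actions/checkout` with `submodules: true`, although only the two `Azure/static-web-apps-deploy` steps need it. Passing it at the point of use, `azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }}`, and dropping the `env` entry keeps it out of unrelated steps and anything they spawn. The setup comments also number the steps 1 and 3 with no 2, so either an instruction is missing or the numbering should be corrected. The hunk appears to re-add every line unchanged, so this concerns the pre-existing content rather than what the commit alters.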
@@ -1,89 +1,89 @@ -# This workflow will build and push a .NET Core app to an Azure Web App when a commit is pushed to your default branch. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?tabs=net60&pivots=development-environment-vscode -# -# To configure this workflow: -# -# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. -# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials -# -# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and DOTNET_VERSION environment variables below. -# -# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions -# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples - -name: Build and deploy ASP.Net Core app to an Azure Web App - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - AZURE_WEBAPP_PACKAGE_PATH: '.' 
# set this to the path to your web app project, defaults to the repository root - DOTNET_VERSION: '5' # set this to the .NET Core version to use - -on: - push: - branches: - - master - workflow_dispatch: - -permissions: - contents: read - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - name: Set up .NET Core - uses: actions/setup-dotnet@v3 - with: - dotnet-version: ${{ env.DOTNET_VERSION }} - - - name: Set up dependency caching for faster builds - uses: actions/cache@v3 - with: - path: ~/.nuget/packages - key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }} - restore-keys: | - ${{ runner.os }}-nuget- - - - name: Build with dotnet - run: dotnet build --configuration Release - - - name: dotnet publish - run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 - with: - name: .net-app - path: ${{env.DOTNET_ROOT}}/myapp - - deploy: - permissions: - contents: none - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v3 - with: - name: .net-app - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} +# This workflow will build and push a .NET Core app to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-dotnetcore?tabs=net60&pivots=development-environment-vscode +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. 
You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and DOTNET_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + +name: Build and deploy ASP.Net Core app to an Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + AZURE_WEBAPP_PACKAGE_PATH: '.' 
# set this to the path to your web app project, defaults to the repository root + DOTNET_VERSION: '5' # set this to the .NET Core version to use + +on: + push: + branches: + - master + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Set up .NET Core + uses: actions/setup-dotnet@v3 + with: + dotnet-version: ${{ env.DOTNET_VERSION }} + + - name: Set up dependency caching for faster builds + uses: actions/cache@v3 + with: + path: ~/.nuget/packages + key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }} + restore-keys: | + ${{ runner.os }}-nuget- + + - name: Build with dotnet + run: dotnet build --configuration Release + + - name: dotnet publish + run: dotnet publish -c Release -o ${{env.DOTNET_ROOT}}/myapp + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v3 + with: + name: .net-app + path: ${{env.DOTNET_ROOT}}/myapp + + deploy: + permissions: + contents: none + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v3 + with: + name: .net-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/.github/workflows/azure-webapps-java-jar.yml b/.github/workflows/azure-webapps-java-jar.yml index 794d6a8..a889928 100644 --- a/.github/workflows/azure-webapps-java-jar.yml +++ b/.github/workflows/azure-webapps-java-jar.yml 
@@ -1,80 +1,80 @@ -# This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-java?tabs=javase&pivots=platform-linux -# -# To configure this workflow: -# -# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. -# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials -# -# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the JAVA_VERSION environment variable below. 
-# -# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions -# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples - -name: Build and deploy JAR app to Azure Web App - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - JAVA_VERSION: '11' # set this to the Java version to use - DISTRIBUTION: zulu # set this to the Java distribution - -on: - push: - branches: - - master - workflow_dispatch: - -permissions: - contents: read - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - name: Set up Java version - uses: actions/setup-java@v3.11.0 - with: - java-version: ${{ env.JAVA_VERSION }} - distribution: ${{ env.DISTRIBUTION }} - cache: 'maven' - - - name: Build with Maven - run: mvn clean install - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 - with: - name: java-app - path: '${{ github.workspace }}/target/*.jar' - - deploy: - permissions: - contents: none - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v3 - with: - name: java-app - - - name: Deploy to Azure Web App - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: '*.jar' +# This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. 
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-java?tabs=javase&pivots=platform-linux +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the JAVA_VERSION environment variable below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + +name: Build and deploy JAR app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + JAVA_VERSION: '11' # set this to the Java version to use + DISTRIBUTION: zulu # set this to the Java distribution + +on: + push: + branches: + - master + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Set up Java version + uses: actions/setup-java@v3.11.0 + with: + java-version: ${{ env.JAVA_VERSION }} + distribution: ${{ env.DISTRIBUTION }} + cache: 'maven' + + - name: Build with Maven + run: mvn clean install + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v3 + with: + name: java-app + path: '${{ github.workspace }}/target/*.jar' 
+ + deploy: + permissions: + contents: none + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v3 + with: + name: java-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: '*.jar' diff --git a/.github/workflows/azure-webapps-node.yml b/.github/workflows/azure-webapps-node.yml index 1376800..3029065 100644 --- a/.github/workflows/azure-webapps-node.yml +++ b/.github/workflows/azure-webapps-node.yml 
@@ -1,79 +1,79 @@ -# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli -# -# To configure this workflow: -# -# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. -# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials -# -# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables below. -# -# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions -# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples - -on: - push: - branches: - - master - workflow_dispatch: - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' 
# set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '14.x' # set this to the node version to use - -permissions: - contents: read - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: Set up Node.js - uses: actions/setup-node@v3 - with: - node-version: ${{ env.NODE_VERSION }} - cache: 'npm' - - - name: npm install, build, and test - run: | - npm install - npm run build --if-present - npm run test --if-present - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 - with: - name: node-app - path: . - - deploy: - permissions: - contents: none - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v3 - with: - name: node-app - - - name: 'Deploy to Azure WebApp' - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. 
+# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + +on: + push: + branches: + - master + workflow_dispatch: + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root + NODE_VERSION: '14.x' # set this to the node version to use + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Set up Node.js + uses: actions/setup-node@v3 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + + - name: npm install, build, and test + run: | + npm install + npm run build --if-present + npm run test --if-present + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v3 + with: + name: node-app + path: . + + deploy: + permissions: + contents: none + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v3 + with: + name: node-app + + - name: 'Deploy to Azure WebApp' + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} 
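Review bot: The build step runs `npm install` rather than `npm ci`, so dependencies are re-resolved on every run instead of taken from package-lock.json, which makes the deployed artifact non-reproducible and lets a newly published version that satisfies a range land in the build unreviewed. `actions/setup-node@v3` is configured with `cache: 'npm'`, which already presupposes a lockfile, so change the first line of the run block to `npm ci`. The artifact upload with `path: .` also ships the whole workspace, including `.git` and `node_modules`, to the deploy job; narrowing it to the build output would keep the deployed package smaller and free of repository metadata. This hunk appears to re-add the file verbatim (likely a line-ending change), so these points concern retained content rather than a new regression.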
diff --git a/.github/workflows/azure-webapps-php.yml b/.github/workflows/azure-webapps-php.yml
index 955b03d..ca2ed48 100644
--- a/.github/workflows/azure-webapps-php.yml
+++ b/.github/workflows/azure-webapps-php.yml
@@ -1,100 +1,100 @@ -# This workflow will build and push a PHP application to an Azure Web App when a commit is pushed to your default branch. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-php?pivots=platform-linux -# -# To configure this workflow: -# -# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. -# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials -# -# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and PHP_VERSION environment variables below. -# -# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions -# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples - -name: Build and deploy PHP app to Azure Web App - -on: - push: - branches: - - master - workflow_dispatch: - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' 
# set this to the path to your web app project, defaults to the repository root - PHP_VERSION: '8.x' # set this to the PHP version to use - -permissions: - contents: read - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - name: Setup PHP - uses: shivammathur/setup-php@9c77701ae57b0c47f6732beebfbdec76e4e5c90a - with: - php-version: ${{ env.PHP_VERSION }} - - - name: Check if composer.json exists - id: check_files - uses: andstor/file-existence-action@20b4d2e596410855db8f9ca21e96fbe18e12930b - with: - files: 'composer.json' - - - name: Get Composer Cache Directory - id: composer-cache - if: steps.check_files.outputs.files_exists == 'true' - run: | - echo "::set-output name=dir::$(composer config cache-files-dir)" - - - name: Set up dependency caching for faster installs - uses: actions/cache@v3 - if: steps.check_files.outputs.files_exists == 'true' - with: - path: ${{ steps.composer-cache.outputs.dir }} - key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} - restore-keys: | - ${{ runner.os }}-composer- - - - name: Run composer install if composer.json exists - if: steps.check_files.outputs.files_exists == 'true' - run: composer validate --no-check-publish && composer install --prefer-dist --no-progress - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v3 - with: - name: php-app - path: . - - deploy: - permissions: - contents: none - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v3 - with: - name: php-app - - - name: 'Deploy to Azure Web App' - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: . 
+# This workflow will build and push a PHP application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-php?pivots=platform-linux +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and PHP_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + +name: Build and deploy PHP app to Azure Web App + +on: + push: + branches: + - master + workflow_dispatch: + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' 
# set this to the path to your web app project, defaults to the repository root + PHP_VERSION: '8.x' # set this to the PHP version to use + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Setup PHP + uses: shivammathur/setup-php@9c77701ae57b0c47f6732beebfbdec76e4e5c90a + with: + php-version: ${{ env.PHP_VERSION }} + + - name: Check if composer.json exists + id: check_files + uses: andstor/file-existence-action@20b4d2e596410855db8f9ca21e96fbe18e12930b + with: + files: 'composer.json' + + - name: Get Composer Cache Directory + id: composer-cache + if: steps.check_files.outputs.files_exists == 'true' + run: | + echo "::set-output name=dir::$(composer config cache-files-dir)" + + - name: Set up dependency caching for faster installs + uses: actions/cache@v3 + if: steps.check_files.outputs.files_exists == 'true' + with: + path: ${{ steps.composer-cache.outputs.dir }} + key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} + restore-keys: | + ${{ runner.os }}-composer- + + - name: Run composer install if composer.json exists + if: steps.check_files.outputs.files_exists == 'true' + run: composer validate --no-check-publish && composer install --prefer-dist --no-progress + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v3 + with: + name: php-app + path: . + + deploy: + permissions: + contents: none + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v3 + with: + name: php-app + + - name: 'Deploy to Azure Web App' + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: . 
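Review bot: The "Get Composer Cache Directory" step still emits its output with the deprecated `::set-output` workflow command, which GitHub has announced it will stop honoring; once that happens `steps.composer-cache.outputs.dir` is empty and the `actions/cache@v3` step no longer receives a usable path. Replace the run line with `echo "dir=$(composer config cache-files-dir)" >> "$GITHUB_OUTPUT"`. The third-party actions in this job are pinned to full commit SHAs, which is the right supply-chain practice and should be kept when they are bumped. The hunk re-adds the file's content unchanged (apparently a line-ending normalization), so the point applies to retained code.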
diff --git a/.github/workflows/azure-webapps-python.yml b/.github/workflows/azure-webapps-python.yml
index 85aafc7..b4d791c 100644
--- a/.github/workflows/azure-webapps-python.yml
+++ b/.github/workflows/azure-webapps-python.yml
@@ -1,87 +1,87 @@ -# This workflow will build and push a Python application to an Azure Web App when a commit is pushed to your default branch. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-python?tabs=bash&pivots=python-framework-flask -# -# To configure this workflow: -# -# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. -# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials -# -# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the PYTHON_VERSION environment variables below. 
-# -# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions -# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy -# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples - -name: Build and deploy Python app to Azure Web App - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App - PYTHON_VERSION: '3.8' # set this to the Python version to use - -on: - push: - branches: - - master - workflow_dispatch: - -permissions: - contents: read - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - name: Set up Python version - uses: actions/setup-python@v4.6.1 - with: - python-version: ${{ env.PYTHON_VERSION }} - cache: 'pip' - - - name: Create and start virtual environment - run: | - python -m venv venv - source venv/bin/activate - - - name: Install dependencies - run: pip install -r requirements.txt - - # Optional: Add step to run tests here (PyTest, Django test suites, etc.) - - - name: Upload artifact for deployment jobs - uses: actions/upload-artifact@v3 - with: - name: python-app - path: | - . - !venv/ - - deploy: - permissions: - contents: none - runs-on: ubuntu-latest - needs: build - environment: - name: 'Development' - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - name: Download artifact from build job - uses: actions/download-artifact@v3 - with: - name: python-app - path: . - - - name: 'Deploy to Azure Web App' - id: deploy-to-webapp - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} +# This workflow will build and push a Python application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. 
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-python?tabs=bash&pivots=python-framework-flask +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the PYTHON_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + +name: Build and deploy Python app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + PYTHON_VERSION: '3.8' # set this to the Python version to use + +on: + push: + branches: + - master + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Set up Python version + uses: actions/setup-python@v4.6.1 + with: + python-version: ${{ env.PYTHON_VERSION }} + cache: 'pip' + + - name: Create and start virtual environment + run: | + python -m venv venv + source venv/bin/activate + + - name: Install dependencies + run: pip install -r requirements.txt + + # Optional: Add step to run tests here (PyTest, Django test suites, etc.) 
+ + - name: Upload artifact for deployment jobs + uses: actions/upload-artifact@v3 + with: + name: python-app + path: | + . + !venv/ + + deploy: + permissions: + contents: none + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v3 + with: + name: python-app + path: . + + - name: 'Deploy to Azure Web App' + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} diff --git a/.github/workflows/azure.yml b/.github/workflows/azure.yml index f3040b7..7450411 100644 --- a/.github/workflows/azure.yml +++ b/.github/workflows/azure.yml 
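Review bot: The "Create and start virtual environment" step has no effect on later steps: `source venv/bin/activate` only changes the shell of that one step, so the following `pip install -r requirements.txt` installs into the runner's global interpreter and the `!venv/` artifact exclusion merely drops a venv nothing was installed into. Either put the install in the same run block as the activation or remove the venv step and rely on the deploy target installing from requirements.txt; as written the step reads as if it isolates dependencies when it does not. The deploy step also passes no `package:` input to `azure/webapps-deploy@v2`, unlike the sibling workflows; if relying on the action's default is intended, a one-line comment saying so would make that explicit. The hunk re-adds the file verbatim (apparently a line-ending change), so these points concern retained content.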
@@ -1,50 +1,50 @@ -# This workflow will build and push a node.js application to an Azure Web App when a release is created. -# -# This workflow assumes you have already created the target Azure App Service web app. -# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan -# -# To configure this workflow: -# -# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. -# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings -# -# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. -# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret -# -# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). -# -# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions -# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -on: - release: - types: [created] - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '10.x' # set this to the node version to use - -jobs: - build-and-deploy: - name: Build and Deploy - runs-on: ubuntu-latest - environment: production - steps: - - uses: actions/checkout@v3 - - name: Use Node.js ${{ env.NODE_VERSION }} - uses: actions/setup-node@v3 - with: - node-version: ${{ env.NODE_VERSION }} - - name: npm install, build, and test - run: | - # Build and test the project, then - # deploy to Azure Web App. 
- npm install - npm run build --if-present - npm run test --if-present - - name: 'Deploy to Azure WebApp' - uses: azure/webapps-deploy@v2 - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} +# This workflow will build and push a node.js application to an Azure Web App when a release is created. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/azure/app-service/app-service-plan-manage#create-an-app-service-plan +# +# To configure this workflow: +# +# 1. For Linux apps, add an app setting called WEBSITE_WEBDEPLOY_USE_SCM and set it to true in your app **before downloading the file**. +# For more instructions see: https://docs.microsoft.com/azure/app-service/configure-common#configure-app-settings +# +# 2. Set up a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE with the value of your Azure publish profile. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the values for the AZURE_WEBAPP_NAME, AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables (below). +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +on: + release: + types: [created] + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' 
# set this to the path to your web app project, defaults to the repository root + NODE_VERSION: '10.x' # set this to the node version to use + +jobs: + build-and-deploy: + name: Build and Deploy + runs-on: ubuntu-latest + environment: production + steps: + - uses: actions/checkout@v3 + - name: Use Node.js ${{ env.NODE_VERSION }} + uses: actions/setup-node@v3 + with: + node-version: ${{ env.NODE_VERSION }} + - name: npm install, build, and test + run: | + # Build and test the project, then + # deploy to Azure Web App. + npm install + npm run build --if-present + npm run test --if-present + - name: 'Deploy to Azure WebApp' + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} diff --git a/.github/workflows/brakeman.yml b/.github/workflows/brakeman.yml index 207ce9c..1ef898b 100644 --- a/.github/workflows/brakeman.yml +++ b/.github/workflows/brakeman.yml 
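Review bot: This workflow declares no top-level `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default scope, which can be read/write across all scopes, whereas the sibling azure-webapps-*.yml workflows restrict it to `contents: read`. The job only checks out code and deploys with a publish-profile secret, so add `permissions:` with `contents: read` at the top level to match them and keep the token to least privilege. `NODE_VERSION: '10.x'` is also well past end-of-life, so the build and test run on an unsupported runtime. The hunk re-adds the file verbatim (apparently a line-ending change), so these points concern retained content.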
@@ -1,57 +1,57 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow integrates Brakeman with GitHub's Code Scanning feature -# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications - -name: Brakeman Scan - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '22 16 * * 0' - -permissions: - contents: read - -jobs: - brakeman-scan: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - name: Brakeman Scan - runs-on: ubuntu-latest - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - - # Customize the ruby version depending on your needs - - name: Setup Ruby - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 - with: - ruby-version: '2.7' - - - name: Setup Brakeman - env: - BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+ - run: | - gem install brakeman --version $BRAKEMAN_VERSION - - # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis - - name: Scan - continue-on-error: true - run: | - brakeman -f sarif -o output.sarif.json . - - # Upload the SARIF file generated in the previous step - - name: Upload SARIF - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: output.sarif.json +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. 
+ +# This workflow integrates Brakeman with GitHub's Code Scanning feature +# Brakeman is a static analysis security vulnerability scanner for Ruby on Rails applications + +name: Brakeman Scan + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '22 16 * * 0' + +permissions: + contents: read + +jobs: + brakeman-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + name: Brakeman Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v3 + + # Customize the ruby version depending on your needs + - name: Setup Ruby + uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 + with: + ruby-version: '2.7' + + - name: Setup Brakeman + env: + BRAKEMAN_VERSION: '4.10' # SARIF support is provided in Brakeman version 4.10+ + run: | + gem install brakeman --version $BRAKEMAN_VERSION + + # Execute Brakeman CLI and generate a SARIF output with the security issues identified during the analysis + - name: Scan + continue-on-error: true + run: | + brakeman -f sarif -o output.sarif.json . + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: output.sarif.json diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml index 1138db3..f3e8062 100644 --- a/.github/workflows/checkmarx.yml +++ b/.github/workflows/checkmarx.yml 
@@ -1,54 +1,54 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action - -name: CxFlow - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '33 7 * * 5' - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action -permissions: - contents: read - -jobs: - # This workflow contains a single job called "build" - build: - # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action - permissions: - contents: read # for actions/checkout to fetch code - issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues - pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: ubuntu-latest - - # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 - # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs - - name: Checkmarx CxFlow Action - uses: checkmarx-ts/checkmarx-cxflow-github-action@9c07e2adcb17d0fdf60f3184ff53720513ea3c09 - with: - project: ${{ secrets.CHECKMARX_PROJECT }} - team: ${{ secrets.CHECKMARX_TEAMS }} - checkmarx_url: ${{ secrets.CHECKMARX_URL }} - checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} - checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} - checkmarx_client_secret: ${{ 
secrets.CHECKMARX_CLIENT_SECRET }} - scanners: sast - params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory - # Upload the Report for CodeQL/Security Alerts - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: cx.sarif +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action + +name: CxFlow + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '33 7 * * 5' + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + + # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v3 + # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs + - name: Checkmarx CxFlow Action + uses: 
checkmarx-ts/checkmarx-cxflow-github-action@9c07e2adcb17d0fdf60f3184ff53720513ea3c09 + with: + project: ${{ secrets.CHECKMARX_PROJECT }} + team: ${{ secrets.CHECKMARX_TEAMS }} + checkmarx_url: ${{ secrets.CHECKMARX_URL }} + checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + scanners: sast + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filterSeverity --cx-flow.filterCategory + # Upload the Report for CodeQL/Security Alerts + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: cx.sarif diff --git a/.github/workflows/clj-holmes.yml b/.github/workflows/clj-holmes.yml index 480f215..3dc860c 100644 --- a/.github/workflows/clj-holmes.yml +++ b/.github/workflows/clj-holmes.yml 
@@ -1,47 +1,47 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -name: clj-holmes - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '15 13 * * 5' - -permissions: - contents: read - -jobs: - clj-holmes: - name: Run clj-holmes scanning - runs-on: ubuntu-latest - permissions: - contents: read - security-events: write - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Scan code - uses: clj-holmes/clj-holmes-action@53daa4da4ff495cccf791e4ba4222a8317ddae9e - with: - rules-repository: 'git://org/private-rules-repo#main' - output-type: 'sarif' - output-file: 'clj-holmes-results.sarif' - fail-on-result: 'false' - - - name: Upload analysis results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ${{github.workspace}}/clj-holmes-results.sarif - ait-for-processing: true - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. 
+ +name: clj-holmes + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '15 13 * * 5' + +permissions: + contents: read + +jobs: + clj-holmes: + name: Run clj-holmes scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Scan code + uses: clj-holmes/clj-holmes-action@53daa4da4ff495cccf791e4ba4222a8317ddae9e + with: + rules-repository: 'git://org/private-rules-repo#main' + output-type: 'sarif' + output-file: 'clj-holmes-results.sarif' + fail-on-result: 'false' + + - name: Upload analysis results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{github.workspace}}/clj-holmes-results.sarif + ait-for-processing: true + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/clj-watson.yml b/.github/workflows/clj-watson.yml index 20c0564..92f9dbf 100644 --- a/.github/workflows/clj-watson.yml +++ b/.github/workflows/clj-watson.yml 
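Review bot: The last input of the upload step is misspelled, `ait-for-processing: true`; github/codeql-action/upload-sarif only logs an unexpected-input warning for it, so the run returns before the SARIF is processed, and it should read `wait-for-processing: true` as the clj-watson workflow on this page already spells it. The `rules-repository: 'git://org/private-rules-repo#main'` value looks like the starter-template placeholder; unless that repository really exists, the scan step fails when fetching rules, and `fail-on-result: 'false'` only suppresses findings, not that error. The trailing `Upload coverage reports to Codecov` step does not belong in a scanning job — nothing here produces coverage — and it reads `CODECOV_TOKEN` into a job that holds `security-events: write`; drop it here, and likewise from codeql.yml and dependency-review.yml on this page, leaving coverage upload to the test workflow.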
@@ -1,53 +1,53 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# clj-watson scans dependencies in a clojure deps.edn -# seeking for vulnerable direct/transitive dependencies and -# build a report with all the information needed to help you -# understand how the vulnerability manifest in your software. -# More details at https://github.com/clj-holmes/clj-watson - -name: clj-watson - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '19 10 * * 0' - -permissions: - contents: read - -jobs: - clj-holmes: - name: Run clj-watson scanning - runs-on: ubuntu-latest - permissions: - contents: read - security-events: write - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Dependency scan - uses: clj-holmes/clj-watson-action@b4c3623c4d603932e60e6012a3a1db7bc60058c2 - with: - clj-watson-sha: "65d928c" - clj-watson-tag: "v4.0.1" - database-strategy: github-advisory - aliases: clojure-lsp,test - deps-edn-path: deps.edn - suggest-fix: true - output-type: sarif - output-file: clj-watson-results.sarif - fail-on-result: false - - - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ${{github.workspace}}/clj-watson-results.sarif - wait-for-processing: true +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# clj-watson scans dependencies in a clojure deps.edn +# seeking for vulnerable direct/transitive dependencies and +# build a report with all the information needed to help you +# understand how the vulnerability manifest in your software. 
+# More details at https://github.com/clj-holmes/clj-watson + +name: clj-watson + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '19 10 * * 0' + +permissions: + contents: read + +jobs: + clj-holmes: + name: Run clj-watson scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Dependency scan + uses: clj-holmes/clj-watson-action@b4c3623c4d603932e60e6012a3a1db7bc60058c2 + with: + clj-watson-sha: "65d928c" + clj-watson-tag: "v4.0.1" + database-strategy: github-advisory + aliases: clojure-lsp,test + deps-edn-path: deps.edn + suggest-fix: true + output-type: sarif + output-file: clj-watson-results.sarif + fail-on-result: false + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{github.workspace}}/clj-watson-results.sarif + wait-for-processing: true diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml index bca5600..015cebc 100644 --- a/.github/workflows/codacy.yml +++ b/.github/workflows/codacy.yml 
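Review bot: The job key under `jobs:` is `clj-holmes:` although this workflow runs clj-watson (`name: Run clj-watson scanning`); rename it to `clj-watson:` so the check name and any branch-protection rule that references the job are unambiguous. Note also that `fail-on-result: false` makes vulnerable-dependency findings advisory only — they reach the Security tab but never block the PR; if that is intended, a comment such as `# advisory: findings are reported, not enforced` next to the key saves the next reader the question.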
@@ -1,60 +1,60 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow checks out code, performs a Codacy security scan -# and integrates the results with the -# GitHub Advanced Security code scanning feature. For more information on -# the Codacy security scan action usage and parameters, see -# https://github.com/codacy/codacy-analysis-cli-action. -# For more information on Codacy Analysis CLI in general, see -# https://github.com/codacy/codacy-analysis-cli. - -name: Codacy Security Scan - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '37 2 * * 3' - -permissions: - contents: read - -jobs: - codacy-security-scan: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - name: Codacy Security Scan - runs-on: ubuntu-latest - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout code - uses: actions/checkout@v3 - - # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis - - name: Run Codacy Analysis CLI - uses: codacy/codacy-analysis-cli-action@fde117cc9d692f9e6f9221272c7b65a2f659f064 - with: - # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository - # You can also omit the token and run the tools that support default configurations - project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} - verbose: true - output: results.sarif - format: sarif - # Adjust severity of non-security issues - gh-code-scanning-compat: true - # Force 0 exit code to allow SARIF file generation - # This will handover control about PR rejection to the GitHub side - 
max-allowed-issues: 2147483647 - - # Upload the SARIF file generated in the previous step - - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: results.sarif +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, performs a Codacy security scan +# and integrates the results with the +# GitHub Advanced Security code scanning feature. For more information on +# the Codacy security scan action usage and parameters, see +# https://github.com/codacy/codacy-analysis-cli-action. +# For more information on Codacy Analysis CLI in general, see +# https://github.com/codacy/codacy-analysis-cli. + +name: Codacy Security Scan + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '37 2 * * 3' + +permissions: + contents: read + +jobs: + codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout code + uses: actions/checkout@v3 + + # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@fde117cc9d692f9e6f9221272c7b65a2f659f064 + with: + # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository + # You can also omit the token and run the tools that support default configurations + project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} + verbose: true + output: results.sarif + format: sarif + # Adjust severity 
of non-security issues + gh-code-scanning-compat: true + # Force 0 exit code to allow SARIF file generation + # This will handover control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e84ec2c..7d33837 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -1,76 +1,76 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '31 22 * * 6' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: [ 'javascript' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
- # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # ℹ️ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. 
+# +name: "CodeQL" + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '31 22 * * 6' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 
+ + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/codescan.yml b/.github/workflows/codescan.yml index 79006ad..d52cf12 100644 --- a/.github/workflows/codescan.yml +++ b/.github/workflows/codescan.yml 
@@ -1,48 +1,48 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow requires that you have an existing account with codescan.io -# For more information about configuring your workflow, -# read our documentation at https://github.com/codescan-io/codescan-scanner-action -name: CodeScan - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '22 16 * * 2' - -permissions: - contents: read - -jobs: - CodeScan: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - name: Cache files - uses: actions/cache@v3 - with: - path: | - ~/.sonar - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar - - name: Run Analysis - uses: codescan-io/codescan-scanner-action@34bb1239ae63550b540bb82f8f5de370ecb34d99 - with: - login: ${{ secrets.CODESCAN_AUTH_TOKEN }} - organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} - projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: codescan.sarif +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. 
+ +# This workflow requires that you have an existing account with codescan.io +# For more information about configuring your workflow, +# read our documentation at https://github.com/codescan-io/codescan-scanner-action +name: CodeScan + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '22 16 * * 2' + +permissions: + contents: read + +jobs: + CodeScan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v3 + - name: Cache files + uses: actions/cache@v3 + with: + path: | + ~/.sonar + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + - name: Run Analysis + uses: codescan-io/codescan-scanner-action@34bb1239ae63550b540bb82f8f5de370ecb34d99 + with: + login: ${{ secrets.CODESCAN_AUTH_TOKEN }} + organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} + projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: codescan.sarif diff --git a/.github/workflows/codescaner-analysis.yml b/.github/workflows/codescaner-analysis.yml index 2804ef6..9dde7b9 100644 --- a/.github/workflows/codescaner-analysis.yml +++ b/.github/workflows/codescaner-analysis.yml 
@@ -1,37 +1,37 @@ -# This workflow requires that you have an existing account with codescan.io -# For more information about configuring your workflow, -# read our documentation at https://github.com/codescan-io/codescan-scanner-action -name: CodeScan - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '32 22 * * 2' - -jobs: - CodeScan: - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - name: Cache files - uses: actions/cache@v3 - with: - path: | - ~/.sonar - key: ${{ runner.os }}-sonar - restore-keys: ${{ runner.os }}-sonar - - name: Run Analysis - uses: codescan-io/codescan-scanner-action@master - with: - login: ${{ secrets.CODESCAN_AUTH_TOKEN }} - organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} - projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: codescan.sarif +# This workflow requires that you have an existing account with codescan.io +# For more information about configuring your workflow, +# read our documentation at https://github.com/codescan-io/codescan-scanner-action +name: CodeScan + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '32 22 * * 2' + +jobs: + CodeScan: + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v3 + - name: Cache files + uses: actions/cache@v3 + with: + path: | + ~/.sonar + key: ${{ runner.os }}-sonar + restore-keys: ${{ runner.os }}-sonar + - name: Run Analysis + uses: codescan-io/codescan-scanner-action@master + with: + login: ${{ secrets.CODESCAN_AUTH_TOKEN }} + organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }} + projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }} + - name: Upload SARIF file + uses: 
github/codeql-action/upload-sarif@v2 + with: + sarif_file: codescan.sarif diff --git a/.github/workflows/crunch42.yml b/.github/workflows/crunch42.yml index 14ed122..f387276 100644 --- a/.github/workflows/crunch42.yml +++ b/.github/workflows/crunch42.yml 
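Review bot: The `Run Analysis` step uses `codescan-io/codescan-scanner-action@master`, a mutable branch reference, while the copy of this same workflow in codescan.yml on this page pins the action to a commit; pin it identically, `uses: codescan-io/codescan-scanner-action@34bb1239ae63550b540bb82f8f5de370ecb34d99`, or delete this duplicate file, since both run as `name: CodeScan` with the same secrets and the same `codescan.sarif` output. This file also declares no `permissions:` at workflow or job level, so the job runs with the repository's default token permissions instead of the `contents: read` / `security-events: write` pair codescan.yml sets; datadog-synthetics.yml and deno.yml on this page have the same omission. Adding a top-level `permissions:` with `contents: read` and the job-level override used in codescan.yml keeps the token scoped to what the upload step needs.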
@@ -1,59 +1,59 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow locates REST API file contracts -# (Swagger or OpenAPI format, v2 and v3, JSON and YAML) -# and runs 200+ security checks on them using 42Crunch Security Audit technology. -# -# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm -# -# To use this workflow, you will need to complete the following setup steps. -# -# 1. Create a free 42Crunch account at https://platform.42crunch.com/register -# -# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm -# to create an API Token on the 42Crunch platform -# -# 3. Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm, -# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow -# -# If you have any questions or need help contact https://support.42crunch.com - -name: "42Crunch REST API Static Security Testing" - -# follow standard Code Scanning triggers -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '35 17 * * 6' - -permissions: - contents: read - -jobs: - rest-api-static-security-testing: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: 42Crunch REST API Static Security Testing - uses: 42Crunch/api-security-audit-action@ae75e3c3693658c6bfab6e1d4650185c402fd6f9 - with: - # Please create free account at https://platform.42crunch.com/register - # Follow these steps to 
configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm - api-token: ${{ secrets.API_TOKEN }} - # Fail if any OpenAPI file scores lower than 75 - min-score: 75 - # Upload results to Github code scanning - upload-to-code-scanning: true - # Github token for uploading the results - github-token: ${{ github.token }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow locates REST API file contracts +# (Swagger or OpenAPI format, v2 and v3, JSON and YAML) +# and runs 200+ security checks on them using 42Crunch Security Audit technology. +# +# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# +# To use this workflow, you will need to complete the following setup steps. +# +# 1. Create a free 42Crunch account at https://platform.42crunch.com/register +# +# 2. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# to create an API Token on the 42Crunch platform +# +# 3. 
Add a secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm, +# store the 42Crunch API Token in that secret, and supply the secret's name as api-token parameter in this workflow +# +# If you have any questions or need help contact https://support.42crunch.com + +name: "42Crunch REST API Static Security Testing" + +# follow standard Code Scanning triggers +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '35 17 * * 6' + +permissions: + contents: read + +jobs: + rest-api-static-security-testing: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: 42Crunch REST API Static Security Testing + uses: 42Crunch/api-security-audit-action@ae75e3c3693658c6bfab6e1d4650185c402fd6f9 + with: + # Please create free account at https://platform.42crunch.com/register + # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm + api-token: ${{ secrets.API_TOKEN }} + # Fail if any OpenAPI file scores lower than 75 + min-score: 75 + # Upload results to Github code scanning + upload-to-code-scanning: true + # Github token for uploading the results + github-token: ${{ github.token }} diff --git a/.github/workflows/datadog-synthetics.yml b/.github/workflows/datadog-synthetics.yml index e9a0926..3d52f49 100644 --- a/.github/workflows/datadog-synthetics.yml +++ b/.github/workflows/datadog-synthetics.yml 
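Review bot: The secret is referenced as `${{ secrets.API_TOKEN }}`, a name generic enough to be reused by mistake for some other service's token, whereas the other workflows on this page prefix their secrets with the tool name (`CHECKMARX_`, `CODACY_`, `CODESCAN_`, `DD_`). Renaming it, `api-token: ${{ secrets.CRUNCH42_API_TOKEN }}`, and updating the setup comment above the step keeps that convention and makes an audit of repository secrets self-explanatory.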
@@ -1,38 +1,38 @@ -# This workflow will trigger Datadog Synthetic tests within your Datadog organisation -# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# To get started: - -# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. -# 2. Start using the action within your workflow - -name: Run Datadog Synthetic tests - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - # Run Synthetic tests within your GitHub workflow. - # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci - - name: Run Datadog Synthetic tests - uses: DataDog/synthetics-ci-github-action@a3ae3be10856e996d9f1f7bd188c4a449c7746c9 - with: - api_key: ${{secrets.DD_API_KEY}} - app_key: ${{secrets.DD_APP_KEY}} - test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy - - +# This workflow will trigger Datadog Synthetic tests within your Datadog organisation +# For more information on running Synthetic tests within your GitHub workflows see: https://docs.datadoghq.com/synthetics/cicd_integrations/github_actions/ + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# To get started: + +# 1. Add your Datadog API (DD_API_KEY) and Application Key (DD_APP_KEY) as secrets to your GitHub repository. 
For more information, see: https://docs.datadoghq.com/account_management/api-app-keys/. +# 2. Start using the action within your workflow + +name: Run Datadog Synthetic tests + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + # Run Synthetic tests within your GitHub workflow. + # For additional configuration options visit the action within the marketplace: https://github.com/marketplace/actions/datadog-synthetics-ci + - name: Run Datadog Synthetic tests + uses: DataDog/synthetics-ci-github-action@a3ae3be10856e996d9f1f7bd188c4a449c7746c9 + with: + api_key: ${{secrets.DD_API_KEY}} + app_key: ${{secrets.DD_APP_KEY}} + test_search_query: 'tag:e2e-tests' #Modify this tag to suit your tagging strategy + + diff --git a/.github/workflows/deno.yml b/.github/workflows/deno.yml index 52f65c4..c6c1d9c 100644 --- a/.github/workflows/deno.yml +++ b/.github/workflows/deno.yml 
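Review bot: The expressions `${{secrets.DD_API_KEY}}` and `${{secrets.DD_APP_KEY}}` omit the spaces inside the braces that every other workflow on this page uses, and the inline comment `#Modify this tag to suit your tagging strategy` has no space after the hash; write `api_key: ${{ secrets.DD_API_KEY }}` and `# Modify this tag to suit your tagging strategy`. The file also ends with two blank lines after the last step, which yamllint reports; trim to a single trailing newline.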
@@ -1,39 +1,39 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow will install Deno and run tests across stable and nightly builds on Windows, Ubuntu and macOS. -# For more information see: https://github.com/denolib/setup-deno - -name: Deno - -on: - push: - branches: [master] - pull_request: - branches: [master] - -jobs: - test: - runs-on: ${{ matrix.os }} # runs a test on Ubuntu, Windows and macOS - - strategy: - matrix: - deno: ["v1.x", "nightly"] - os: [macOS-latest, windows-latest, ubuntu-latest] - - steps: - - name: Setup repo - uses: actions/checkout@v3 - - - name: Setup Deno - uses: denolib/setup-deno@3c5f954c869f1b0d106e129797480905587250f5 - with: - deno-version: ${{ matrix.deno }} # tests across multiple Deno versions - - - name: Cache Dependencies - run: deno cache deps.ts - - - name: Run Tests - run: deno test -A --unstable +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will install Deno and run tests across stable and nightly builds on Windows, Ubuntu and macOS. 
+# For more information see: https://github.com/denolib/setup-deno + +name: Deno + +on: + push: + branches: [master] + pull_request: + branches: [master] + +jobs: + test: + runs-on: ${{ matrix.os }} # runs a test on Ubuntu, Windows and macOS + + strategy: + matrix: + deno: ["v1.x", "nightly"] + os: [macOS-latest, windows-latest, ubuntu-latest] + + steps: + - name: Setup repo + uses: actions/checkout@v3 + + - name: Setup Deno + uses: denolib/setup-deno@3c5f954c869f1b0d106e129797480905587250f5 + with: + deno-version: ${{ matrix.deno }} # tests across multiple Deno versions + + - name: Cache Dependencies + run: deno cache deps.ts + + - name: Run Tests + run: deno test -A --unstable diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 7258766..fab0e4d 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
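Review bot: `run: deno test -A --unstable` grants the test suite every Deno runtime permission (network, filesystem, environment, subprocess) on a runner where `actions/checkout` has by default left the repository token in the workspace git config, which is broader than a unit-test run usually needs. If the tests need only some of these, list them explicitly, for example `run: deno test --allow-read --allow-net --unstable`, adjusted to what the suite actually uses; if all of them really are required, a comment above the step saying why makes the choice deliberate rather than inherited from the template. `--unstable` presumably enables a different feature set on `nightly` than on `v1.x`, so a test that passes on one matrix leg and fails on the other may be a flag difference rather than a regression — worth a comment if that has been observed.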
@@ -1,24 +1,24 @@ -# Dependency Review Action -# -# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. -# -# Source repository: https://github.com/actions/dependency-review-action -# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement -name: 'Dependency Review' -on: [pull_request] - -permissions: - contents: read - -jobs: - dependency-review: - runs-on: ubuntu-latest - steps: - - name: 'Checkout Repository' - uses: actions/checkout@v3 - - name: 'Dependency Review' - uses: actions/dependency-review-action@v3 - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. 
+# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v3 + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/detekt.yml b/.github/workflows/detekt.yml index d42c42c..0c22dbc 100644 --- a/.github/workflows/detekt.yml +++ b/.github/workflows/detekt.yml 
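Review bot: The `Upload coverage reports to Codecov` step at the end of the `dependency-review` job has nothing to upload — the job only checks out the repository and runs `actions/dependency-review-action`; no tests run and no coverage report is produced — so it hands `CODECOV_TOKEN` to an extra third-party action on every `pull_request` for no benefit. Drop the step here; a coverage upload belongs after the test run in the workflow that generates the report. The remaining two actions are referenced by mutable tags (`@v3`); pinning them to commit SHAs is the usual control for a workflow that is meant to gate merges.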
@@ -1,118 +1,118 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow performs a static analysis of your Kotlin source code using -# Detekt. -# -# Scans are triggered: -# 1. On every push to default and protected branches -# 2. On every Pull Request targeting the default branch -# 3. On a weekly schedule -# 4. Manually, on demand, via the "workflow_dispatch" event -# -# The workflow should work with no modifications, but you might like to use a -# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG -# environment variable. -name: Scan with Detekt - -on: - # Triggers the workflow on push or pull request events but only for default and protected branches - push: - branches: [ master ] - pull_request: - branches: [ master ] - schedule: - - cron: '45 19 * * 6' - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -env: - # Release tag associated with version of Detekt to be installed - # SARIF support (required for this workflow) was introduced in Detekt v1.15.0 - DETEKT_RELEASE_TAG: v1.15.0 - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "scan" - scan: - name: Scan - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it - - uses: actions/checkout@v3 - - # Gets the download URL associated with the $DETEKT_RELEASE_TAG - - name: Get Detekt download URL - id: detekt_info - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' - query getReleaseAssetDownloadUrl($tagName: String!) 
{ - repository(name: "detekt", owner: "detekt") { - release(tagName: $tagName) { - releaseAssets(name: "detekt", first: 1) { - nodes { - downloadUrl - } - } - tagCommit { - oid - } - } - } - } - ' 1> gh_response.json - - DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json) - if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then - echo "Release tag doesn't match expected commit SHA" - exit 1 - fi - - DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) - echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" - - # Sets up the detekt cli - - name: Setup Detekt - run: | - dest=$( mktemp -d ) - curl --request GET \ - --url ${{ steps.detekt_info.outputs.download_url }} \ - --silent \ - --location \ - --output $dest/detekt - chmod a+x $dest/detekt - echo $dest >> $GITHUB_PATH - - # Performs static analysis using Detekt - - name: Run Detekt - continue-on-error: true - run: | - detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json - - # Modifies the SARIF output produced by Detekt so that absolute URIs are relative - # This is so we can easily map results onto their source files - # This can be removed once relative URI support lands in Detekt: https://git.io/JLBbA - - name: Make artifact location URIs relative - continue-on-error: true - run: | - echo "$( - jq \ - --arg github_workspace ${{ github.workspace }} \ - '. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= if test($github_workspace) then .[($github_workspace | length | . + 1):] else . 
end )' \ - ${{ github.workspace }}/detekt.sarif.json - )" > ${{ github.workspace }}/detekt.sarif.json - - # Uploads results to GitHub repository using the upload-sarif action - - uses: github/codeql-action/upload-sarif@v2 - with: - # Path to SARIF file relative to the root of the repository - sarif_file: ${{ github.workspace }}/detekt.sarif.json - checkout_path: ${{ github.workspace }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your Kotlin source code using +# Detekt. +# +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event +# +# The workflow should work with no modifications, but you might like to use a +# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG +# environment variable. 
+name: Scan with Detekt + +on: + # Triggers the workflow on push or pull request events but only for default and protected branches + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '45 19 * * 6' + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +env: + # Release tag associated with version of Detekt to be installed + # SARIF support (required for this workflow) was introduced in Detekt v1.15.0 + DETEKT_RELEASE_TAG: v1.15.0 + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "scan" + scan: + name: Scan + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v3 + + # Gets the download URL associated with the $DETEKT_RELEASE_TAG + - name: Get Detekt download URL + id: detekt_info + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh api graphql --field tagName=$DETEKT_RELEASE_TAG --raw-field query=' + query getReleaseAssetDownloadUrl($tagName: String!) 
{ + repository(name: "detekt", owner: "detekt") { + release(tagName: $tagName) { + releaseAssets(name: "detekt", first: 1) { + nodes { + downloadUrl + } + } + tagCommit { + oid + } + } + } + } + ' 1> gh_response.json + + DETEKT_RELEASE_SHA=$(jq --raw-output '.data.repository.release.releaseAssets.tagCommit.oid' gh_response.json) + if [ $DETEKT_RELEASE_SHA != "37f0a1d006977512f1f216506cd695039607c3e5" ]; then + echo "Release tag doesn't match expected commit SHA" + exit 1 + fi + + DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json) + echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL" + + # Sets up the detekt cli + - name: Setup Detekt + run: | + dest=$( mktemp -d ) + curl --request GET \ + --url ${{ steps.detekt_info.outputs.download_url }} \ + --silent \ + --location \ + --output $dest/detekt + chmod a+x $dest/detekt + echo $dest >> $GITHUB_PATH + + # Performs static analysis using Detekt + - name: Run Detekt + continue-on-error: true + run: | + detekt --input ${{ github.workspace }} --report sarif:${{ github.workspace }}/detekt.sarif.json + + # Modifies the SARIF output produced by Detekt so that absolute URIs are relative + # This is so we can easily map results onto their source files + # This can be removed once relative URI support lands in Detekt: https://git.io/JLBbA + - name: Make artifact location URIs relative + continue-on-error: true + run: | + echo "$( + jq \ + --arg github_workspace ${{ github.workspace }} \ + '. | ( .runs[].results[].locations[].physicalLocation.artifactLocation.uri |= if test($github_workspace) then .[($github_workspace | length | . + 1):] else . 
end )' \ + ${{ github.workspace }}/detekt.sarif.json + )" > ${{ github.workspace }}/detekt.sarif.json + + # Uploads results to GitHub repository using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v2 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: ${{ github.workspace }}/detekt.sarif.json + checkout_path: ${{ github.workspace }} diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml index 417f182..ebe3c96 100644 --- a/.github/workflows/devskim.yml +++ b/.github/workflows/devskim.yml 
@@ -1,38 +1,38 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -name: DevSkim - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - schedule: - - cron: '22 0 * * 6' - -jobs: - lint: - name: DevSkim - runs-on: ubuntu-20.04 - permissions: - actions: read - contents: read - security-events: write - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Run DevSkim scanner - uses: microsoft/DevSkim-Action@v1 - - - name: Upload DevSkim scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: devskim-results.sarif - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: DevSkim + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '22 0 * * 6' + +jobs: + lint: + name: DevSkim + runs-on: ubuntu-20.04 + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run DevSkim scanner + uses: microsoft/DevSkim-Action@v1 + + - name: Upload DevSkim scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: devskim-results.sarif + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 85da952..73ac519 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml 
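Review bot: The `Upload coverage reports to Codecov` step appended after the SARIF upload has no coverage file to send — the `lint` job only runs `microsoft/DevSkim-Action` — and it exposes `CODECOV_TOKEN` to an extra third-party action on every push, pull request and weekly run for nothing in return; remove it from this job. The job's `permissions:` block is already least-privilege for the scanner, which is good, but the three actions are still referenced by mutable tags (`@v3`, `@v1`, `@v2`) and pinning them to commit SHAs would close the remaining supply-chain gap. `runs-on: ubuntu-20.04` is an explicitly old image; if that pin is deliberate, a one-line comment saying why would help the next maintainer.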
@@ -1,18 +1,18 @@ -name: Docker Image CI - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - -jobs: - - build: - - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - name: Build the Docker image - run: docker build . --file Dockerfile --tag my-image-name:$(date +%s) +name: Docker Image CI + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - name: Build the Docker image + run: docker build . --file Dockerfile --tag my-image-name:$(date +%s) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index e780c5e..9a83aae 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
@@ -1,93 +1,93 @@ -name: Docker - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -on: - schedule: - - cron: '35 6 * * *' - push: - branches: [ master ] - # Publish semver tags as releases. - tags: [ 'v*.*.*' ] - pull_request: - branches: [ master ] - -env: - # Use docker.io for Docker Hub if empty - REGISTRY: ghcr.io - # github.repository as / - IMAGE_NAME: ${{ github.repository }} - - -jobs: - build: - - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - # This is used to complete the identity challenge - # with sigstore/fulcio when running outside of PRs. - id-token: write - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Install the cosign tool except on PR - # https://github.com/sigstore/cosign-installer - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 - with: - cosign-release: 'v1.7.1' - - - # Workaround: https://github.com/docker/build-push-action/issues/461 - - name: Setup Docker buildx - uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a - - # Login against a Docker registry except on PR - # https://github.com/docker/login-action - - name: Log into registry ${{ env.REGISTRY }} - if: github.event_name != 'pull_request' - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - # Extract metadata (tags, labels) for Docker - # https://github.com/docker/metadata-action - - name: Extract Docker metadata - id: meta - uses: docker/metadata-action@ef25336f420be2d1a49205baf41a9b88712a65a1 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - # Build and push Docker image with Buildx (don't push on PR) - # 
https://github.com/docker/build-push-action - - name: Build and push Docker image - id: build-and-push - uses: docker/build-push-action@68d0dc20df34f84bca5214ce60a32e2d589dbaf2 - with: - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - - # Sign the resulting Docker image digest except on PRs. - # This will only write to the public Rekor transparency log when the Docker - # repository is public to avoid leaking data. If you would like to publish - # transparency data even for private images, pass --force to cosign below. - # https://github.com/sigstore/cosign - - name: Sign the published Docker image - if: ${{ github.event_name != 'pull_request' }} - env: - COSIGN_EXPERIMENTAL: "true" - # This step uses the identity token to provision an ephemeral certificate - # against the sigstore community Fulcio instance. - run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }} +name: Docker + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +on: + schedule: + - cron: '35 6 * * *' + push: + branches: [ master ] + # Publish semver tags as releases. + tags: [ 'v*.*.*' ] + pull_request: + branches: [ master ] + +env: + # Use docker.io for Docker Hub if empty + REGISTRY: ghcr.io + # github.repository as / + IMAGE_NAME: ${{ github.repository }} + + +jobs: + build: + + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + # This is used to complete the identity challenge + # with sigstore/fulcio when running outside of PRs. 
+ id-token: write + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Install the cosign tool except on PR + # https://github.com/sigstore/cosign-installer + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 + with: + cosign-release: 'v1.7.1' + + + # Workaround: https://github.com/docker/build-push-action/issues/461 + - name: Setup Docker buildx + uses: docker/setup-buildx-action@16c0bc4a6e6ada2cfd8afd41d22d95379cf7c32a + + # Login against a Docker registry except on PR + # https://github.com/docker/login-action + - name: Log into registry ${{ env.REGISTRY }} + if: github.event_name != 'pull_request' + uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + # Extract metadata (tags, labels) for Docker + # https://github.com/docker/metadata-action + - name: Extract Docker metadata + id: meta + uses: docker/metadata-action@ef25336f420be2d1a49205baf41a9b88712a65a1 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + + # Build and push Docker image with Buildx (don't push on PR) + # https://github.com/docker/build-push-action + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@68d0dc20df34f84bca5214ce60a32e2d589dbaf2 + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + # Sign the resulting Docker image digest except on PRs. + # This will only write to the public Rekor transparency log when the Docker + # repository is public to avoid leaking data. If you would like to publish + # transparency data even for private images, pass --force to cosign below. 
+ # https://github.com/sigstore/cosign + - name: Sign the published Docker image + if: ${{ github.event_name != 'pull_request' }} + env: + COSIGN_EXPERIMENTAL: "true" + # This step uses the identity token to provision an ephemeral certificate + # against the sigstore community Fulcio instance. + run: cosign sign ${{ steps.meta.outputs.tags }}@${{ steps.build-and-push.outputs.digest }} diff --git a/.github/workflows/eslint.yml b/.github/workflows/eslint.yml index 22b9c5d..77708b4 100644 --- a/.github/workflows/eslint.yml +++ b/.github/workflows/eslint.yml 
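Review bot: The `Sign the published Docker image` step interpolates `${{ steps.meta.outputs.tags }}` straight into the shell line; whenever `docker/metadata-action` produces more than one tag (it emits them newline-separated, and any customisation of its `tags:` input does this) only the last one receives the `@<digest>` suffix and the others are signed by mutable tag reference, and because the expansion happens before the shell runs, tag text derived from branch or git-tag names lands in the command unquoted. Pass both values through `env:` and sign each tag by digest, as in the fence below. `sigstore/cosign-installer` is pinned to `cosign-release: 'v1.7.1'` with `COSIGN_EXPERIMENTAL: "true"` — that flag was the pre-2.0 opt-in for keyless signing, so confirm the intended cosign version before relying on it. `actions/checkout@v3` is the only action in this job not pinned to a SHA.
```yaml
      - name: Sign the published Docker image
        if: ${{ github.event_name != 'pull_request' }}
        env:
          COSIGN_EXPERIMENTAL: "true"
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        # Sign every tag produced by metadata-action, each by immutable digest.
        run: echo "${TAGS}" | xargs -I {} cosign sign {}@${DIGEST}
```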
@@ -1,49 +1,49 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# ESLint is a tool for identifying and reporting on patterns -# found in ECMAScript/JavaScript code. -# More details at https://github.com/eslint/eslint -# and https://eslint.org - -name: ESLint - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '30 7 * * 0' - -jobs: - eslint: - name: Run eslint scanning - runs-on: ubuntu-latest - permissions: - contents: read - security-events: write - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Install ESLint - run: | - npm install eslint@8.10.0 - npm install @microsoft/eslint-formatter-sarif@2.1.7 - - - name: Run ESLint - run: npx eslint . - --config .eslintrc.js - --ext .js,.jsx,.ts,.tsx - --format @microsoft/eslint-formatter-sarif - --output-file eslint-results.sarif - continue-on-error: true - - - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: eslint-results.sarif - wait-for-processing: true +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# ESLint is a tool for identifying and reporting on patterns +# found in ECMAScript/JavaScript code. 
+# More details at https://github.com/eslint/eslint +# and https://eslint.org + +name: ESLint + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '30 7 * * 0' + +jobs: + eslint: + name: Run eslint scanning + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install ESLint + run: | + npm install eslint@8.10.0 + npm install @microsoft/eslint-formatter-sarif@2.1.7 + + - name: Run ESLint + run: npx eslint . + --config .eslintrc.js + --ext .js,.jsx,.ts,.tsx + --format @microsoft/eslint-formatter-sarif + --output-file eslint-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: eslint-results.sarif + wait-for-processing: true diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml index b399e52..f0edc7d 100644 --- a/.github/workflows/fortify.yml +++ b/.github/workflows/fortify.yml 
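Review bot: `npm install eslint@8.10.0` and `npm install @microsoft/eslint-formatter-sarif@2.1.7` run inside the checked-out repository, so besides the two pinned packages they also pull in the project's own `package.json` dependency tree and execute its lifecycle scripts — on the `pull_request` trigger that is whatever tree the PR changed. For a lint-only job `npm install --ignore-scripts --no-save eslint@8.10.0 @microsoft/eslint-formatter-sarif@2.1.7` keeps the install from running code, and pinning `actions/checkout@v3` and `upload-sarif@v2` to SHAs would match the exact-version pinning already applied to the npm packages. `continue-on-error: true` on `Run ESLint` is appropriate for lint findings, but it also hides a crashed run, in which case `eslint-results.sarif` is missing and the upload step fails with a less useful error.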
@@ -1,98 +1,98 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -################################################################################################################################################ -# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# -# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # -# or contact our sales team, visit microfocus.com/appsecurity. # -# # -# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# -# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # -# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # -# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # -# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # -# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. 
# -################################################################################################################################################ - -name: Fortify on Demand Scan - -# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time -on: - workflow_dispatch: - push: - branches: [ master ] - schedule: - - cron: '40 3 * * 1' - -jobs: - FoD-SAST-Scan: - # Use the appropriate runner for building your source code. - # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - steps: - # Check out source code - - name: Check Out Source Code - uses: actions/checkout@v3 - - # Java is required to run the various Fortify utilities. - # When scanning a Java application, please use the appropriate Java version for building your application. - - name: Setup Java - uses: actions/setup-java@v3 - with: - java-version: 8 - distribution: 'temurin' - - # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. - # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: - # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). - # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. - # ScanCentral has additional options that should be set for PHP and Python projects - # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. 
- # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ - - name: Download Fortify ScanCentral Client - uses: fortify/gha-setup-scancentral-client@0dd7fb438a6ec17131fd0552b4c105f49c1ab351 - - name: Package Code + Dependencies - run: scancentral package $PACKAGE_OPTS -o package.zip - env: - PACKAGE_OPTS: "-bt mvn" - - # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java - # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: - # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). - # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. - - name: Download Fortify on Demand Universal CI Tool - uses: fortify/gha-setup-fod-uploader@16e5036c084b26cee63cb0c38cfc2101cc9fd13d - - name: Perform SAST Scan - run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" - env: - FOD_URL: "https://ams.fortify.com/" - FOD_API_URL: "https://api.ams.fortify.com/" - FOD_TENANT: ${{ secrets.FOD_TENANT }} - FOD_USER: ${{ secrets.FOD_USER }} - FOD_PAT: ${{ secrets.FOD_PAT }} - FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} - FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" - FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' - - # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. 
- - name: Export results to GitHub-optimized SARIF - uses: fortify/gha-export-vulnerabilities@710c062be6afe6c5afc15adff75184760fb70493 - with: - fod_base_url: "https://ams.fortify.com/" - fod_tenant: ${{ secrets.FOD_TENANT }} - fod_user: ${{ secrets.FOD_USER }} - fod_password: ${{ secrets.FOD_PAT }} - fod_release_id: ${{ secrets.FOD_RELEASE_ID }} - - # Import Fortify on Demand results to GitHub Security Code Scanning - - name: Import Results - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ./gh-fortify-sast.sarif +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +################################################################################################################################################ +# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# +# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # +# or contact our sales team, visit microfocus.com/appsecurity. # +# # +# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# +# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # +# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # +# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # +# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. 
If you need additional # +# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +################################################################################################################################################ + +name: Fortify on Demand Scan + +# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +on: + workflow_dispatch: + push: + branches: [ master ] + schedule: + - cron: '40 3 * * 1' + +jobs: + FoD-SAST-Scan: + # Use the appropriate runner for building your source code. + # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v3 + + # Java is required to run the various Fortify utilities. + # When scanning a Java application, please use the appropriate Java version for building your application. + - name: Setup Java + uses: actions/setup-java@v3 + with: + java-version: 8 + distribution: 'temurin' + + # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. + # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: + # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). + # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. + # ScanCentral has additional options that should be set for PHP and Python projects + # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. 
+ # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ + - name: Download Fortify ScanCentral Client + uses: fortify/gha-setup-scancentral-client@0dd7fb438a6ec17131fd0552b4c105f49c1ab351 + - name: Package Code + Dependencies + run: scancentral package $PACKAGE_OPTS -o package.zip + env: + PACKAGE_OPTS: "-bt mvn" + + # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java + # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: + # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). + # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. + - name: Download Fortify on Demand Universal CI Tool + uses: fortify/gha-setup-fod-uploader@16e5036c084b26cee63cb0c38cfc2101cc9fd13d + - name: Perform SAST Scan + run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" + env: + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" + FOD_TENANT: ${{ secrets.FOD_TENANT }} + FOD_USER: ${{ secrets.FOD_USER }} + FOD_PAT: ${{ secrets.FOD_PAT }} + FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} + FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' + + # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. 
+ - name: Export results to GitHub-optimized SARIF + uses: fortify/gha-export-vulnerabilities@710c062be6afe6c5afc15adff75184760fb70493 + with: + fod_base_url: "https://ams.fortify.com/" + fod_tenant: ${{ secrets.FOD_TENANT }} + fod_user: ${{ secrets.FOD_USER }} + fod_password: ${{ secrets.FOD_PAT }} + fod_release_id: ${{ secrets.FOD_RELEASE_ID }} + + # Import Fortify on Demand results to GitHub Security Code Scanning + - name: Import Results + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ./gh-fortify-sast.sarif diff --git a/.github/workflows/google-cloudrun-docker.yml b/.github/workflows/google-cloudrun-docker.yml index 77eb0f6..d206113 100644 --- a/.github/workflows/google-cloudrun-docker.yml +++ b/.github/workflows/google-cloudrun-docker.yml 
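Review bot: In `Perform SAST Scan` the credential `"$FOD_PAT"` is passed as a positional argument on the `java -jar $FOD_UPLOAD_JAR …` command line, which places the token in the runner's process list for the life of the upload — log masking covers step output, not `ps`/`/proc`; if the uploader can read the token from an environment variable or a file, prefer that, otherwise keep the step but record the exposure in a comment. `FOD_RELEASE_ID` is stored in `secrets` although it is an identifier rather than a credential; keeping it as an `env:` literal or repository variable makes the real secrets (`FOD_TENANT`, `FOD_USER`, `FOD_PAT`) easier to audit. `actions/checkout@v3` and `actions/setup-java@v3` are mutable tags beside the three SHA-pinned Fortify actions — pinning all of them consistently is the usual fix.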
@@ -1,114 +1,114 @@ -# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the master branch -# -# Overview: -# -# 1. Authenticate to Google Cloud -# 2. Authenticate Docker to Artifact Registry -# 3. Build a docker container -# 4. Publish it to Google Artifact Registry -# 5. Deploy it to Cloud Run -# -# To configure this workflow: -# -# 1. Ensure the required Google Cloud APIs are enabled: -# -# Cloud Run run.googleapis.com -# Artifact Registry artifactregistry.googleapis.com -# -# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) -# -# 3. Ensure the required IAM permissions are granted -# -# Cloud Run -# roles/run.admin -# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) -# -# Artifact Registry -# roles/artifactregistry.admin (project or repository level) -# -# NOTE: You should always follow the principle of least privilege when assigning IAM roles -# -# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT -# -# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below). 
-# -# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io -# -# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run -# -# Further reading: -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying -# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles -# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege - -name: Build and Deploy to Cloud Run - -on: - push: - branches: - - master - -env: - PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id - GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location - SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name - REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region - -jobs: - deploy: - # Add 'id-token' with the intended permissions for workload identity federation - permissions: - contents: 'read' - id-token: 'write' - - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v1' - with: - token_format: 'access_token' - workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider - service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. 
- my-service-account@my-project.iam.gserviceaccount.com - - # NOTE: Alternative option - authentication via credentials json - # - name: Google Auth - # id: auth - # uses: 'google-github-actions/auth@v0' - # with: - # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'' - - # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted) - - # Authenticate Docker to Google Cloud Artifact Registry - - name: Docker Auth - id: docker-auth - uses: 'docker/login-action@v2' - with: - username: 'oauth2accesstoken' - password: '${{ steps.auth.outputs.access_token }}' - registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' - - - name: Build and Push Container - run: |- - docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./ - docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" - - # END - Docker auth and build - - - name: Deploy to Cloud Run - id: deploy - uses: google-github-actions/deploy-cloudrun@v1 - with: - service: ${{ env.SERVICE }} - region: ${{ env.REGION }} - # NOTE: If using a pre-built image, update the image name here - image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} - - # If required, use the Cloud Run url output in later steps - - name: Show Output - run: echo ${{ steps.deploy.outputs.url }} +# This workflow build and push a Docker container to Google Artifact Registry and deploy it on Cloud Run when a commit is pushed to the master branch +# +# Overview: +# +# 1. Authenticate to Google Cloud +# 2. Authenticate Docker to Artifact Registry +# 3. Build a docker container +# 4. Publish it to Google Artifact Registry +# 5. Deploy it to Cloud Run +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled: +# +# Cloud Run run.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. 
Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# +# 3. Ensure the required IAM permissions are granted +# +# Cloud Run +# roles/run.admin +# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# +# Artifact Registry +# roles/artifactregistry.admin (project or repository level) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# +# 5. Change the values for the GAR_LOCATION, SERVICE and REGION environment variables (below). +# +# NOTE: To use Google Container Registry instead, replace ${{ env.GAR_LOCATION }}-docker.pkg.dev with gcr.io +# +# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run +# +# Further reading: +# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying +# Artifact Registry IAM permissions - https://cloud.google.com/artifact-registry/docs/access-control#roles +# Container Registry vs Artifact Registry - https://cloud.google.com/blog/products/application-development/understanding-artifact-registry-vs-container-registry +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege + +name: Build and Deploy to Cloud Run + +on: + push: + branches: + - master + +env: + PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id + GAR_LOCATION: YOUR_GAR_LOCATION # TODO: update Artifact Registry location + SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name + REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + +jobs: + deploy: + # Add 'id-token' with the intended permissions for workload identity federation + permissions: + contents: 'read' + id-token: 'write' + + runs-on: ubuntu-latest + steps: + - name: 
Checkout + uses: actions/checkout@v3 + + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v1' + with: + token_format: 'access_token' + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. - my-service-account@my-project.iam.gserviceaccount.com + + # NOTE: Alternative option - authentication via credentials json + # - name: Google Auth + # id: auth + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}'' + + # BEGIN - Docker auth and build (NOTE: If you already have a container image, these Docker steps can be omitted) + + # Authenticate Docker to Google Cloud Artifact Registry + - name: Docker Auth + id: docker-auth + uses: 'docker/login-action@v2' + with: + username: 'oauth2accesstoken' + password: '${{ steps.auth.outputs.access_token }}' + registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' + + - name: Build and Push Container + run: |- + docker build -t "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" ./ + docker push "${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }}" + + # END - Docker auth and build + + - name: Deploy to Cloud Run + id: deploy + uses: google-github-actions/deploy-cloudrun@v1 + with: + service: ${{ env.SERVICE }} + region: ${{ env.REGION }} + # NOTE: If using a pre-built image, update the image name here + image: ${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.SERVICE }}:${{ github.sha }} + + # If required, use the Cloud Run url output in later steps + - name: Show Output + run: echo ${{ steps.deploy.outputs.url }} diff --git a/.github/workflows/google-cloudrun-source.yml b/.github/workflows/google-cloudrun-source.yml index 14a9da3..f15f342 100644 --- a/.github/workflows/google-cloudrun-source.yml 
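Review bot: Every `uses:` in this file (`actions/checkout@v3`, `google-github-actions/auth@v1`, `docker/login-action@v2`, `google-github-actions/deploy-cloudrun@v1`) is pinned to a mutable major tag, which is a weaker supply-chain posture than the Fortify steps earlier in this commit that pin by full commit SHA; the same applies to google-cloudrun-source.yml and to the checkout/upload-sarif steps in hadolint.yml. Because this job holds `id-token: write` and obtains a GCP access token, a retagged or compromised action release would run with that token, so pin each action to a full-length commit SHA with the version in a trailing comment, e.g. `uses: docker/login-action@<FULL_COMMIT_SHA>  # v2`. Separately, the commented-out credentials_json alternative carries a stray trailing quote (`'${{ secrets.GCP_CREDENTIALS }}''`), which becomes a YAML parse error the moment someone uncomments it; the copy in google-cloudrun-source.yml is correct. The old and new sides of this hunk are textually identical, so these points concern the file as it stands rather than anything the commit changes.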
+++ b/.github/workflows/google-cloudrun-source.yml 
@@ -1,96 +1,96 @@ -# This workflow will deploy source code on Cloud Run when a commit is pushed to the master branch -# -# Overview: -# -# 1. Authenticate to Google Cloud -# 2. Deploy it to Cloud Run -# -# To configure this workflow: -# -# 1. Ensure the required Google Cloud APIs are enabled: -# -# Cloud Run run.googleapis.com -# Cloud Build cloudbuild.googleapis.com -# Artifact Registry artifactregistry.googleapis.com -# -# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) -# -# 3. Ensure the required IAM permissions are granted -# -# Cloud Run -# roles/run.admin -# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) -# -# Cloud Build -# roles/cloudbuild.builds.editor -# -# Cloud Storage -# roles/storage.objectAdmin -# -# Artifact Registry -# roles/artifactregistry.admin (project or repository level) -# -# NOTE: You should always follow the principle of least privilege when assigning IAM roles -# -# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT -# -# 5. Change the values for the SERVICE and REGION environment variables (below). 
-# -# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run -# -# Further reading: -# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity -# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy -# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code -# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege - -name: Deploy to Cloud Run from Source - -on: - push: - branches: - - master - -env: - PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id - SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name - REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region - -jobs: - deploy: - # Add 'id-token' with the intended permissions for workload identity federation - permissions: - contents: 'read' - id-token: 'write' - - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Google Auth - id: auth - uses: 'google-github-actions/auth@v1' - with: - workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider - service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. 
- my-service-account@my-project.iam.gserviceaccount.com - - # NOTE: Alternative option - authentication via credentials json - # - name: Google Auth - # id: auth - # uses: 'google-github-actions/auth@v0' - # with: - # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' - - - name: Deploy to Cloud Run - id: deploy - uses: google-github-actions/deploy-cloudrun@v1 - with: - service: ${{ env.SERVICE }} - region: ${{ env.REGION }} - # NOTE: If required, update to the appropriate source folder - source: ./ - - # If required, use the Cloud Run url output in later steps - - name: Show Output - run: echo ${{ steps.deploy.outputs.url }} +# This workflow will deploy source code on Cloud Run when a commit is pushed to the master branch +# +# Overview: +# +# 1. Authenticate to Google Cloud +# 2. Deploy it to Cloud Run +# +# To configure this workflow: +# +# 1. Ensure the required Google Cloud APIs are enabled: +# +# Cloud Run run.googleapis.com +# Cloud Build cloudbuild.googleapis.com +# Artifact Registry artifactregistry.googleapis.com +# +# 2. Create and configure Workload Identity Federation for GitHub (https://github.com/google-github-actions/auth#setting-up-workload-identity-federation) +# +# 3. Ensure the required IAM permissions are granted +# +# Cloud Run +# roles/run.admin +# roles/iam.serviceAccountUser (to act as the Cloud Run runtime service account) +# +# Cloud Build +# roles/cloudbuild.builds.editor +# +# Cloud Storage +# roles/storage.objectAdmin +# +# Artifact Registry +# roles/artifactregistry.admin (project or repository level) +# +# NOTE: You should always follow the principle of least privilege when assigning IAM roles +# +# 4. Create GitHub secrets for WIF_PROVIDER and WIF_SERVICE_ACCOUNT +# +# 5. Change the values for the SERVICE and REGION environment variables (below). 
+# +# For more support on how to run this workflow, please visit https://github.com/marketplace/actions/deploy-to-cloud-run +# +# Further reading: +# Cloud Run runtime service account - https://cloud.google.com/run/docs/securing/service-identity +# Cloud Run IAM permissions - https://cloud.google.com/run/docs/deploying-source-code#permissions_required_to_deploy +# Cloud Run builds from source - https://cloud.google.com/run/docs/deploying-source-code +# Principle of least privilege - https://cloud.google.com/blog/products/identity-security/dont-get-pwned-practicing-the-principle-of-least-privilege + +name: Deploy to Cloud Run from Source + +on: + push: + branches: + - master + +env: + PROJECT_ID: YOUR_PROJECT_ID # TODO: update Google Cloud project id + SERVICE: YOUR_SERVICE_NAME # TODO: update Cloud Run service name + REGION: YOUR_SERVICE_REGION # TODO: update Cloud Run service region + +jobs: + deploy: + # Add 'id-token' with the intended permissions for workload identity federation + permissions: + contents: 'read' + id-token: 'write' + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Google Auth + id: auth + uses: 'google-github-actions/auth@v1' + with: + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' # e.g. - projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider + service_account: '${{ secrets.WIF_SERVICE_ACCOUNT }}' # e.g. 
- my-service-account@my-project.iam.gserviceaccount.com + + # NOTE: Alternative option - authentication via credentials json + # - name: Google Auth + # id: auth + # uses: 'google-github-actions/auth@v0' + # with: + # credentials_json: '${{ secrets.GCP_CREDENTIALS }}' + + - name: Deploy to Cloud Run + id: deploy + uses: google-github-actions/deploy-cloudrun@v1 + with: + service: ${{ env.SERVICE }} + region: ${{ env.REGION }} + # NOTE: If required, update to the appropriate source folder + source: ./ + + # If required, use the Cloud Run url output in later steps + - name: Show Output + run: echo ${{ steps.deploy.outputs.url }} diff --git a/.github/workflows/google.yml b/.github/workflows/google.yml index b81718f..c4699d2 100644 --- a/.github/workflows/google.yml +++ b/.github/workflows/google.yml 
@@ -1,80 +1,80 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when a release is created -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - release: - types: [created] - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v3 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v1.1.1 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v1.0.2 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - 
name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when a release is created +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). 
+# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + release: + types: [created] + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v3 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v1.1.1 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v1.0.2 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . 
| kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide diff --git a/.github/workflows/googleXs.yml b/.github/workflows/googleXs.yml index 590d25e..8809327 100644 --- a/.github/workflows/googleXs.yml +++ b/.github/workflows/googleXs.yml 
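Review bot: The job authenticates with a long-lived service-account key (`service_account_key: ${{ secrets.GKE_SA_KEY }}` on the setup-gcloud step and `credentials: ${{ secrets.GKE_SA_KEY }}` on get-gke-credentials), whereas the Cloud Run workflows in this same commit already use Workload Identity Federation through `google-github-actions/auth@v1` with `id-token: write`; googleXs.yml has the identical problem. An exported JSON key does not expire or rotate on its own and sits as a standing credential in repository secrets, so the same `auth` step plus `permissions:` pattern should be adopted here (I believe setup-gcloud v1 no longer accepts `service_account_key` at all, which is worth confirming). The workflow also declares no `permissions:` block, so the `GITHUB_TOKEN` receives the repository default instead of `contents: read`. Finally, the Set up Kustomize step fetches an unverified binary with `curl -sfLo kustomize ...` and then runs it with the cluster credentials obtained above; adding `echo "<EXPECTED_SHA256>  kustomize" | sha256sum -c -` right after the download (and moving off the old v3.1.0 release) would pin what actually executes. The old and new sides of this hunk are textually identical, so these points concern the file as it stands.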
@@ -1,84 +1,84 @@ -# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when a release is created -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). -# -# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). -# -# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke - -name: Build and Deploy to GKE - -on: - release: - types: [created] - -env: - PROJECT_ID: ${{ secrets.GKE_PROJECT }} - GKE_CLUSTER: cluster-1 # TODO: update to cluster name - GKE_ZONE: us-central1-c # TODO: update to cluster zone - DEPLOYMENT_NAME: gke-test # TODO: update to deployment name - IMAGE: static-site - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - - steps: - - name: Checkout - uses: actions/checkout@v3 - - # Setup gcloud CLI - - uses: google-github-actions/setup-gcloud@v1.1.1 - with: - service_account_key: ${{ secrets.GKE_SA_KEY }} - project_id: ${{ secrets.GKE_PROJECT }} - - # Configure Docker to use the gcloud command-line tool as a credential - # helper for authentication - - run: |- - gcloud --quiet auth configure-docker - - - name: DefenseCode ThunderScan Action - uses: defensecode/thunderscan-action@v1.0 - - - # Get the GKE credentials so we can deploy to the cluster - - uses: google-github-actions/get-gke-credentials@v1.0.2 - with: - cluster_name: ${{ env.GKE_CLUSTER }} - location: ${{ 
env.GKE_ZONE }} - credentials: ${{ secrets.GKE_SA_KEY }} - - # Build the Docker image - - name: Build - run: |- - docker build \ - --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" \ - . - - # Push the Docker image to Google Container Registry - - name: Publish - run: |- - docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" - - # Set up kustomize - - name: Set up Kustomize - run: |- - curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - # Deploy the Docker image to the GKE cluster - - name: Deploy - run: |- - ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl get services -o wide +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when a release is created +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). 
+# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + release: + types: [created] + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v3 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v1.1.1 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + - name: DefenseCode ThunderScan Action + uses: defensecode/thunderscan-action@v1.0 + + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v1.0.2 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . 
+ + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml index cca782c..b5375f0 100644 --- a/.github/workflows/hadolint.yml +++ b/.github/workflows/hadolint.yml 
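Review bot: The `DefenseCode ThunderScan Action` step (`defensecode/thunderscan-action@v1.0`, a third-party action on a mutable tag) runs after setup-gcloud has activated the service account and after `gcloud auth configure-docker`, so presumably the gcloud credential store on the runner is readable by that action's code for the rest of the job. A source scanner needs only the checked-out tree, so move it to run directly after the Checkout step (or into its own job with `permissions: contents: read`) and pin it to a full-length commit SHA, `uses: defensecode/thunderscan-action@<FULL_COMMIT_SHA>  # v1.0`. The scanner step also has no `with:` inputs and no result-upload step, so it is unclear from the file where its findings go; a one-line comment stating that would help the next maintainer. The remaining issues in this file match google.yml and are raised there. The old and new sides of this hunk are textually identical, so these points concern the file as it stands.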
@@ -1,47 +1,47 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# hadoint is a Dockerfile linter written in Haskell -# that helps you build best practice Docker images. -# More details at https://github.com/hadolint/hadolint - -name: Hadolint - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '20 13 * * 4' - -permissions: - contents: read - -jobs: - hadolint: - name: Run hadolint scanning - runs-on: ubuntu-latest - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Run hadolint - uses: hadolint/hadolint-action@d292784f8f3eacda47060b259a580467b0ba410c - with: - dockerfile: ./Dockerfile - format: sarif - output-file: hadolint-results.sarif - no-fail: true - - - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: hadolint-results.sarif - wait-for-processing: true +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# hadoint is a Dockerfile linter written in Haskell +# that helps you build best practice Docker images. 
+# More details at https://github.com/hadolint/hadolint + +name: Hadolint + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '20 13 * * 4' + +permissions: + contents: read + +jobs: + hadolint: + name: Run hadolint scanning + runs-on: ubuntu-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run hadolint + uses: hadolint/hadolint-action@d292784f8f3eacda47060b259a580467b0ba410c + with: + dockerfile: ./Dockerfile + format: sarif + output-file: hadolint-results.sarif + no-fail: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: hadolint-results.sarif + wait-for-processing: true diff --git a/.github/workflows/ibm.yml b/.github/workflows/ibm.yml index 45d4c25..b51fdea 100644 --- a/.github/workflows/ibm.yml +++ b/.github/workflows/ibm.yml 
@@ -1,76 +1,76 @@ -# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the master branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains a Dockerfile -# 2. Setup secrets in your repository by going to settings: Create ICR_NAMESPACE and IBM_CLOUD_API_KEY -# 3. Change the values for the IBM_CLOUD_REGION, REGISTRY_HOSTNAME, IMAGE_NAME, IKS_CLUSTER, DEPLOYMENT_NAME, and PORT - -name: Build and Deploy to IKS - -on: - push: - branches: - - master - -# Environment variables available to all jobs and steps in this workflow -env: - GITHUB_SHA: ${{ github.sha }} - IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }} - IBM_CLOUD_REGION: us-south - ICR_NAMESPACE: ${{ secrets.ICR_NAMESPACE }} - REGISTRY_HOSTNAME: us.icr.io - IMAGE_NAME: iks-test - IKS_CLUSTER: example-iks-cluster-name-or-id - DEPLOYMENT_NAME: iks-test - PORT: 5001 - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - steps: - - - name: Checkout - uses: actions/checkout@v3 - - # Download and Install IBM Cloud CLI - - name: Install IBM Cloud CLI - run: | - curl -fsSL https://clis.cloud.ibm.com/install/linux | sh - ibmcloud --version - ibmcloud config --check-version=false - ibmcloud plugin install -f kubernetes-service - ibmcloud plugin install -f container-registry - - # Authenticate with IBM Cloud CLI - - name: Authenticate with IBM Cloud CLI - run: | - ibmcloud login --apikey "${IBM_CLOUD_API_KEY}" -r "${IBM_CLOUD_REGION}" -g default - ibmcloud cr region-set "${IBM_CLOUD_REGION}" - ibmcloud cr login - - # Build the Docker image - - name: Build with Docker - run: | - docker build -t "$REGISTRY_HOSTNAME"/"$ICR_NAMESPACE"/"$IMAGE_NAME":"$GITHUB_SHA" \ - --build-arg GITHUB_SHA="$GITHUB_SHA" \ - --build-arg GITHUB_REF="$GITHUB_REF" . 
- - # Push the image to IBM Container Registry - - name: Push the image to ICR - run: | - docker push $REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA - - # Deploy the Docker image to the IKS cluster - - name: Deploy to IKS - run: | - ibmcloud ks cluster config --cluster $IKS_CLUSTER - kubectl config current-context - kubectl create deployment $DEPLOYMENT_NAME --image=$REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA --dry-run -o yaml > deployment.yaml - kubectl apply -f deployment.yaml - kubectl rollout status deployment/$DEPLOYMENT_NAME - kubectl create service loadbalancer $DEPLOYMENT_NAME --tcp=80:$PORT --dry-run -o yaml > service.yaml - kubectl apply -f service.yaml - kubectl get services -o wide +# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the master branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains a Dockerfile +# 2. Setup secrets in your repository by going to settings: Create ICR_NAMESPACE and IBM_CLOUD_API_KEY +# 3. 
Change the values for the IBM_CLOUD_REGION, REGISTRY_HOSTNAME, IMAGE_NAME, IKS_CLUSTER, DEPLOYMENT_NAME, and PORT + +name: Build and Deploy to IKS + +on: + push: + branches: + - master + +# Environment variables available to all jobs and steps in this workflow +env: + GITHUB_SHA: ${{ github.sha }} + IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }} + IBM_CLOUD_REGION: us-south + ICR_NAMESPACE: ${{ secrets.ICR_NAMESPACE }} + REGISTRY_HOSTNAME: us.icr.io + IMAGE_NAME: iks-test + IKS_CLUSTER: example-iks-cluster-name-or-id + DEPLOYMENT_NAME: iks-test + PORT: 5001 + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + steps: + + - name: Checkout + uses: actions/checkout@v3 + + # Download and Install IBM Cloud CLI + - name: Install IBM Cloud CLI + run: | + curl -fsSL https://clis.cloud.ibm.com/install/linux | sh + ibmcloud --version + ibmcloud config --check-version=false + ibmcloud plugin install -f kubernetes-service + ibmcloud plugin install -f container-registry + + # Authenticate with IBM Cloud CLI + - name: Authenticate with IBM Cloud CLI + run: | + ibmcloud login --apikey "${IBM_CLOUD_API_KEY}" -r "${IBM_CLOUD_REGION}" -g default + ibmcloud cr region-set "${IBM_CLOUD_REGION}" + ibmcloud cr login + + # Build the Docker image + - name: Build with Docker + run: | + docker build -t "$REGISTRY_HOSTNAME"/"$ICR_NAMESPACE"/"$IMAGE_NAME":"$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" . 
+ + # Push the image to IBM Container Registry + - name: Push the image to ICR + run: | + docker push $REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA + + # Deploy the Docker image to the IKS cluster + - name: Deploy to IKS + run: | + ibmcloud ks cluster config --cluster $IKS_CLUSTER + kubectl config current-context + kubectl create deployment $DEPLOYMENT_NAME --image=$REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA --dry-run -o yaml > deployment.yaml + kubectl apply -f deployment.yaml + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl create service loadbalancer $DEPLOYMENT_NAME --tcp=80:$PORT --dry-run -o yaml > service.yaml + kubectl apply -f service.yaml + kubectl get services -o wide diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml index 5732d6d..7292054 100644 --- a/.github/workflows/jekyll.yml +++ b/.github/workflows/jekyll.yml @@ -1,20 +1,20 @@ -name: Jekyll site CI - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - -jobs: - build: - - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - name: Build the site in the jekyll/builder container - run: | - docker run \ - -v ${{ github.workspace }}:/srv/jekyll -v ${{ github.workspace }}/_site:/srv/jekyll/_site \ - jekyll/builder:latest /bin/bash -c "chmod -R 777 /srv/jekyll && jekyll build --future" +name: Jekyll site CI + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - name: Build the site in the jekyll/builder container + run: | + docker run \ + -v ${{ github.workspace }}:/srv/jekyll -v ${{ github.workspace }}/_site:/srv/jekyll/_site \ + jekyll/builder:latest /bin/bash -c "chmod -R 777 /srv/jekyll && jekyll build --future" diff --git a/.github/workflows/kubesec.yml b/.github/workflows/kubesec.yml index 552dddc..84b17b8 100644 --- a/.github/workflows/kubesec.yml +++ b/.github/workflows/kubesec.yml 
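Review bot: `IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }}` sits in the workflow-level `env:`, so the API key is present in the environment of every step, including the `curl -fsSL https://clis.cloud.ibm.com/install/linux | sh` installer, which fetches an unpinned script over the network and runs it with that secret available. Scope the key to the one step that needs it by moving it into an `env:` block on the "Authenticate with IBM Cloud CLI" step and deleting it from the top-level `env:`. The workflow also declares no `permissions:` block, so the deploy job runs with the repository's default GITHUB_TOKEN grant; add `permissions:` / `contents: read` at the top level. The bare `--dry-run` in both `kubectl create` lines is the deprecated boolean form; current kubectl expects `--dry-run=client`.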
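Review bot: `jekyll/builder:latest` is a mutable image tag, so each run builds the site with whatever the registry serves that day; pin it to a specific version tag or digest (`jekyll/builder:<version>@sha256:<digest>` as the placeholder shape). `chmod -R 777 /srv/jekyll` makes the entire checked-out workspace world-writable inside the container to work around a uid mismatch; running the container as the runner's uid with `--user "$(id -u):$(id -g)"` lets the build write `_site` without relaxing permissions on everything. The workflow also has no `permissions:` block; `permissions:` / `contents: read` is sufficient for checkout plus an in-container build.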
@@ -1,41 +1,41 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -name: Kubesec - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '38 9 * * 1' - -jobs: - lint: - name: Kubesec - runs-on: ubuntu-20.04 - permissions: - actions: read - contents: read - security-events: write - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Run kubesec scanner - uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 - with: - input: file.yaml # specify configuration file to scan here - format: template - template: template/sarif.tpl - output: kubesec-results.sarif - exit-code: "0" - - - name: Upload Kubesec scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: kubesec-results.sarif +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. 
+ +name: Kubesec + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '38 9 * * 1' + +jobs: + lint: + name: Kubesec + runs-on: ubuntu-20.04 + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run kubesec scanner + uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 + with: + input: file.yaml # specify configuration file to scan here + format: template + template: template/sarif.tpl + output: kubesec-results.sarif + exit-code: "0" + + - name: Upload Kubesec scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: kubesec-results.sarif diff --git a/.github/workflows/manual.yml b/.github/workflows/manual.yml index 47f24e1..53b17e9 100644 --- a/.github/workflows/manual.yml +++ b/.github/workflows/manual.yml 
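Review bot: `input: file.yaml` is still the template placeholder, so the scanner is pointed at a file the checkout most likely does not contain and the weekly job reports nothing about the real manifests; set it to the actual Kubernetes manifest path (`input: <path/to/manifests>` as a placeholder), or drop the workflow if the repository has no manifests. `runs-on: ubuntu-20.04` names a hosted runner image that GitHub has retired, so the job will stop being scheduled; `ubuntu-latest` or a currently supported image is needed. `exit-code: "0"` is correct for the SARIF-upload flow, but a comment saying so (`# never fail here; findings reach code scanning via the upload step`) would stop someone from "fixing" it.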
@@ -1,30 +1,30 @@ -# This is a basic workflow that is manually triggered - -name: Manual workflow - -# Controls when the action will run. Workflow runs when manually triggered using the UI -# or API. -on: - workflow_dispatch: - # Inputs the workflow accepts. - inputs: - name: - # Friendly description to be shown in the UI instead of 'name' - description: 'Person to greet' - # Default value if no value is explicitly provided - default: 'World' - # Input has to be provided for the workflow to run - required: true - -# A workflow run is made up of one or more jobs that can run sequentially or in parallel -jobs: - # This workflow contains a single job called "greet" - greet: - # The type of runner that the job will run on - runs-on: ubuntu-latest - - # Steps represent a sequence of tasks that will be executed as part of the job - steps: - # Runs a single command using the runners shell - - name: Send greeting - run: echo "Hello ${{ github.event.inputs.name }}" +# This is a basic workflow that is manually triggered + +name: Manual workflow + +# Controls when the action will run. Workflow runs when manually triggered using the UI +# or API. +on: + workflow_dispatch: + # Inputs the workflow accepts. + inputs: + name: + # Friendly description to be shown in the UI instead of 'name' + description: 'Person to greet' + # Default value if no value is explicitly provided + default: 'World' + # Input has to be provided for the workflow to run + required: true + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "greet" + greet: + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # Runs a single command using the runners shell + - name: Send greeting + run: echo "Hello ${{ github.event.inputs.name }}" 
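Review bot: `run: echo "Hello ${{ github.event.inputs.name }}"` expands a user-supplied input directly into the script text before the shell runs it, which is the expression-injection pattern GitHub's hardening guidance tells workflow authors to avoid; here the input only comes from people allowed to dispatch the workflow, but the habit carries over to triggers where it matters. Pass the value through an environment variable instead: add `env:` / `NAME: ${{ github.event.inputs.name }}` to the step and change the command to `run: echo "Hello $NAME"`, which keeps the data out of the script.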
diff --git a/.github/workflows/mayhem-for-api.yml b/.github/workflows/mayhem-for-api.yml index 8dc3181..2a2b820 100644 --- a/.github/workflows/mayhem-for-api.yml +++ b/.github/workflows/mayhem-for-api.yml 
@@ -1,66 +1,66 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# -# This workflow starts your API and fuzzes it with ForAllSecure Mayhem for API -# to find reliability, performance and security issues before they reach -# production. -# -# To use this workflow, you will need to: -# -# 1. Create a Mayhem for API account at -# https://mayhem4api.forallsecure.com/signup -# -# 2. Create a service account token `mapi organization service-account create -# ` -# -# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN" -# -# 4. Update the "Start your API" step to run your API in the background before -# starting the Mayhem for API scan, and update the `api-url` & `api-spec` -# field. -# -# If you have any questions, please contact us at mayhem4api@forallsecure.com - -name: "Mayhem for API" - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - -jobs: - mayhem-for-api: - name: Mayhem for API - # Mayhem for API runs on linux, mac and windows - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - steps: - - uses: actions/checkout@v3 - - # Run your API in the background. Ideally, the API would run in debug - # mode & send stacktraces back on "500 Internal Server Error" responses - # (don't do this in production though!) 
- - name: Start your API - run: ./run_your_api.sh & # <- ✏️ update this - - - name: Mayhem for API - uses: ForAllSecure/mapi-action@353b38b08ade35fe6c68053797a619834a8d225d - continue-on-error: true - with: - mapi-token: ${{ secrets.MAPI_TOKEN }} - api-url: https://localhost:8080 # <- ✏️ update this - api-spec: https://localhost:8080/openapi.json # <- ✏️ update this - duration: 60 - sarif-report: mapi.sarif - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: mapi.sarif +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# This workflow starts your API and fuzzes it with ForAllSecure Mayhem for API +# to find reliability, performance and security issues before they reach +# production. +# +# To use this workflow, you will need to: +# +# 1. Create a Mayhem for API account at +# https://mayhem4api.forallsecure.com/signup +# +# 2. Create a service account token `mapi organization service-account create +# ` +# +# 3. Add the service account token as a secret in GitHub called "MAPI_TOKEN" +# +# 4. Update the "Start your API" step to run your API in the background before +# starting the Mayhem for API scan, and update the `api-url` & `api-spec` +# field. +# +# If you have any questions, please contact us at mayhem4api@forallsecure.com + +name: "Mayhem for API" + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + +jobs: + mayhem-for-api: + name: Mayhem for API + # Mayhem for API runs on linux, mac and windows + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - uses: actions/checkout@v3 + + # Run your API in the background. 
Ideally, the API would run in debug + # mode & send stacktraces back on "500 Internal Server Error" responses + # (don't do this in production though!) + - name: Start your API + run: ./run_your_api.sh & # <- ✏️ update this + + - name: Mayhem for API + uses: ForAllSecure/mapi-action@353b38b08ade35fe6c68053797a619834a8d225d + continue-on-error: true + with: + mapi-token: ${{ secrets.MAPI_TOKEN }} + api-url: https://localhost:8080 # <- ✏️ update this + api-spec: https://localhost:8080/openapi.json # <- ✏️ update this + duration: 60 + sarif-report: mapi.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: mapi.sarif diff --git a/.github/workflows/mobsf.yml b/.github/workflows/mobsf.yml index d077ba3..adca965 100644 --- a/.github/workflows/mobsf.yml +++ b/.github/workflows/mobsf.yml 
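Review bot: `run: ./run_your_api.sh & # <- ✏️ update this` is still the template placeholder, and because the command is backgrounded with `&` a missing or failing script does not fail the step; together with `continue-on-error: true` on the scan step and the placeholder `api-url` / `api-spec` values, the job goes green while scanning nothing. Either point these at the real API start command and endpoints or remove the workflow until they exist. Once configured, drop `continue-on-error: true` or add a comment explaining why scan failures are tolerated (`# scan errors must not block PRs; results are reviewed in the Security tab`).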
@@ -1,46 +1,46 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -name: MobSF - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - schedule: - - cron: '20 11 * * 5' - -permissions: - contents: read - -jobs: - mobile-security: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - name: Setup python - uses: actions/setup-python@v4 - with: - python-version: 3.8 - - - name: Run mobsfscan - uses: MobSF/mobsfscan@1a796a0729f9d1a0e1fa4fe6b156fde47f4f3185 - with: - args: . --sarif --output results.sarif || true - - - name: Upload mobsfscan report - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: results.sarif - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: MobSF + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '20 11 * * 5' + +permissions: + contents: read + +jobs: + mobile-security: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Setup python + uses: actions/setup-python@v4 + with: + python-version: 3.8 + + - name: Run mobsfscan + uses: MobSF/mobsfscan@1a796a0729f9d1a0e1fa4fe6b156fde47f4f3185 + with: + args: . 
--sarif --output results.sarif || true + + - name: Upload mobsfscan report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/neuralegion.yml b/.github/workflows/neuralegion.yml index 24f7514..e95d1ac 100644 --- a/.github/workflows/neuralegion.yml +++ b/.github/workflows/neuralegion.yml 
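Review bot: The "Upload coverage reports to Codecov" step does not belong in this job: nothing before it runs tests or writes a coverage file, so `codecov/codecov-action@v3` has nothing to upload, and `CODECOV_TOKEN` is handed to a job whose only purpose is a static scan; the same stray step is in the njsscan hunk below. Remove it from both, or move it to the workflow that actually produces coverage. `python-version: 3.8` is a bare float; it happens to work for 3.8, but the same form silently turns `3.10` into `3.1`, so quote it as `python-version: "3.8"`.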
@@ -1,175 +1,175 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# -# Run a Nexploit Scan -# This action runs a new security scan in Nexploit, or reruns an existing one. -# Build Secure Apps & APIs. Fast. -# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love. -# Automatically Tests Every Aspect of Your Apps & APIs -# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports -# Seamlessly integrates with the Tools and Workflows You Already Use -# -# NeuraLegion works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing. -# Spin-Up, Configure and Control Scans with Code -# One file. One command. One scan. No UI needed. -# -# Super-Fast Scans -# -# Interacts with applications and APIs, instead of just crawling them and guessing. -# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks. -# -# No False Positives -# -# Stop chasing ghosts and wasting time. NeuraLegion doesn’t return false positives, so you can focus on releasing code. -# -# Comprehensive Security Testing -# -# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities. -# -# More information is available on NeuraLegion’s: -# * [Website](https://www.neuralegion.com/) -# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart) -# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw) -# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+) -# -# Inputs -# -# `name` -# -# **Required**. Scan name. 
-# -# _Example:_ `name: GitHub scan ${{ github.sha }}` -# -# `api_token` -# -# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens). -# -# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}` -# -# `restart_scan` -# -# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. -# -# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` -# -# `discovery_types` -# -# **Required**. Array of discovery types. The following types are available: -# * `archive` - uses an uploaded HAR-file for a scan -# * `crawler` - uses a crawler to define the attack surface for a scan -# * `oas` - uses an uploaded OpenAPI schema for a scan
-# If no discovery type is specified, `crawler` is applied by default. -# -# _Example:_ -# -# ```yml -# discovery_types: | -# [ "crawler", "archive" ] -# ``` -# -# `file_id` -# -# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login). -# -# _Example:_ -# -# ``` -# FILE_ID=$(nexploit-cli archive:upload \ -# --token ${{ secrets.NEXPLOIT_TOKEN }} \ -# --discard true \ -# ./example.har) -# ``` -# -# `crawler_urls` -# -# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface. -# -# _Example:_ -# -# ``` -# crawler_urls: | -# [ "http://vulnerable-bank.com" ] -# ``` -# -# `hosts_filter` -# -# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. -# -# Outputs -# -# `url` -# -# Url of the resulting scan -# -# `id` -# -# ID of the created scan. 
This ID could then be used to restart the scan, or for the following GitHub actions: -# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues) -# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan) -# -# Example usage -# -# Start a new scan with parameters -# -# ```yml -# steps: -# - name: Start Nexploit Scan -# id: start -# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe -# with: -# api_token: ${{ secrets.NEXPLOIT_TOKEN }} -# name: GitHub scan ${{ github.sha }} -# discovery_types: | -# [ "crawler", "archive" ] -# crawler_urls: | -# [ "http://vulnerable-bank.com" ] -# file_id: LiYknMYSdbSZbqgMaC9Sj -# hosts_filter: | -# [ ] -# - name: Get the output scan url -# run: echo "The scan was started on ${{ steps.start.outputs.url }}" -# ``` -# -# Restart an existing scan -# -# ```yml -# steps: -# - name: Start Nexploit Scan -# id: start -# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe -# with: -# api_token: ${{ secrets.NEXPLOIT_TOKEN }} -# name: GitHub scan ${{ github.sha }} -# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ -# - name: Get the output scan url -# run: echo "The scan was started on ${{ steps.start.outputs.url }}" - - -name: "NeuraLegion" - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - schedule: - - cron: '30 4 * * 3' - -jobs: - neuralegion_scan: - runs-on: ubuntu-18.04 - name: A job to run a Nexploit scan - steps: - - uses: actions/checkout@v3 - - name: Start Nexploit Scan 🏁 - id: start - uses: NeuraLegion/run-scan@e8a357749253841cb233872e6c1fa9f71bb308f8 - with: - api_token: ${{ secrets.NEURALEGION_TOKEN }} - name: GitHub scan ${{ github.sha }} - discovery_types: | - [ "crawler" ] - crawler_urls: | - [ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan +# This workflow uses actions that are not certified by GitHub. 
+# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Run a Nexploit Scan +# This action runs a new security scan in Nexploit, or reruns an existing one. +# Build Secure Apps & APIs. Fast. +# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love. +# Automatically Tests Every Aspect of Your Apps & APIs +# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports +# Seamlessly integrates with the Tools and Workflows You Already Use +# +# NeuraLegion works with your existing CI/CD pipelines – trigger scans on every commit, pull request or build with unit testing. +# Spin-Up, Configure and Control Scans with Code +# One file. One command. One scan. No UI needed. +# +# Super-Fast Scans +# +# Interacts with applications and APIs, instead of just crawling them and guessing. +# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks. +# +# No False Positives +# +# Stop chasing ghosts and wasting time. NeuraLegion doesn’t return false positives, so you can focus on releasing code. +# +# Comprehensive Security Testing +# +# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities. +# +# More information is available on NeuraLegion’s: +# * [Website](https://www.neuralegion.com/) +# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart) +# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw) +# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+) +# +# Inputs +# +# `name` +# +# **Required**. Scan name. 
+# +# _Example:_ `name: GitHub scan ${{ github.sha }}` +# +# `api_token` +# +# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens). +# +# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}` +# +# `restart_scan` +# +# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. +# +# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` +# +# `discovery_types` +# +# **Required**. Array of discovery types. The following types are available: +# * `archive` - uses an uploaded HAR-file for a scan +# * `crawler` - uses a crawler to define the attack surface for a scan +# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default. +# +# _Example:_ +# +# ```yml +# discovery_types: | +# [ "crawler", "archive" ] +# ``` +# +# `file_id` +# +# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login). +# +# _Example:_ +# +# ``` +# FILE_ID=$(nexploit-cli archive:upload \ +# --token ${{ secrets.NEXPLOIT_TOKEN }} \ +# --discard true \ +# ./example.har) +# ``` +# +# `crawler_urls` +# +# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface. +# +# _Example:_ +# +# ``` +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# ``` +# +# `hosts_filter` +# +# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. +# +# Outputs +# +# `url` +# +# Url of the resulting scan +# +# `id` +# +# ID of the created scan. 
This ID could then be used to restart the scan, or for the following GitHub actions: +# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues) +# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan) +# +# Example usage +# +# Start a new scan with parameters +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# discovery_types: | +# [ "crawler", "archive" ] +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# file_id: LiYknMYSdbSZbqgMaC9Sj +# hosts_filter: | +# [ ] +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" +# ``` +# +# Restart an existing scan +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" + + +name: "NeuraLegion" + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '30 4 * * 3' + +jobs: + neuralegion_scan: + runs-on: ubuntu-18.04 + name: A job to run a Nexploit scan + steps: + - uses: actions/checkout@v3 + - name: Start Nexploit Scan 🏁 + id: start + uses: NeuraLegion/run-scan@e8a357749253841cb233872e6c1fa9f71bb308f8 + with: + api_token: ${{ secrets.NEURALEGION_TOKEN }} + name: GitHub scan ${{ github.sha }} + discovery_types: | + [ "crawler" ] + crawler_urls: | + [ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan diff --git a/.github/workflows/njsscan.yml b/.github/workflows/njsscan.yml index 95d7d9f..4707323 100644 --- a/.github/workflows/njsscan.yml 
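Review bot: `runs-on: ubuntu-18.04` names a hosted runner image that GitHub has retired, so this scheduled job cannot be scheduled and the DAST scan is not actually running; change it to `ubuntu-latest` or a supported image. `crawler_urls: [ "https://brokencrystals.com" ]` still points at the vendor's demo site rather than anything this repository deploys, so even a working run would exercise a third-party target instead of the project; set it to the project's own staging URL (`<staging-url>` as a placeholder) or remove the workflow. The job also declares no `permissions:` block, unlike the other scanning workflows in this commit; `permissions:` / `contents: read` brings it in line.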
+++ b/.github/workflows/njsscan.yml 
@@ -1,45 +1,45 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow integrates njsscan with GitHub's Code Scanning feature -# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications - -name: njsscan sarif - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '17 4 * * 6' - -permissions: - contents: read - -jobs: - njsscan: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: ubuntu-latest - name: njsscan code scanning - steps: - - name: Checkout the code - uses: actions/checkout@v3 - - name: nodejsscan scan - id: njsscan - uses: ajinabraham/njsscan-action@74e5a58c1edb363b84c9ddd626b0e22f038ac09e - with: - args: '. --sarif --output results.sarif || true' - - name: Upload njsscan report - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: results.sarif - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. 
+ +# This workflow integrates njsscan with GitHub's Code Scanning feature +# nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications + +name: njsscan sarif + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '17 4 * * 6' + +permissions: + contents: read + +jobs: + njsscan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + name: njsscan code scanning + steps: + - name: Checkout the code + uses: actions/checkout@v3 + - name: nodejsscan scan + id: njsscan + uses: ajinabraham/njsscan-action@74e5a58c1edb363b84c9ddd626b0e22f038ac09e + with: + args: '. --sarif --output results.sarif || true' + - name: Upload njsscan report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml index f75d5f8..ea701c5 100644 --- a/.github/workflows/node.js.yml +++ b/.github/workflows/node.js.yml 
@@ -1,30 +1,30 @@ -# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions - -name: Node.js CI - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - -jobs: - build: - - runs-on: ubuntu-latest - - strategy: - matrix: - node-version: [10.x, 12.x, 14.x, 15.x] - # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ - - steps: - - uses: actions/checkout@v3 - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 - with: - node-version: ${{ matrix.node-version }} - - run: npm ci - - run: npm run build --if-present - - run: npm test +# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node +# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions + +name: Node.js CI + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + + runs-on: ubuntu-latest + + strategy: + matrix: + node-version: [10.x, 12.x, 14.x, 15.x] + # See supported Node.js release schedule at https://nodejs.org/en/about/releases/ + + steps: + - uses: actions/checkout@v3 + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v3 + with: + node-version: ${{ matrix.node-version }} + - run: npm ci + - run: npm run build --if-present + - run: npm test diff --git a/.github/workflows/nowsecure.yml b/.github/workflows/nowsecure.yml index edfeaab..5581d1d 100644 --- a/.github/workflows/nowsecure.yml +++ b/.github/workflows/nowsecure.yml 
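Review bot: The matrix `node-version: [10.x, 12.x, 14.x, 15.x]` covers only Node.js lines that are end-of-life and no longer receive security fixes, so CI never exercises a runtime the project would actually ship on; replace it with current LTS lines, e.g. `node-version: ['18.x', '20.x']`. The hunk appears to be a line-ending-only rewrite, so this predates the commit.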
@@ -1,52 +1,52 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# -# NowSecure: The Mobile Security Experts . -# -# To use this workflow, you must be an existing NowSecure customer with GitHub Advanced Security (GHAS) enabled for your -# repository. -# -# If you *are not* an existing customer, click here to contact us for licensing and pricing details: -# . -# -# Instructions: -# -# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and -# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit -# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub". -# -# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository -# and review the "Security" tab once the action has run. - -name: "NowSecure" - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - -jobs: - nowsecure: - name: NowSecure - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Build your application - run: ./gradlew assembleDebug # Update this to build your Android or iOS application - - - name: Run NowSecure - uses: nowsecure/nowsecure-action@5459f15cabd7040dee56dea24891ce4d291f25b4 - with: - token: ${{ secrets.NS_TOKEN }} - app_file: app-debug.apk # Update this to a path to your .ipa or .apk - group_id: {{ groupId }} # Update this to your desired Platform group ID - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: NowSecure.sarif +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. 
+# +# NowSecure: The Mobile Security Experts . +# +# To use this workflow, you must be an existing NowSecure customer with GitHub Advanced Security (GHAS) enabled for your +# repository. +# +# If you *are not* an existing customer, click here to contact us for licensing and pricing details: +# . +# +# Instructions: +# +# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and +# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit +# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub". +# +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. + +name: "NowSecure" + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + nowsecure: + name: NowSecure + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Build your application + run: ./gradlew assembleDebug # Update this to build your Android or iOS application + + - name: Run NowSecure + uses: nowsecure/nowsecure-action@5459f15cabd7040dee56dea24891ce4d291f25b4 + with: + token: ${{ secrets.NS_TOKEN }} + app_file: app-debug.apk # Update this to a path to your .ipa or .apk + group_id: {{ groupId }} # Update this to your desired Platform group ID + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: NowSecure.sarif diff --git a/.github/workflows/npm-grunt.yml b/.github/workflows/npm-grunt.yml index b1ff267..339efa4 100644 --- a/.github/workflows/npm-grunt.yml +++ b/.github/workflows/npm-grunt.yml 
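Review bot: `group_id: {{ groupId }}` is parsed by YAML as a flow mapping nested inside a flow mapping, not as a string, so the workflow is rejected at parse time until the placeholder is replaced; write it as a quoted string, `group_id: "<PLATFORM_GROUP_ID>"`, and fill in the real value. The build step `./gradlew assembleDebug` and `app_file: app-debug.apk` are likewise unedited template placeholders for a mobile app, which does not appear to match the Node.js workflows alongside this file; if the repository has no Android/iOS build, the workflow should be removed rather than left failing on every push to master. The hunk appears to be a line-ending-only rewrite, so this predates the commit.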
@@ -1,28 +1,28 @@ -name: NodeJS with Grunt - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - -jobs: - build: - runs-on: ubuntu-latest - - strategy: - matrix: - node-version: [12.x, 14.x, 16.x] - - steps: - - uses: actions/checkout@v3 - - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 - with: - node-version: ${{ matrix.node-version }} - - - name: Build - run: | - npm install - grunt +name: NodeJS with Grunt + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + runs-on: ubuntu-latest + + strategy: + matrix: + node-version: [12.x, 14.x, 16.x] + + steps: + - uses: actions/checkout@v3 + + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v3 + with: + node-version: ${{ matrix.node-version }} + + - name: Build + run: | + npm install + grunt diff --git a/.github/workflows/npm-gulp.yml b/.github/workflows/npm-gulp.yml index 32297a6..2474c82 100644 --- a/.github/workflows/npm-gulp.yml +++ b/.github/workflows/npm-gulp.yml @@ -1,28 +1,28 @@ -name: NodeJS with Gulp - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - -jobs: - build: - runs-on: ubuntu-latest - - strategy: - matrix: - node-version: [12.x, 14.x, 16.x] - - steps: - - uses: actions/checkout@v3 - - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v3 - with: - node-version: ${{ matrix.node-version }} - - - name: Build - run: | - npm install - gulp +name: NodeJS with Gulp + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + runs-on: ubuntu-latest + + strategy: + matrix: + node-version: [12.x, 14.x, 16.x] + + steps: + - uses: actions/checkout@v3 + + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v3 + with: + node-version: ${{ matrix.node-version }} + + - name: Build + run: | + npm install + gulp 
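Review bot: The Build step runs `npm install` rather than `npm ci`, so the dependency set is re-resolved on every run instead of being taken from the lockfile, unlike node.js.yml and the publish workflows in this same diff; change the run block to `npm ci` followed by `grunt`. The npm-gulp.yml hunk sharing this line has the identical step and needs the same change (`npm ci` then `gulp`). Both hunks appear to be line-ending-only rewrites, so the issue predates the commit.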
diff --git a/.github/workflows/npm-publish-github-packages.yml b/.github/workflows/npm-publish-github-packages.yml index 42f900b..3ca9c50 100644 --- a/.github/workflows/npm-publish-github-packages.yml +++ b/.github/workflows/npm-publish-github-packages.yml @@ -1,36 +1,36 @@ -# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created -# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages - -name: Node.js Package - -on: - release: - types: [created] - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 - with: - node-version: 16 - - run: npm ci - - run: npm test - - publish-gpr: - needs: build - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 - with: - node-version: 16 - registry-url: https://npm.pkg.github.com/ - - run: npm ci - - run: npm publish - env: - NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} +# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created +# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages + +name: Node.js Package + +on: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 16 + - run: npm ci + - run: npm test + + publish-gpr: + needs: build + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 16 + registry-url: https://npm.pkg.github.com/ + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} 
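Review bot: The `publish-gpr` job here duplicates the `publish-gpr` job in npm-publish.yml: both workflows trigger on `release: types: [created]` and both run `npm publish` against `registry-url: https://npm.pkg.github.com/` with the same `NODE_AUTH_TOKEN`, so every release publishes twice and the second attempt fails on an already-existing version. They also disagree on the runtime (`node-version: 16` here, `12` there). Keep the job in one workflow and delete it from the other. The hunk appears to be a line-ending-only rewrite, so this predates the commit.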
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 512c11f..d9018b2 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml 
@@ -1,50 +1,50 @@ -# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created -# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages - -name: Node.js Package - -on: - release: - types: [created] - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 - with: - node-version: 12 - - run: npm ci - - run: npm test - - publish-npm: - needs: build - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 - with: - node-version: 12 - registry-url: https://registry.npmjs.org/ - - run: npm ci - - run: npm publish - env: - NODE_AUTH_TOKEN: ${{secrets.npm_token}} - - publish-gpr: - needs: build - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - steps: - - uses: actions/checkout@v3 - - uses: actions/setup-node@v3 - with: - node-version: 12 - registry-url: https://npm.pkg.github.com/ - - run: npm ci - - run: npm publish - env: - NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} +# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created +# For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages + +name: Node.js Package + +on: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 12 + - run: npm ci + - run: npm test + + publish-npm: + needs: build + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 12 + registry-url: https://registry.npmjs.org/ + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.npm_token}} + + publish-gpr: + needs: build + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + steps: + - uses: 
actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: 12 + registry-url: https://npm.pkg.github.com/ + - run: npm ci + - run: npm publish + env: + NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/openshift.yml b/.github/workflows/openshift.yml index bff4e16..72b17cd 100644 --- a/.github/workflows/openshift.yml +++ b/.github/workflows/openshift.yml 
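Review bot: The `publish-npm` job has no `permissions:` block, so it runs with the repository's default GITHUB_TOKEN grant, while the sibling `publish-gpr` job in the same file is scoped to `contents: read` and `packages: write`; since `publish-npm` only checks out the repository and publishes with `secrets.npm_token`, add `permissions:` with `contents: read` under it. The `build` job needs the same `contents: read` scope for the same reason. The hunk appears to be a line-ending-only rewrite, so this predates the commit.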
@@ -1,187 +1,187 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# 💁 The OpenShift Starter workflow will: -# - Checkout your repository -# - Perform a container image build -# - Push the built image to the GitHub Container Registry (GHCR) -# - Log in to your OpenShift cluster -# - Create an OpenShift app from the image and expose it to the internet - -# ℹ️ Configure your repository and the workflow with the following steps: -# 1. Have access to an OpenShift cluster. Refer to https://www.openshift.com/try -# 2. Create the OPENSHIFT_SERVER and OPENSHIFT_TOKEN repository secrets. Refer to: -# - https://github.com/redhat-actions/oc-login#readme -# - https://docs.github.com/en/actions/reference/encrypted-secrets -# - https://cli.github.com/manual/gh_secret_set -# 3. (Optional) Edit the top-level 'env' section as marked with '🖊️' if the defaults are not suitable for your project. -# 4. (Optional) Edit the build-image step to build your project. -# The default build type is by using a Dockerfile at the root of the repository, -# but can be replaced with a different file, a source-to-image build, or a step-by-step buildah build. -# 5. Commit and push the workflow file to your default branch to trigger a workflow run. - -# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. - -name: OpenShift - -env: - # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context. - # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. 
- # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions - OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} - OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} - # 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace. - OPENSHIFT_NAMESPACE: "" - - # 🖊️ EDIT to set a name for your OpenShift app, or a default one will be generated below. - APP_NAME: "" - - # 🖊️ EDIT with the port your application should be accessible on. - # If the container image exposes *exactly one* port, this can be left blank. - # Refer to the 'port' input of https://github.com/redhat-actions/oc-new-app - APP_PORT: "" - - # 🖊️ EDIT to change the image registry settings. - # Registries such as GHCR, Quay.io, and Docker Hub are supported. - IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} - IMAGE_REGISTRY_USER: ${{ github.actor }} - IMAGE_REGISTRY_PASSWORD: ${{ github.token }} - - # 🖊️ EDIT to specify custom tags for the container image, or default tags will be generated below. - IMAGE_TAGS: "" - -on: - # https://docs.github.com/en/actions/reference/events-that-trigger-workflows - push: - # Edit to the branch(es) you want to build and deploy on each push. - branches: [ master ] - -jobs: - openshift-ci-cd: - name: Build and deploy to OpenShift - # ubuntu-20.04 can also be used. 
- runs-on: ubuntu-18.04 - environment: production - - outputs: - ROUTE: ${{ steps.deploy-and-expose.outputs.route }} - SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} - - steps: - - name: Check for required secrets - uses: actions/github-script@v6 - with: - script: | - const secrets = { - OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, - OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, - }; - - const GHCR = "ghcr.io"; - if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { - core.info(`Image registry is ${GHCR} - no registry password required`); - } - else { - core.info("A registry password is required"); - secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; - } - - const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { - if (value.length === 0) { - core.error(`Secret "${name}" is not set`); - return true; - } - core.info(`✔️ Secret "${name}" is set`); - return false; - }); - - if (missingSecrets.length > 0) { - core.setFailed(`❌ At least one required secret is not set in the repository. 
\n` + - "You can add it using:\n" + - "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + - "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + - "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); - } - else { - core.info(`✅ All the required secrets are set`); - } - - - name: Check out repository - uses: actions/checkout@v3 - - - name: Determine app name - if: env.APP_NAME == '' - run: | - echo "APP_NAME=$(basename $PWD)" | tee -a $GITHUB_ENV - - - name: Determine image tags - if: env.IMAGE_TAGS == '' - run: | - echo "IMAGE_TAGS=latest ${GITHUB_SHA::12}" | tee -a $GITHUB_ENV - - # https://github.com/redhat-actions/buildah-build#readme - - name: Build from Dockerfile - id: build-image - uses: redhat-actions/buildah-build@v2 - with: - image: ${{ env.APP_NAME }} - tags: ${{ env.IMAGE_TAGS }} - - # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs - # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build - # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root. 
- dockerfiles: | - ./Dockerfile - - # https://github.com/redhat-actions/push-to-registry#readme - - name: Push to registry - id: push-image - uses: redhat-actions/push-to-registry@v2 - with: - image: ${{ steps.build-image.outputs.image }} - tags: ${{ steps.build-image.outputs.tags }} - registry: ${{ env.IMAGE_REGISTRY }} - username: ${{ env.IMAGE_REGISTRY_USER }} - password: ${{ env.IMAGE_REGISTRY_PASSWORD }} - - # The path the image was pushed to is now stored in ${{ steps.push-image.outputs.registry-path }} - - - name: Install oc - uses: redhat-actions/openshift-tools-installer@v1 - with: - oc: 4 - - # https://github.com/redhat-actions/oc-login#readme - - name: Log in to OpenShift - uses: redhat-actions/oc-login@v1 - with: - openshift_server_url: ${{ env.OPENSHIFT_SERVER }} - openshift_token: ${{ env.OPENSHIFT_TOKEN }} - insecure_skip_tls_verify: true - namespace: ${{ env.OPENSHIFT_NAMESPACE }} - - # This step should create a deployment, service, and route to run your app and expose it to the internet. - # https://github.com/redhat-actions/oc-new-app#readme - - name: Create and expose app - id: deploy-and-expose - uses: redhat-actions/oc-new-app@v1 - with: - app_name: ${{ env.APP_NAME }} - image: ${{ steps.push-image.outputs.registry-path }} - namespace: ${{ env.OPENSHIFT_NAMESPACE }} - port: ${{ env.APP_PORT }} - - - name: Print application URL - env: - ROUTE: ${{ steps.deploy-and-expose.outputs.route }} - SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} - run: | - [[ -n ${{ env.ROUTE }} ]] || (echo "Determining application route failed in previous step"; exit 1) - echo - echo "======================== Your application is available at: ========================" - echo ${{ env.ROUTE }} - echo "===================================================================================" - echo - echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\"" +# This workflow uses actions that are not certified by GitHub. 
+# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# 💁 The OpenShift Starter workflow will: +# - Checkout your repository +# - Perform a container image build +# - Push the built image to the GitHub Container Registry (GHCR) +# - Log in to your OpenShift cluster +# - Create an OpenShift app from the image and expose it to the internet + +# ℹ️ Configure your repository and the workflow with the following steps: +# 1. Have access to an OpenShift cluster. Refer to https://www.openshift.com/try +# 2. Create the OPENSHIFT_SERVER and OPENSHIFT_TOKEN repository secrets. Refer to: +# - https://github.com/redhat-actions/oc-login#readme +# - https://docs.github.com/en/actions/reference/encrypted-secrets +# - https://cli.github.com/manual/gh_secret_set +# 3. (Optional) Edit the top-level 'env' section as marked with '🖊️' if the defaults are not suitable for your project. +# 4. (Optional) Edit the build-image step to build your project. +# The default build type is by using a Dockerfile at the root of the repository, +# but can be replaced with a different file, a source-to-image build, or a step-by-step buildah build. +# 5. Commit and push the workflow file to your default branch to trigger a workflow run. + +# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. + +name: OpenShift + +env: + # 🖊️ EDIT your repository secrets to log into your OpenShift cluster and set up the context. + # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. + # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions + OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} + OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} + # 🖊️ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace. 
+ OPENSHIFT_NAMESPACE: "" + + # 🖊️ EDIT to set a name for your OpenShift app, or a default one will be generated below. + APP_NAME: "" + + # 🖊️ EDIT with the port your application should be accessible on. + # If the container image exposes *exactly one* port, this can be left blank. + # Refer to the 'port' input of https://github.com/redhat-actions/oc-new-app + APP_PORT: "" + + # 🖊️ EDIT to change the image registry settings. + # Registries such as GHCR, Quay.io, and Docker Hub are supported. + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + IMAGE_REGISTRY_USER: ${{ github.actor }} + IMAGE_REGISTRY_PASSWORD: ${{ github.token }} + + # 🖊️ EDIT to specify custom tags for the container image, or default tags will be generated below. + IMAGE_TAGS: "" + +on: + # https://docs.github.com/en/actions/reference/events-that-trigger-workflows + push: + # Edit to the branch(es) you want to build and deploy on each push. + branches: [ master ] + +jobs: + openshift-ci-cd: + name: Build and deploy to OpenShift + # ubuntu-20.04 can also be used. 
+ runs-on: ubuntu-18.04 + environment: production + + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + + steps: + - name: Check for required secrets + uses: actions/github-script@v6 + with: + script: | + const secrets = { + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const GHCR = "ghcr.io"; + if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { + core.info(`Image registry is ${GHCR} - no registry password required`); + } + else { + core.info("A registry password is required"); + secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; + } + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.error(`Secret "${name}" is not set`); + return true; + } + core.info(`✔️ Secret "${name}" is set`); + return false; + }); + + if (missingSecrets.length > 0) { + core.setFailed(`❌ At least one required secret is not set in the repository. 
\n` + + "You can add it using:\n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`✅ All the required secrets are set`); + } + + - name: Check out repository + uses: actions/checkout@v3 + + - name: Determine app name + if: env.APP_NAME == '' + run: | + echo "APP_NAME=$(basename $PWD)" | tee -a $GITHUB_ENV + + - name: Determine image tags + if: env.IMAGE_TAGS == '' + run: | + echo "IMAGE_TAGS=latest ${GITHUB_SHA::12}" | tee -a $GITHUB_ENV + + # https://github.com/redhat-actions/buildah-build#readme + - name: Build from Dockerfile + id: build-image + uses: redhat-actions/buildah-build@v2 + with: + image: ${{ env.APP_NAME }} + tags: ${{ env.IMAGE_TAGS }} + + # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs + # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build + # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root. 
+ dockerfiles: | + ./Dockerfile + + # https://github.com/redhat-actions/push-to-registry#readme + - name: Push to registry + id: push-image + uses: redhat-actions/push-to-registry@v2 + with: + image: ${{ steps.build-image.outputs.image }} + tags: ${{ steps.build-image.outputs.tags }} + registry: ${{ env.IMAGE_REGISTRY }} + username: ${{ env.IMAGE_REGISTRY_USER }} + password: ${{ env.IMAGE_REGISTRY_PASSWORD }} + + # The path the image was pushed to is now stored in ${{ steps.push-image.outputs.registry-path }} + + - name: Install oc + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: 4 + + # https://github.com/redhat-actions/oc-login#readme + - name: Log in to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.OPENSHIFT_NAMESPACE }} + + # This step should create a deployment, service, and route to run your app and expose it to the internet. + # https://github.com/redhat-actions/oc-new-app#readme + - name: Create and expose app + id: deploy-and-expose + uses: redhat-actions/oc-new-app@v1 + with: + app_name: ${{ env.APP_NAME }} + image: ${{ steps.push-image.outputs.registry-path }} + namespace: ${{ env.OPENSHIFT_NAMESPACE }} + port: ${{ env.APP_PORT }} + + - name: Print application URL + env: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + run: | + [[ -n ${{ env.ROUTE }} ]] || (echo "Determining application route failed in previous step"; exit 1) + echo + echo "======================== Your application is available at: ========================" + echo ${{ env.ROUTE }} + echo "===================================================================================" + echo + echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\"" 
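Review bot: In the `Check for required secrets` step the secrets are inlined into the JavaScript source through `${{ secrets.OPENSHIFT_TOKEN }}` inside template literals, so the secret value becomes part of the evaluated script text and a value containing a backtick or `${` breaks the script; pass them through the step's `env:` and read `process.env` instead, as sketched below. `insecure_skip_tls_verify: true` in the oc-login step disables verification of the cluster API certificate, so the token in `OPENSHIFT_TOKEN` is presented to whatever answers at `OPENSHIFT_SERVER`; set it to `false` and supply the cluster CA to the action. `runs-on: ubuntu-18.04` names a GitHub-hosted runner image that has been retired, so the job cannot be scheduled; use `ubuntu-latest` or a currently supported pinned image. The hunk appears to be a line-ending-only rewrite of the whole file, so these predate the commit.
```yaml
      - name: Check for required secrets
        uses: actions/github-script@v6
        env:
          OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
          OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
          IMAGE_REGISTRY_PASSWORD: ${{ secrets.IMAGE_REGISTRY_PASSWORD }}
        with:
          script: |
            const secrets = {
              OPENSHIFT_SERVER: process.env.OPENSHIFT_SERVER || "",
              OPENSHIFT_TOKEN: process.env.OPENSHIFT_TOKEN || "",
            };
            // … unchanged: GHCR registry check …
              secrets["IMAGE_REGISTRY_PASSWORD"] = process.env.IMAGE_REGISTRY_PASSWORD || "";
            // … unchanged: missingSecrets filter and reporting …
```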
diff --git a/.github/workflows/ossar-analysis.yml b/.github/workflows/ossar-analysis.yml index 460c678..2ab5a2f 100644 --- a/.github/workflows/ossar-analysis.yml +++ b/.github/workflows/ossar-analysis.yml 
@@ -1,44 +1,44 @@ -# This workflow integrates a collection of open source static analysis tools -# with GitHub code scanning. For documentation, or to provide feedback, visit -# https://github.com/github/ossar-action -name: OSSAR - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '39 16 * * 6' - -jobs: - OSSAR-Scan: - # OSSAR runs on windows-latest. - # ubuntu-latest and macos-latest support coming soon - runs-on: windows-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Ensure a compatible version of dotnet is installed. - # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. - # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. - # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. - # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: - # - name: Install .NET - # uses: actions/setup-dotnet@v1 - # with: - # dotnet-version: '3.1.x' - - # Run open source static analysis tools - - name: Run OSSAR - uses: github/ossar-action@v1 - id: ossar - - # Upload results to the Security tab - - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ${{ steps.ossar.outputs.sarifFile }} +# This workflow integrates a collection of open source static analysis tools +# with GitHub code scanning. For documentation, or to provide feedback, visit +# https://github.com/github/ossar-action +name: OSSAR + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '39 16 * * 6' + +jobs: + OSSAR-Scan: + # OSSAR runs on windows-latest. 
+ # ubuntu-latest and macos-latest support coming soon + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Ensure a compatible version of dotnet is installed. + # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. + # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. + # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. + # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: + # - name: Install .NET + # uses: actions/setup-dotnet@v1 + # with: + # dotnet-version: '3.1.x' + + # Run open source static analysis tools + - name: Run OSSAR + uses: github/ossar-action@v1 + id: ossar + + # Upload results to the Security tab + - name: Upload OSSAR results + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml index c86ca2a..79feada 100644 --- a/.github/workflows/ossar.yml +++ b/.github/workflows/ossar.yml 
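Review bot: This workflow has no `permissions:` block, so the `Upload OSSAR results` step depends on the repository's default GITHUB_TOKEN grant including `security-events: write`, which ossar.yml in the same diff sets explicitly (`contents: read` and `security-events: write` on the job) and a restricted default would deny; add the same job-level `permissions:` here. The two files are otherwise the same `OSSAR` workflow on different cron schedules, so keeping ossar.yml and deleting this one would be simpler than maintaining both. The hunk appears to be a line-ending-only rewrite, so this predates the commit.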
@@ -1,59 +1,59 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow integrates a collection of open source static analysis tools -# with GitHub code scanning. For documentation, or to provide feedback, visit -# https://github.com/github/ossar-action -name: OSSAR - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '22 3 * * 1' - -permissions: - contents: read - -jobs: - OSSAR-Scan: - # OSSAR runs on windows-latest. - # ubuntu-latest and macos-latest support coming soon - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: windows-latest - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Ensure a compatible version of dotnet is installed. - # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. - # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. - # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. 
- # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: - # - name: Install .NET - # uses: actions/setup-dotnet@v2 - # with: - # dotnet-version: '3.1.x' - - # Run open source static analysis tools - - name: Run OSSAR - uses: github/ossar-action@v1 - id: ossar - - # Upload results to the Security tab - - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ${{ steps.ossar.outputs.sarifFile }} - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow integrates a collection of open source static analysis tools +# with GitHub code scanning. For documentation, or to provide feedback, visit +# https://github.com/github/ossar-action +name: OSSAR + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '22 3 * * 1' + +permissions: + contents: read + +jobs: + OSSAR-Scan: + # OSSAR runs on windows-latest. + # ubuntu-latest and macos-latest support coming soon + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Ensure a compatible version of dotnet is installed. + # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. + # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. + # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped. 
+ # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action: + # - name: Install .NET + # uses: actions/setup-dotnet@v2 + # with: + # dotnet-version: '3.1.x' + + # Run open source static analysis tools + - name: Run OSSAR + uses: github/ossar-action@v1 + id: ossar + + # Upload results to the Security tab + - name: Upload OSSAR results + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{ steps.ossar.outputs.sarifFile }} + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/pmd.yml b/.github/workflows/pmd.yml index ecc70d7..b92e7ef 100644 --- a/.github/workflows/pmd.yml +++ b/.github/workflows/pmd.yml 
@@ -1,46 +1,46 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -name: pmd - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - schedule: - - cron: '15 8 * * 1' - -permissions: - contents: read - -jobs: - pmd-code-scan: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Set up JDK 11 - uses: actions/setup-java@v3 - with: - java-version: '11' - distribution: 'temurin' - - name: Run PMD - id: pmd - uses: pmd/pmd-github-action@26c0078b0f7ddbdd322f83d28cfd0eaf6985ab6c - with: - rulesets: 'rulesets/java/quickstart.xml' - sourcePath: 'src/main/java' - analyzeModifiedFilesOnly: false - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: pmd-report.sarif - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. 
+ +name: pmd + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '15 8 * * 1' + +permissions: + contents: read + +jobs: + pmd-code-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up JDK 11 + uses: actions/setup-java@v3 + with: + java-version: '11' + distribution: 'temurin' + - name: Run PMD + id: pmd + uses: pmd/pmd-github-action@26c0078b0f7ddbdd322f83d28cfd0eaf6985ab6c + with: + rulesets: 'rulesets/java/quickstart.xml' + sourcePath: 'src/main/java' + analyzeModifiedFilesOnly: false + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: pmd-report.sarif + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/powershell.yml b/.github/workflows/powershell.yml index 528c153..7093036 100644 --- a/.github/workflows/powershell.yml +++ b/.github/workflows/powershell.yml 
@@ -1,52 +1,52 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# -# https://github.com/microsoft/action-psscriptanalyzer -# For more information on PSScriptAnalyzer in general, see -# https://github.com/PowerShell/PSScriptAnalyzer - -name: PSScriptAnalyzer - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - schedule: - - cron: '31 9 * * 3' - -permissions: - contents: read - -jobs: - build: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - name: PSScriptAnalyzer - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - - name: Run PSScriptAnalyzer - uses: microsoft/psscriptanalyzer-action@7a0da25f33985767f15f93140306528900744195 - with: - # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. - # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. - path: .\ - recurse: true - # Include your own basic security rules. Removing this option will run all the rules - includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"' - output: results.sarif - - # Upload the SARIF file generated in the previous step - - name: Upload SARIF results file - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: results.sarif - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. 
+# +# https://github.com/microsoft/action-psscriptanalyzer +# For more information on PSScriptAnalyzer in general, see +# https://github.com/PowerShell/PSScriptAnalyzer + +name: PSScriptAnalyzer + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '31 9 * * 3' + +permissions: + contents: read + +jobs: + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + name: PSScriptAnalyzer + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + + - name: Run PSScriptAnalyzer + uses: microsoft/psscriptanalyzer-action@7a0da25f33985767f15f93140306528900744195 + with: + # Check https://github.com/microsoft/action-psscriptanalyzer for more info about the options. + # The below set up runs PSScriptAnalyzer to your entire repository and runs some basic security rules. + path: .\ + recurse: true + # Include your own basic security rules. Removing this option will run all the rules + includeRule: '"PSAvoidGlobalAliases", "PSAvoidUsingConvertToSecureStringWithPlainText"' + output: results.sarif + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml index 764e519..20e58e9 100644 --- a/.github/workflows/python-app.yml +++ b/.github/workflows/python-app.yml 
@@ -1,36 +1,36 @@ -# This workflow will install Python dependencies, run tests and lint with a single version of Python -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions - -name: Python application - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - -jobs: - build: - - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - name: Set up Python 3.9 - uses: actions/setup-python@v4 - with: - python-version: 3.9 - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install flake8 pytest - if [ -f requirements.txt ]; then pip install -r requirements.txt; fi - - name: Lint with flake8 - run: | - # stop the build if there are Python syntax errors or undefined names - flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics - # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide - flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics - - name: Test with pytest - run: | - pytest +# This workflow will install Python dependencies, run tests and lint with a single version of Python +# For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions + +name: Python application + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - name: Set up Python 3.9 + uses: actions/setup-python@v4 + with: + python-version: 3.9 + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install flake8 pytest + if [ -f requirements.txt ]; then pip install -r requirements.txt; fi + - name: Lint with flake8 + run: | + # stop the build if there are Python syntax errors or undefined names + flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics + # exit-zero treats all errors as warnings. 
The GitHub editor is 127 chars wide + flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics + - name: Test with pytest + run: | + pytest diff --git a/.github/workflows/rubocop.yml b/.github/workflows/rubocop.yml index e5fb460..b9decee 100644 --- a/.github/workflows/rubocop.yml +++ b/.github/workflows/rubocop.yml 
@@ -1,52 +1,52 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# pulled from repo -name: "Rubocop" - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '34 23 * * 6' - -jobs: - rubocop: - runs-on: ubuntu-latest - strategy: - fail-fast: false - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # If running on a self-hosted runner, check it meets the requirements - # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners - - name: Set up Ruby - uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 - with: - ruby-version: 2.6 - - # This step is not necessary if you add the gem to your Gemfile - - name: Install Code Scanning integration - run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install - - - name: Install dependencies - run: bundle install - - - name: Rubocop run - run: | - bash -c " - bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif - [[ $? -ne 2 ]] - " - - - name: Upload Sarif output - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: rubocop.sarif +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. 
+ +# pulled from repo +name: "Rubocop" + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '34 23 * * 6' + +jobs: + rubocop: + runs-on: ubuntu-latest + strategy: + fail-fast: false + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # If running on a self-hosted runner, check it meets the requirements + # listed at https://github.com/ruby/setup-ruby#using-self-hosted-runners + - name: Set up Ruby + uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 + with: + ruby-version: 2.6 + + # This step is not necessary if you add the gem to your Gemfile + - name: Install Code Scanning integration + run: bundle add code-scanning-rubocop --version 0.3.0 --skip-install + + - name: Install dependencies + run: bundle install + + - name: Rubocop run + run: | + bash -c " + bundle exec rubocop --require code_scanning --format CodeScanning::SarifFormatter -o rubocop.sarif + [[ $? -ne 2 ]] + " + + - name: Upload Sarif output + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: rubocop.sarif diff --git a/.github/workflows/rust-clippy.yml b/.github/workflows/rust-clippy.yml index 6603848..c692045 100644 --- a/.github/workflows/rust-clippy.yml +++ b/.github/workflows/rust-clippy.yml 
@@ -1,59 +1,59 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# rust-clippy is a tool that runs a bunch of lints to catch common -# mistakes in your Rust code and help improve your Rust code. -# More details at https://github.com/rust-lang/rust-clippy -# and https://rust-lang.github.io/rust-clippy/ - -name: rust-clippy analyze - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '19 8 * * 5' - -jobs: - rust-clippy-analyze: - name: Run rust-clippy analyzing - runs-on: ubuntu-latest - permissions: - contents: read - security-events: write - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Install Rust toolchain - uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1 - with: - profile: minimal - toolchain: stable - components: clippy - override: true - - - name: Install required cargo - run: cargo install clippy-sarif sarif-fmt - - - name: Run rust-clippy - run: - cargo clippy - --all-features - --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt - continue-on-error: true - - - name: Upload analysis results to GitHub - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: rust-clippy-results.sarif - wait-for-processing: true - - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# rust-clippy is a tool that runs a bunch of lints to catch common +# mistakes in your Rust code and help improve your Rust code. 
+# More details at https://github.com/rust-lang/rust-clippy +# and https://rust-lang.github.io/rust-clippy/ + +name: rust-clippy analyze + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '19 8 * * 5' + +jobs: + rust-clippy-analyze: + name: Run rust-clippy analyzing + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install Rust toolchain + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1 + with: + profile: minimal + toolchain: stable + components: clippy + override: true + + - name: Install required cargo + run: cargo install clippy-sarif sarif-fmt + + - name: Run rust-clippy + run: + cargo clippy + --all-features + --message-format=json | clippy-sarif | tee rust-clippy-results.sarif | sarif-fmt + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: rust-clippy-results.sarif + wait-for-processing: true + + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 3e77b92..6775364 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -1,55 +1,55 @@ -name: Scorecards supply-chain security -on: - # Only the default branch is supported. - branch_protection_rule: - schedule: - - cron: '35 8 * * 1' - push: - branches: [ master ] - -# Declare default permissions as read only. -permissions: read-all - -jobs: - analysis: - name: Scorecards analysis - runs-on: ubuntu-latest - permissions: - # Needed to upload the results to code-scanning dashboard. - security-events: write - actions: read - contents: read - - steps: - - name: "Checkout code" - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - with: - persist-credentials: false - - - name: "Run analysis" - uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 - with: - results_file: results.sarif - results_format: sarif - # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, - # regardless of the value entered here. - publish_results: true - - # Upload the results as artifacts (optional). - - name: "Upload artifact" - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@004c5de30b6423267685b897a3d595e944f7fed5 # v2.20.2 - with: - sarif_file: results.sarif +name: Scorecards supply-chain security +on: + # Only the default branch is supported. + branch_protection_rule: + schedule: + - cron: '35 8 * * 1' + push: + branches: [ master ] + +# Declare default permissions as read only. 
+permissions: read-all + +jobs: + analysis: + name: Scorecards analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + actions: read + contents: read + + steps: + - name: "Checkout code" + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 + with: + results_file: results.sarif + results_format: sarif + # Read-only PAT token. To create it, + # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. + repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} + # Publish the results to enable scorecard badges. For more details, see + # https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories, `publish_results` will automatically be set to `false`, + # regardless of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). + - name: "Upload artifact" + uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@004c5de30b6423267685b897a3d595e944f7fed5 # v2.20.2 + with: + sarif_file: results.sarif diff --git a/.github/workflows/securitycodescan.yml b/.github/workflows/securitycodescan.yml index c47254c..d53247d 100644 --- a/.github/workflows/securitycodescan.yml +++ b/.github/workflows/securitycodescan.yml 
@@ -1,41 +1,41 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature -# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET - -name: SecurityCodeScan - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '35 12 * * 2' - -jobs: - SCS: - runs-on: windows-latest - steps: - - uses: actions/checkout@v3 - - uses: nuget/setup-nuget@296fd3ccf8528660c91106efefe2364482f86d6f - - uses: microsoft/setup-msbuild@v1.3.1 - - - name: Set up projects for analysis - uses: security-code-scan/security-code-scan-add-action@2439fb4aaeda4ad590a7c8bde327d159d03875fd - - - name: Restore dependencies - run: dotnet restore - - - name: Build - run: dotnet build --no-restore - - - name: Convert sarif for uploading to GitHub - uses: security-code-scan/security-code-scan-results-action@579058214e4be88ce9eea302f1fb74df1b8bc1ed - - - name: Upload sarif - uses: github/codeql-action/upload-sarif@v2 +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. 
+ +# This workflow integrates SecurityCodeScan with GitHub's Code Scanning feature +# SecurityCodeScan is a vulnerability patterns detector for C# and VB.NET + +name: SecurityCodeScan + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '35 12 * * 2' + +jobs: + SCS: + runs-on: windows-latest + steps: + - uses: actions/checkout@v3 + - uses: nuget/setup-nuget@296fd3ccf8528660c91106efefe2364482f86d6f + - uses: microsoft/setup-msbuild@v1.3.1 + + - name: Set up projects for analysis + uses: security-code-scan/security-code-scan-add-action@2439fb4aaeda4ad590a7c8bde327d159d03875fd + + - name: Restore dependencies + run: dotnet restore + + - name: Build + run: dotnet build --no-restore + + - name: Convert sarif for uploading to GitHub + uses: security-code-scan/security-code-scan-results-action@579058214e4be88ce9eea302f1fb74df1b8bc1ed + + - name: Upload sarif + uses: github/codeql-action/upload-sarif@v2 diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index ed26c02..2d6b88a 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml 
@@ -1,52 +1,52 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow file requires a free account on Semgrep.dev to -# manage rules, file ignores, notifications, and more. -# -# See https://semgrep.dev/docs - -name: Semgrep - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '36 7 * * 3' - -permissions: - contents: read - -jobs: - semgrep: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - name: Scan - runs-on: ubuntu-latest - steps: - # Checkout project source - - uses: actions/checkout@v3 - - # Scan code using project's configuration on https://semgrep.dev/manage - - uses: returntocorp/semgrep-action@316a1751c53ffb6689b8726910e8204ffb591b4f - with: - publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} - publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} - generateSarif: "1" - - # Upload SARIF file generated in previous step - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: semgrep.sarif - if: always() - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow file requires a free account on Semgrep.dev to +# manage rules, file ignores, notifications, and more. 
+# +# See https://semgrep.dev/docs + +name: Semgrep + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '36 7 * * 3' + +permissions: + contents: read + +jobs: + semgrep: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + name: Scan + runs-on: ubuntu-latest + steps: + # Checkout project source + - uses: actions/checkout@v3 + + # Scan code using project's configuration on https://semgrep.dev/manage + - uses: returntocorp/semgrep-action@316a1751c53ffb6689b8726910e8204ffb591b4f + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + publishDeployment: ${{ secrets.SEMGREP_DEPLOYMENT_ID }} + generateSarif: "1" + + # Upload SARIF file generated in previous step + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: semgrep.sarif + if: always() + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/snyk-container.yml b/.github/workflows/snyk-container.yml index bc3ab94..f40bddf 100644 --- a/.github/workflows/snyk-container.yml +++ b/.github/workflows/snyk-container.yml 
@@ -1,54 +1,54 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# A sample workflow which checks out the code, builds a container -# image using Docker and scans that image for vulnerabilities using -# Snyk. The results are then uploaded to GitHub Security Code Scanning -# -# For more examples, including how to limit scans to only high-severity -# issues, monitor images for newly disclosed vulnerabilities in Snyk and -# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/ - -name: Snyk Container - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '16 1 * * 0' - -permissions: - contents: read - -jobs: - snyk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Build a Docker image - run: docker build -t your/image-to-test . - - name: Run Snyk to check Docker image for vulnerabilities - # Snyk can be used to break the build when it detects vulnerabilities. - # In this case we want to upload the issues to GitHub Code Scanning - continue-on-error: true - uses: snyk/actions/docker@87b58602664ec2c1c4fd286e2dcf71f2c5a331d6 - env: - # In order to use the Snyk Action you will need to have a Snyk API token. 
- # More details in https://github.com/snyk/actions#getting-your-snyk-token - # or you can signup for free at https://snyk.io/login - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - image: your/image-to-test - args: --file=Dockerfile - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk.sarif +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out the code, builds a container +# image using Docker and scans that image for vulnerabilities using +# Snyk. The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity +# issues, monitor images for newly disclosed vulnerabilities in Snyk and +# fail PR checks for new vulnerabilities, see https://github.com/snyk/actions/ + +name: Snyk Container + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '16 1 * * 0' + +permissions: + contents: read + +jobs: + snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Build a Docker image + run: docker build -t your/image-to-test . + - name: Run Snyk to check Docker image for vulnerabilities + # Snyk can be used to break the build when it detects vulnerabilities. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/docker@87b58602664ec2c1c4fd286e2dcf71f2c5a331d6 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. 
+ # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + image: your/image-to-test + args: --file=Dockerfile + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk.sarif diff --git a/.github/workflows/snyk-infrastructure.yml b/.github/workflows/snyk-infrastructure.yml index 10dcd72..c86ff72 100644 --- a/.github/workflows/snyk-infrastructure.yml +++ b/.github/workflows/snyk-infrastructure.yml 
@@ -1,53 +1,53 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# A sample workflow which checks out your Infrastructure as Code Configuration files, -# such as Kubernetes, Helm & Terraform and scans them for any security issues. -# The results are then uploaded to GitHub Security Code Scanning -# -# For more examples, including how to limit scans to only high-severity issues -# and fail PR checks, see https://github.com/snyk/actions/ - -name: Snyk Infrastructure as Code - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '32 1 * * 6' - -permissions: - contents: read - -jobs: - snyk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v3 - - name: Run Snyk to check configuration files for security issues - # Snyk can be used to break the build when it detects security issues. - # In this case we want to upload the issues to GitHub Code Scanning - continue-on-error: true - uses: snyk/actions/iac@87b58602664ec2c1c4fd286e2dcf71f2c5a331d6 - env: - # In order to use the Snyk Action you will need to have a Snyk API token. - # More details in https://github.com/snyk/actions#getting-your-snyk-token - # or you can signup for free at https://snyk.io/login - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - with: - # Add the path to the configuration file that you would like to test. 
- # For example `deployment.yaml` for a Kubernetes deployment manifest - # or `main.tf` for a Terraform configuration file - file: your-file-to-test.yaml - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: snyk.sarif +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which checks out your Infrastructure as Code Configuration files, +# such as Kubernetes, Helm & Terraform and scans them for any security issues. +# The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Infrastructure as Code + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '32 1 * * 6' + +permissions: + contents: read + +jobs: + snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Run Snyk to check configuration files for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/iac@87b58602664ec2c1c4fd286e2dcf71f2c5a331d6 + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + # Add the path to the configuration file that you would like to test. 
+ # For example `deployment.yaml` for a Kubernetes deployment manifest + # or `main.tf` for a Terraform configuration file + file: your-file-to-test.yaml + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk.sarif diff --git a/.github/workflows/sobelow.yml b/.github/workflows/sobelow.yml index ac0a75b..cbfc298 100644 --- a/.github/workflows/sobelow.yml +++ b/.github/workflows/sobelow.yml 
@@ -1,40 +1,40 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# -# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/ -# -# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. -# -# Instructions: -# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository -# and review the "Security" tab once the action has run. -name: Sobelow - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - schedule: - - cron: '45 13 * * 2' - -permissions: - contents: read - -jobs: - security-scan: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - id: run-action - uses: sobelow/action@85a7af55ecfe77cbecbae704398af72df079165e - - name: Upload report - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: results.sarif +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/ +# +# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository. +# +# Instructions: +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Security" tab once the action has run. 
+name: Sobelow + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '45 13 * * 2' + +permissions: + contents: read + +jobs: + security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + - id: run-action + uses: sobelow/action@85a7af55ecfe77cbecbae704398af72df079165e + - name: Upload report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index fcb8a91..72018af 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
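Review bot: `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` are referenced by mutable tag while `sobelow/action` is pinned to a full commit SHA, so the supply-chain protection in this job is only partial; the same mixed or tag-only pinning appears in the StackHawk, Synopsys, Sysdig and Tencent hunks. Pin every action to a full commit SHA and keep the version in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3` (placeholder SHA). Separately, the header's "Instructions:" list starts at step 2 with no step 1, so either restore the missing step or renumber. Every line in this hunk is removed and re-added with identical content, which suggests a line-ending or encoding rewrite rather than a content change; a `.gitattributes` rule such as `* text=auto eol=lf` would keep that churn from recurring.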
@@ -1,68 +1,68 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow helps you trigger a SonarCloud analysis of your code and populates -# GitHub Code Scanning alerts with the vulnerabilities found. -# Free for open source project. - -# 1. Login to SonarCloud.io using your GitHub account - -# 2. Import your project on SonarCloud -# * Add your GitHub organization first, then add your repository as a new project. -# * Please note that many languages are eligible for automatic analysis, -# which means that the analysis will start automatically without the need to set up GitHub Actions. -# * This behavior can be changed in Administration > Analysis Method. -# -# 3. Follow the SonarCloud in-product tutorial -# * a. Copy/paste the Project Key and the Organization Key into the args parameter below -# (You'll find this information in SonarCloud. Click on "Information" at the bottom left) -# -# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN -# (On SonarCloud, click on your avatar on top-right > My account > Security -# or go directly to https://sonarcloud.io/account/security/) - -# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) -# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) - -name: SonarCloud analysis - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - workflow_dispatch: - -permissions: - pull-requests: read # allows SonarCloud to decorate PRs with analysis results - -jobs: - Analysis: - runs-on: ubuntu-latest - - steps: - - name: Analyze with SonarCloud - - # You can pin the exact commit or the version. 
- # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 - uses: SonarSource/sonarcloud-github-action@9c0534dd12d09f22d69fbb301a1955249e49d910 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) - with: - # Additional arguments for the sonarcloud scanner - args: - # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) - # mandatory - -Dsonar.projectKey= - -Dsonar.organization= - # Comma-separated paths to directories containing main source files. - #-Dsonar.sources= # optional, default is project base directory - # When you need the analysis to take place in a directory other than the one from which it was launched - #-Dsonar.projectBaseDir= # optional, default is . - # Comma-separated paths to directories containing test source files. - #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ - # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. - #-Dsonar.verbose= # optional, default is false +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow helps you trigger a SonarCloud analysis of your code and populates +# GitHub Code Scanning alerts with the vulnerabilities found. +# Free for open source project. + +# 1. Login to SonarCloud.io using your GitHub account + +# 2. 
Import your project on SonarCloud +# * Add your GitHub organization first, then add your repository as a new project. +# * Please note that many languages are eligible for automatic analysis, +# which means that the analysis will start automatically without the need to set up GitHub Actions. +# * This behavior can be changed in Administration > Analysis Method. +# +# 3. Follow the SonarCloud in-product tutorial +# * a. Copy/paste the Project Key and the Organization Key into the args parameter below +# (You'll find this information in SonarCloud. Click on "Information" at the bottom left) +# +# * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN +# (On SonarCloud, click on your avatar on top-right > My account > Security +# or go directly to https://sonarcloud.io/account/security/) + +# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/) +# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9) + +name: SonarCloud analysis + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + workflow_dispatch: + +permissions: + pull-requests: read # allows SonarCloud to decorate PRs with analysis results + +jobs: + Analysis: + runs-on: ubuntu-latest + + steps: + - name: Analyze with SonarCloud + + # You can pin the exact commit or the version. + # uses: SonarSource/sonarcloud-github-action@de2e56b42aa84d0b1c5b622644ac17e505c9a049 + uses: SonarSource/sonarcloud-github-action@9c0534dd12d09f22d69fbb301a1955249e49d910 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret) + with: + # Additional arguments for the sonarcloud scanner + args: + # Unique keys of your project and organization. 
You can find them in SonarCloud > Information (bottom-left menu) + # mandatory + -Dsonar.projectKey= + -Dsonar.organization= + # Comma-separated paths to directories containing main source files. + #-Dsonar.sources= # optional, default is project base directory + # When you need the analysis to take place in a directory other than the one from which it was launched + #-Dsonar.projectBaseDir= # optional, default is . + # Comma-separated paths to directories containing test source files. + #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ + # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. + #-Dsonar.verbose= # optional, default is false
diff --git a/.github/workflows/stackhawk.yml b/.github/workflows/stackhawk.yml
index 41e75cd..31cc1e8 100644
--- a/.github/workflows/stackhawk.yml
+++ b/.github/workflows/stackhawk.yml
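Review bot: `-Dsonar.projectKey=` and `-Dsonar.organization=` are left empty in the `args:` block, so the scanner is invoked without a project or organization and the step cannot succeed on any of its triggers. The header comment (step 3a) says to fill these in; until that is done the workflow should be removed or disabled rather than committed as a job that fails on every push to master and every pull request. The `Analysis` job also has no `actions/checkout` step before the SonarCloud action, so unless that action fetches the sources itself (not visible here), the analysis runs against an empty workspace; the other scanning workflows in this commit all check out first.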
@@ -1,67 +1,67 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# 🦅 STACKHAWK https://stackhawk.com - -# The StackHawk HawkScan action makes it easy to integrate dynamic application security testing (DAST) into your -# CI pipeline. See the Getting Started guide (https://docs.stackhawk.com/hawkscan/) to get up and running with -# StackHawk quickly. - -# To use this workflow, you must: -# -# 1. Create an API Key and Application: Sign up for a free StackHawk account to obtain an API Key and -# create your first app and configuration file at https://app.stackhawk.com. -# -# 2. Save your API Key as a Secret: Save your API key as a GitHub Secret named HAWK_API_KEY. -# -# 3. Add your Config File: Add your stackhawk.yml configuration file to the base of your repository directory. -# -# 4. Set the Scan Failure Threshold: Add the hawk.failureThreshold configuration option -# (https://docs.stackhawk.com/hawkscan/configuration/#hawk) to your stackhawk.yml configuration file. If your scan -# produces alerts that meet or exceed the hawk.failureThreshold alert level, the scan will return exit code 42 -# and trigger a Code Scanning alert with a link to your scan results. -# -# 5. Update the "Start your service" Step: Update the "Start your service" step in the StackHawk workflow below to -# start your service so that it can be scanned with the "Run HawkScan" step. 
- - -name: "StackHawk" - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - schedule: - - cron: '37 21 * * 1' - -permissions: - contents: read - -jobs: - stackhawk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info - name: StackHawk - runs-on: ubuntu-20.04 - steps: - - name: Checkout code - uses: actions/checkout@v3 - - - name: Start your service - run: ./your-service.sh & # ✏️ Update this to run your own service to be scanned - - - name: Run HawkScan - uses: stackhawk/hawkscan-action@81fe3cc71a944ab0e47e04bd41e2b42bf2ff7a4b - continue-on-error: true # ✏️ Set to false to break your build on scan errors - with: - apiKey: ${{ secrets.HAWK_API_KEY }} - codeScanningAlerts: true - githubToken: ${{ github.token }} - - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v3 - env: - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# 🦅 STACKHAWK https://stackhawk.com + +# The StackHawk HawkScan action makes it easy to integrate dynamic application security testing (DAST) into your +# CI pipeline. See the Getting Started guide (https://docs.stackhawk.com/hawkscan/) to get up and running with +# StackHawk quickly. + +# To use this workflow, you must: +# +# 1. Create an API Key and Application: Sign up for a free StackHawk account to obtain an API Key and +# create your first app and configuration file at https://app.stackhawk.com. +# +# 2. Save your API Key as a Secret: Save your API key as a GitHub Secret named HAWK_API_KEY. +# +# 3. Add your Config File: Add your stackhawk.yml configuration file to the base of your repository directory. +# +# 4. 
Set the Scan Failure Threshold: Add the hawk.failureThreshold configuration option +# (https://docs.stackhawk.com/hawkscan/configuration/#hawk) to your stackhawk.yml configuration file. If your scan +# produces alerts that meet or exceed the hawk.failureThreshold alert level, the scan will return exit code 42 +# and trigger a Code Scanning alert with a link to your scan results. +# +# 5. Update the "Start your service" Step: Update the "Start your service" step in the StackHawk workflow below to +# start your service so that it can be scanned with the "Run HawkScan" step. + + +name: "StackHawk" + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '37 21 * * 1' + +permissions: + contents: read + +jobs: + stackhawk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for stackhawk/hawkscan-action to upload code scanning alert info + name: StackHawk + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Start your service + run: ./your-service.sh & # ✏️ Update this to run your own service to be scanned + + - name: Run HawkScan + uses: stackhawk/hawkscan-action@81fe3cc71a944ab0e47e04bd41e2b42bf2ff7a4b + continue-on-error: true # ✏️ Set to false to break your build on scan errors + with: + apiKey: ${{ secrets.HAWK_API_KEY }} + codeScanningAlerts: true + githubToken: ${{ github.token }} + - name: Upload coverage reports to Codecov + uses: codecov/codecov-action@v3 + env: + CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/synopsys-io.yml b/.github/workflows/synopsys-io.yml
index 3797e95..f5827df 100644
--- a/.github/workflows/synopsys-io.yml
+++ b/.github/workflows/synopsys-io.yml
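Review bot: `run: ./your-service.sh &` is still the template placeholder, so the "Start your service" step launches nothing and HawkScan is pointed at a service that is not up; because the scan step keeps `continue-on-error: true`, that failure does not fail the job and the workflow reports green without having tested anything. Replace it with the real start command, and follow the header's step 4 (`hawk.failureThreshold` in `stackhawk.yml`) before switching `continue-on-error` to `false` so real findings block the build. The trailing "Upload coverage reports to Codecov" step does not belong in a DAST job — nothing here produces coverage — and it hands `CODECOV_TOKEN` to a step with no artifact to upload, so drop it or move it to the test workflow. `runs-on: ubuntu-20.04` is also an end-of-life runner image; the other workflows in this commit use `ubuntu-latest`.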
@@ -1,77 +1,77 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -name: Synopsys Intelligent Security Scan - -on: - push: - branches: [ master ] - pull_request: - # The branches below must be a subset of the branches above - branches: [ master ] - schedule: - - cron: '33 10 * * 4' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - - name: Synopsys Intelligent Security Scan - id: prescription - uses: synopsys-sig/intelligent-security-scan@33c8084571f0ad75fd2f370d7c8d10a021927599 - with: - ioServerUrl: ${{secrets.IO_SERVER_URL}} - ioServerToken: ${{secrets.IO_SERVER_TOKEN}} - workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} - additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} - stage: "IO" - - # Please note that the ID in previous step was set to prescription - # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN - # is defined in settings - - name: Static Analysis with Polaris - if: ${{steps.prescription.outputs.sastScan == 'true' }} - run: | - export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} - export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} - wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip - unzip -j polaris_cli-linux64.zip -d /tmp - /tmp/polaris analyze -w - - # Please note that the ID in previous step was set to prescription - # in order for this logic to work - - name: Software Composition Analysis with Black Duck - if: ${{steps.prescription.outputs.scaScan == 'true' }} - uses: blackducksoftware/github-action@c106efe02c9ec3ba54a319d9da2c5b105a9af4fc - with: - args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" 
--blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' - - - name: Synopsys Intelligent Security Scan - if: ${{ steps.prescription.outputs.sastScan == 'true' || steps.prescription.outputs.scaScan == 'true' }} - uses: synopsys-sig/intelligent-security-scan@33c8084571f0ad75fd2f370d7c8d10a021927599 - with: - ioServerUrl: ${{secrets.IO_SERVER_URL}} - ioServerToken: ${{secrets.IO_SERVER_TOKEN}} - workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} - additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} - --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} - --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} - stage: "WORKFLOW" - - - name: Upload SARIF file - if: ${{steps.prescription.outputs.sastScan == 'true' }} - uses: github/codeql-action/upload-sarif@v2 - with: - # Path to SARIF file relative to the root of the repository - sarif_file: workflowengine-results.sarif.json +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. 
+ +name: Synopsys Intelligent Security Scan + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '33 10 * * 4' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Synopsys Intelligent Security Scan + id: prescription + uses: synopsys-sig/intelligent-security-scan@33c8084571f0ad75fd2f370d7c8d10a021927599 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + stage: "IO" + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work also make sure that POLARIS_ACCESS_TOKEN + # is defined in settings + - name: Static Analysis with Polaris + if: ${{steps.prescription.outputs.sastScan == 'true' }} + run: | + export POLARIS_SERVER_URL=${{ secrets.POLARIS_SERVER_URL}} + export POLARIS_ACCESS_TOKEN=${{ secrets.POLARIS_ACCESS_TOKEN}} + wget -q ${{ secrets.POLARIS_SERVER_URL}}/api/tools/polaris_cli-linux64.zip + unzip -j polaris_cli-linux64.zip -d /tmp + /tmp/polaris analyze -w + + # Please note that the ID in previous step was set to prescription + # in order for this logic to work + - name: Software Composition Analysis with Black Duck + if: ${{steps.prescription.outputs.scaScan == 'true' }} + uses: blackducksoftware/github-action@c106efe02c9ec3ba54a319d9da2c5b105a9af4fc + with: + args: '--blackduck.url="${{ secrets.BLACKDUCK_URL}}" --blackduck.api.token="${{ secrets.BLACKDUCK_TOKEN}}" --detect.tools="SIGNATURE_SCAN,DETECTOR"' + + - name: Synopsys Intelligent Security Scan + if: ${{ steps.prescription.outputs.sastScan == 'true' || 
steps.prescription.outputs.scaScan == 'true' }} + uses: synopsys-sig/intelligent-security-scan@33c8084571f0ad75fd2f370d7c8d10a021927599 + with: + ioServerUrl: ${{secrets.IO_SERVER_URL}} + ioServerToken: ${{secrets.IO_SERVER_TOKEN}} + workflowServerUrl: ${{secrets.WORKFLOW_SERVER_URL}} + additionalWorkflowArgs: --IS_SAST_ENABLED=${{steps.prescription.outputs.sastScan}} --IS_SCA_ENABLED=${{steps.prescription.outputs.scaScan}} + --polaris.project.name={{PROJECT_NAME}} --polaris.url=${{secrets.POLARIS_SERVER_URL}} --polaris.token=${{secrets.POLARIS_ACCESS_TOKEN}} + --blackduck.project.name={{PROJECT_NAME}}:{{PROJECT_VERSION}} --blackduck.url=${{secrets.BLACKDUCK_URL}} --blackduck.api.token=${{secrets.BLACKDUCK_TOKEN}} + stage: "WORKFLOW" + + - name: Upload SARIF file + if: ${{steps.prescription.outputs.sastScan == 'true' }} + uses: github/codeql-action/upload-sarif@v2 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: workflowengine-results.sarif.json
diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml
index 7790ad0..9324c2b 100644
--- a/.github/workflows/sysdig-scan.yml
+++ b/.github/workflows/sysdig-scan.yml
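Review bot: The "Static Analysis with Polaris" step expands `${{ secrets.POLARIS_SERVER_URL }}` and `${{ secrets.POLARIS_ACCESS_TOKEN }}` directly into the `run:` script, so the secret values are substituted into the shell text before it executes; a value containing quotes or shell metacharacters changes the script, and the token is embedded in the script body rather than read from the environment. The `wget ... polaris_cli-linux64.zip` archive is then unzipped and executed with no integrity check, so the step trusts whatever the URL returns. Pass both secrets through `env:` and reference them as shell variables, and verify the archive's digest before `unzip`, as below. The `{{PROJECT_NAME}}` / `{{PROJECT_VERSION}}` placeholders in `additionalWorkflowArgs` of the WORKFLOW-stage step are also unfilled, so that stage runs with literal placeholder project names.
```yaml
      - name: Static Analysis with Polaris
        if: ${{steps.prescription.outputs.sastScan == 'true' }}
        env:
          POLARIS_SERVER_URL: ${{ secrets.POLARIS_SERVER_URL }}
          POLARIS_ACCESS_TOKEN: ${{ secrets.POLARIS_ACCESS_TOKEN }}
        run: |
          wget -q "${POLARIS_SERVER_URL}/api/tools/polaris_cli-linux64.zip"
          # <EXPECTED_SHA256> is a placeholder for the digest published for this CLI build
          echo "<EXPECTED_SHA256>  polaris_cli-linux64.zip" | sha256sum -c -
          unzip -j polaris_cli-linux64.zip -d /tmp
          /tmp/polaris analyze -w
      # … unchanged: Black Duck step, WORKFLOW-stage Synopsys step and SARIF upload …
```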
@@ -1,61 +1,61 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -name: Sysdig - Build, scan, push and upload sarif report - -on: - push: - branches: [ master ] - pull_request: - branches: [ master ] - schedule: - - cron: '18 0 * * 4' - -permissions: - contents: read - -jobs: - - build: - - permissions: - checks: write # for sysdiglabs/scan-action to publish the checks - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v3 - - - name: Build the Docker image - # Tag image to be built - # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below - run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest - - - name: Sysdig Secure Inline Scan - id: scan - uses: sysdiglabs/scan-action@84e4cc594b1ac7eed0f42ddc0609fec175200868 - with: - # Tag of the image to analyse. - # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above - image-tag: ${{ github.repository }}:latest - # API token for Sysdig Scanning auth - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}} - # Sysdig secure endpoint. 
Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ - # US-East https://secure.sysdig.com - # US-West https://us2.app.sysdig.com - # EU https://eu1.app.sysdig.com - sysdig-secure-url: https://us2.app.sysdig.com - dockerfile-path: ./Dockerfile - input-type: docker-daemon - ignore-failed-scan: true - # Sysdig inline scanner requires privileged rights - run-as-user: root - - - uses: github/codeql-action/upload-sarif@v2 - #Upload SARIF file - if: always() - with: - sarif_file: ${{ steps.scan.outputs.sarifReport }} +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Sysdig - Build, scan, push and upload sarif report + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '18 0 * * 4' + +permissions: + contents: read + +jobs: + + build: + + permissions: + checks: write # for sysdiglabs/scan-action to publish the checks + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Build the Docker image + # Tag image to be built + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below + run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest + + - name: Sysdig Secure Inline Scan + id: scan + uses: sysdiglabs/scan-action@84e4cc594b1ac7eed0f42ddc0609fec175200868 + with: + # Tag of the image to analyse. + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above + image-tag: ${{ github.repository }}:latest + # API token for Sysdig Scanning auth + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}} + # Sysdig secure endpoint. 
Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ + # US-East https://secure.sysdig.com + # US-West https://us2.app.sysdig.com + # EU https://eu1.app.sysdig.com + sysdig-secure-url: https://us2.app.sysdig.com + dockerfile-path: ./Dockerfile + input-type: docker-daemon + ignore-failed-scan: true + # Sysdig inline scanner requires privileged rights + run-as-user: root + + - uses: github/codeql-action/upload-sarif@v2 + #Upload SARIF file + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarifReport }}
diff --git a/.github/workflows/tencent.yml b/.github/workflows/tencent.yml
index 727d77d..478ece7 100644
--- a/.github/workflows/tencent.yml
+++ b/.github/workflows/tencent.yml
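Review bot: `ignore-failed-scan: true` together with `if: always()` on the SARIF upload makes this scan purely advisory — a policy failure never fails the `build` job — and nothing in the hunk documents that this is intentional. Add a comment stating the intent next to the option, e.g. `# advisory only: findings go to Code Scanning, policy failures do not block the build`, or set `ignore-failed-scan: false` once the baseline has been triaged. The image is built and scanned as `${{ github.repository }}:latest`, a mutable tag; tagging with `${{ github.sha }}` keeps the scanned artifact identifiable in the SARIF results. The workflow `name:` advertises a push, but no step pushes the image, so the name overstates what the job does.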
@@ -1,80 +1,80 @@ -# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE) when there is a push to the master branch. -# -# To configure this workflow: -# -# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster, -# including deployment.yml, kustomization.yml, service.yml, etc. -# -# 2. Set up secrets in your workspace: -# - TENCENT_CLOUD_SECRET_ID with Tencent Cloud secret id -# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key -# - TENCENT_CLOUD_ACCOUNT_ID with Tencent Cloud account id -# - TKE_REGISTRY_PASSWORD with TKE registry password -# -# 3. Change the values for the TKE_IMAGE_URL, TKE_REGION, TKE_CLUSTER_ID and DEPLOYMENT_NAME environment variables (below). - -name: Tencent Kubernetes Engine - -on: - push: - branches: - - master - -# Environment variables available to all jobs and steps in this workflow -env: - TKE_IMAGE_URL: ccr.ccs.tencentyun.com/demo/mywebapp - TKE_REGION: ap-guangzhou - TKE_CLUSTER_ID: cls-mywebapp - DEPLOYMENT_NAME: tke-test - -permissions: - contents: read - -jobs: - setup-build-publish-deploy: - name: Setup, Build, Publish, and Deploy - runs-on: ubuntu-latest - environment: production - steps: - - - name: Checkout - uses: actions/checkout@v3 - - # Build - - name: Build Docker image - run: | - docker build -t ${TKE_IMAGE_URL}:${GITHUB_SHA} . 
- - - name: Login TKE Registry - run: | - docker login -u ${{ secrets.TENCENT_CLOUD_ACCOUNT_ID }} -p '${{ secrets.TKE_REGISTRY_PASSWORD }}' ${TKE_IMAGE_URL} - - # Push the Docker image to TKE Registry - - name: Publish - run: | - docker push ${TKE_IMAGE_URL}:${GITHUB_SHA} - - - name: Set up Kustomize - run: | - curl -o kustomize --location https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 - chmod u+x ./kustomize - - - name: Set up ~/.kube/config for connecting TKE cluster - uses: TencentCloud/tke-cluster-credential-action@v1 - with: - secret_id: ${{ secrets.TENCENT_CLOUD_SECRET_ID }} - secret_key: ${{ secrets.TENCENT_CLOUD_SECRET_KEY }} - tke_region: ${{ env.TKE_REGION }} - cluster_id: ${{ env.TKE_CLUSTER_ID }} - - - name: Switch to TKE context - run: | - kubectl config use-context ${TKE_CLUSTER_ID}-context-default - - # Deploy the Docker image to the TKE cluster - - name: Deploy - run: | - ./kustomize edit set image ${TKE_IMAGE_URL}:${GITHUB_SHA} - ./kustomize build . | kubectl apply -f - - kubectl rollout status deployment/${DEPLOYMENT_NAME} - kubectl get services -o wide +# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE) when there is a push to the master branch. +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster, +# including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: +# - TENCENT_CLOUD_SECRET_ID with Tencent Cloud secret id +# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key +# - TENCENT_CLOUD_ACCOUNT_ID with Tencent Cloud account id +# - TKE_REGISTRY_PASSWORD with TKE registry password +# +# 3. Change the values for the TKE_IMAGE_URL, TKE_REGION, TKE_CLUSTER_ID and DEPLOYMENT_NAME environment variables (below). 
+ +name: Tencent Kubernetes Engine + +on: + push: + branches: + - master + +# Environment variables available to all jobs and steps in this workflow +env: + TKE_IMAGE_URL: ccr.ccs.tencentyun.com/demo/mywebapp + TKE_REGION: ap-guangzhou + TKE_CLUSTER_ID: cls-mywebapp + DEPLOYMENT_NAME: tke-test + +permissions: + contents: read + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + steps: + + - name: Checkout + uses: actions/checkout@v3 + + # Build + - name: Build Docker image + run: | + docker build -t ${TKE_IMAGE_URL}:${GITHUB_SHA} . + + - name: Login TKE Registry + run: | + docker login -u ${{ secrets.TENCENT_CLOUD_ACCOUNT_ID }} -p '${{ secrets.TKE_REGISTRY_PASSWORD }}' ${TKE_IMAGE_URL} + + # Push the Docker image to TKE Registry + - name: Publish + run: | + docker push ${TKE_IMAGE_URL}:${GITHUB_SHA} + + - name: Set up Kustomize + run: | + curl -o kustomize --location https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + - name: Set up ~/.kube/config for connecting TKE cluster + uses: TencentCloud/tke-cluster-credential-action@v1 + with: + secret_id: ${{ secrets.TENCENT_CLOUD_SECRET_ID }} + secret_key: ${{ secrets.TENCENT_CLOUD_SECRET_KEY }} + tke_region: ${{ env.TKE_REGION }} + cluster_id: ${{ env.TKE_CLUSTER_ID }} + + - name: Switch to TKE context + run: | + kubectl config use-context ${TKE_CLUSTER_ID}-context-default + + # Deploy the Docker image to the TKE cluster + - name: Deploy + run: | + ./kustomize edit set image ${TKE_IMAGE_URL}:${GITHUB_SHA} + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/${DEPLOYMENT_NAME} + kubectl get services -o wide
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 767c495..72c787e 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
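Review bot: The "Login TKE Registry" step passes the registry password as `-p '${{ secrets.TKE_REGISTRY_PASSWORD }}'`, which expands the secret into the shell command line where it is visible to process listings and shell tracing, and the single-quoting breaks if the value itself contains a quote. Feed it through `env:` and `--password-stdin` instead, as below. The Kustomize binary is fetched with `curl` from a release URL and made executable with no checksum or signature check, so a tampered download would run with the cluster credentials obtained two steps later; verify its digest before `chmod`. `TKE_IMAGE_URL: ccr.ccs.tencentyun.com/demo/mywebapp`, `cls-mywebapp` and `tke-test` are still the template placeholders that the header's step 3 says to replace, so the deploy job cannot target a real cluster as committed.
```yaml
      - name: Login TKE Registry
        env:
          TKE_REGISTRY_PASSWORD: ${{ secrets.TKE_REGISTRY_PASSWORD }}
          TENCENT_CLOUD_ACCOUNT_ID: ${{ secrets.TENCENT_CLOUD_ACCOUNT_ID }}
        run: |
          echo "${TKE_REGISTRY_PASSWORD}" | docker login -u "${TENCENT_CLOUD_ACCOUNT_ID}" --password-stdin "${TKE_IMAGE_URL}"
      # … unchanged: Publish step …
      - name: Set up Kustomize
        run: |
          curl -o kustomize --location https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
          # <EXPECTED_SHA256> is a placeholder for the digest published with the v3.1.0 release
          echo "<EXPECTED_SHA256>  kustomize" | sha256sum -c -
          chmod u+x ./kustomize
      # … unchanged: kube config, context switch and Deploy steps …
```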
@@ -1,94 +1,94 @@
-# This workflow installs the latest version of Terraform CLI and configures the Terraform CLI configuration file
-# with an API token for Terraform Cloud (app.terraform.io). On pull request events, this workflow will run
-# `terraform init`, `terraform fmt`, and `terraform plan` (speculative plan via Terraform Cloud). On push events
-# to the master branch, `terraform apply` will be executed.
-#
-# Documentation for `hashicorp/setup-terraform` is located here: https://github.com/hashicorp/setup-terraform
-#
-# To use this workflow, you will need to complete the following setup steps.
-#
-# 1. Create a `main.tf` file in the root of this repository with the `remote` backend and one or more resources defined.
-# Example `main.tf`:
-# # The configuration for the `remote` backend.
-# terraform {
-# backend "remote" {
-# # The name of your Terraform Cloud organization.
-# organization = "example-organization"
-#
-# # The name of the Terraform Cloud workspace to store Terraform state files in.
-# workspaces {
-# name = "example-workspace"
-# }
-# }
-# }
-#
-# # An example resource that does nothing.
-# resource "null_resource" "example" {
-# triggers = {
-# value = "A example resource that does nothing!"
-# }
-# }
-#
-#
-# 2. Generate a Terraform Cloud user API token and store it as a GitHub secret (e.g. TF_API_TOKEN) on this repository.
-# Documentation:
-# - https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html
-# - https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets
-#
-# 3. Reference the GitHub secret in step using the `hashicorp/setup-terraform` GitHub Action.
-# Example:
-# - name: Setup Terraform
-# uses: hashicorp/setup-terraform@v1
-# with:
-# cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
-
-name: 'Terraform'
-
-on:
- push:
- branches:
- - master
- pull_request:
-
-permissions:
- contents: read
-
-jobs:
- terraform:
- name: 'Terraform'
- runs-on: ubuntu-latest
- environment: production
-
- # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
- defaults:
- run:
- shell: bash
-
- steps:
- # Checkout the repository to the GitHub Actions runner
- - name: Checkout
- uses: actions/checkout@v3
-
- # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v2
- with:
- cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
-
- # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
- - name: Terraform Init
- run: terraform init
-
- # Checks that all Terraform configuration files adhere to a canonical format
- - name: Terraform Format
- run: terraform fmt -check
-
- # Generates an execution plan for Terraform
- - name: Terraform Plan
- run: terraform plan -input=false
-
- # On push to master, build or change infrastructure according to Terraform configuration files
- # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud".
See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
- - name: Terraform Apply
- if: github.ref == 'refs/heads/master' && github.event_name == 'push'
- run: terraform apply -auto-approve -input=false
+# This workflow installs the latest version of Terraform CLI and configures the Terraform CLI configuration file
+# with an API token for Terraform Cloud (app.terraform.io). On pull request events, this workflow will run
+# `terraform init`, `terraform fmt`, and `terraform plan` (speculative plan via Terraform Cloud). On push events
+# to the master branch, `terraform apply` will be executed.
+#
+# Documentation for `hashicorp/setup-terraform` is located here: https://github.com/hashicorp/setup-terraform
+#
+# To use this workflow, you will need to complete the following setup steps.
+#
+# 1. Create a `main.tf` file in the root of this repository with the `remote` backend and one or more resources defined.
+# Example `main.tf`:
+# # The configuration for the `remote` backend.
+# terraform {
+# backend "remote" {
+# # The name of your Terraform Cloud organization.
+# organization = "example-organization"
+#
+# # The name of the Terraform Cloud workspace to store Terraform state files in.
+# workspaces {
+# name = "example-workspace"
+# }
+# }
+# }
+#
+# # An example resource that does nothing.
+# resource "null_resource" "example" {
+# triggers = {
+# value = "A example resource that does nothing!"
+# }
+# }
+#
+#
+# 2. Generate a Terraform Cloud user API token and store it as a GitHub secret (e.g. TF_API_TOKEN) on this repository.
+# Documentation:
+# - https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html
+# - https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets
+#
+# 3. Reference the GitHub secret in step using the `hashicorp/setup-terraform` GitHub Action.
+# Example:
+# - name: Setup Terraform
+# uses: hashicorp/setup-terraform@v1
+# with:
+# cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+
+name: 'Terraform'
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ terraform:
+ name: 'Terraform'
+ runs-on: ubuntu-latest
+ environment: production
+
+ # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
+ defaults:
+ run:
+ shell: bash
+
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v2
+ with:
+ cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+
+ # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+ - name: Terraform Init
+ run: terraform init
+
+ # Checks that all Terraform configuration files adhere to a canonical format
+ - name: Terraform Format
+ run: terraform fmt -check
+
+ # Generates an execution plan for Terraform
+ - name: Terraform Plan
+ run: terraform plan -input=false
+
+ # On push to master, build or change infrastructure according to Terraform configuration files
+ # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
+ - name: Terraform Apply
+ if: github.ref == 'refs/heads/master' && github.event_name == 'push'
+ run: terraform apply -auto-approve -input=false
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
index 538d852..bcc6373 100644
--- a/.github/workflows/tfsec.yml
+++ b/.github/workflows/tfsec.yml
@@ -1,38 +1,38 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-name: tfsec
-
-on:
- push:
- branches: [ master ]
- pull_request:
- branches: [ master ]
- schedule:
- - cron: '39 23 * * 0'
-
-jobs:
- tfsec:
- name: Run tfsec sarif report
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
-
- steps:
- - name: Clone repo
- uses: actions/checkout@v3
-
- - name: Run tfsec
- uses: tfsec/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608
- with:
- sarif_file: tfsec.sarif
-
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
- with:
- # Path to SARIF file relative to the root of the repository
- sarif_file: tfsec.sarif
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: tfsec
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+ schedule:
+ - cron: '39 23 * * 0'
+
+jobs:
+ tfsec:
+ name: Run tfsec sarif report
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Clone repo
+ uses: actions/checkout@v3
+
+ - name: Run tfsec
+ uses: tfsec/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608
+ with:
+ sarif_file: tfsec.sarif
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: tfsec.sarif
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 6546367..35aaeb4 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,47 +1,47 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-name: build
-
-on:
- push:
- branches: [ master ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ master ]
- schedule:
- - cron: '25 11 * * 4'
-
-permissions:
- contents: read
-
-jobs:
- build:
- permissions:
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- name: Build
- runs-on: "ubuntu-18.04"
- steps:
- - name: Checkout code
- uses: actions/checkout@v3
-
- - name: Build an image from Dockerfile
- run: |
- docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
-
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
- with:
- image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
- format: 'template'
- template: '@/contrib/sarif.tpl'
- output: 'trivy-results.sarif'
- severity: 'CRITICAL,HIGH'
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: 'trivy-results.sarif'
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: build
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ master ]
+ schedule:
+ - cron: '25 11 * * 4'
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ name: Build
+ runs-on: "ubuntu-18.04"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Build an image from Dockerfile
+ run: |
+ docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
+ with:
+ image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/veracode.yml b/.github/workflows/veracode.yml
index f1a81fc..7c71b4d 100644
--- a/.github/workflows/veracode.yml
+++ b/.github/workflows/veracode.yml
@@ -1,58 +1,58 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert
-
-name: Veracode Static Analysis Pipeline Scan
-
-on:
- push:
- branches: [ master ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ master ]
- schedule:
- - cron: '18 13 * * 1'
-
-# A workflow run is made up of one or more jobs that can run sequentially or in parallel
-permissions:
- contents: read
-
-jobs:
- # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
- build-and-pipeline-scan:
- # The type of runner that the job will run on
- permissions:
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- runs-on: ubuntu-latest
- steps:
-
- # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis.
Replace this section with your applications build steps
- - uses: actions/checkout@v3
- with:
- repository: ''
-
- - run: zip -r veracode-scan-target.zip ./
-
- # download the Veracode Static Analysis Pipeline scan jar
- - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- - run: unzip -o pipeline-scan-LATEST.zip
-
- - uses: actions/setup-java@v3
- with:
- java-version: 8
- distribution: 'temurin'
- - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
- continue-on-error: true
- - name: Convert pipeline scan output to SARIF format
- id: convert
- uses: veracode/veracode-pipeline-scan-results-to-sarif@99c541b171135ee0e29d3e5b938f74d88b0c5787
- with:
- pipeline-results-json: results.json
- - uses: github/codeql-action/upload-sarif@v2
- with:
- # Path to SARIF file relative to the root of the repository
- sarif_file: veracode-results.sarif
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert
+
+name: Veracode Static Analysis Pipeline Scan
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ master ]
+ schedule:
+ - cron: '18 13 * * 1'
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+permissions:
+ contents: read
+
+jobs:
+ # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
+ build-and-pipeline-scan:
+ # The type of runner that the job will run on
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ steps:
+
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis.
Replace this section with your applications build steps
+ - uses: actions/checkout@v3
+ with:
+ repository: ''
+
+ - run: zip -r veracode-scan-target.zip ./
+
+ # download the Veracode Static Analysis Pipeline scan jar
+ - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
+ - run: unzip -o pipeline-scan-LATEST.zip
+
+ - uses: actions/setup-java@v3
+ with:
+ java-version: 8
+ distribution: 'temurin'
+ - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
+ continue-on-error: true
+ - name: Convert pipeline scan output to SARIF format
+ id: convert
+ uses: veracode/veracode-pipeline-scan-results-to-sarif@99c541b171135ee0e29d3e5b938f74d88b0c5787
+ with:
+ pipeline-results-json: results.json
+ - uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: veracode-results.sarif
diff --git a/.github/workflows/webpack.yml b/.github/workflows/webpack.yml
index 20802eb..9385d55 100644
--- a/.github/workflows/webpack.yml
+++ b/.github/workflows/webpack.yml
@@ -1,28 +1,28 @@
-name: NodeJS with Webpack
-
-on:
- push:
- branches: [ master ]
- pull_request:
- branches: [ master ]
-
-jobs:
- build:
- runs-on: ubuntu-latest
-
- strategy:
- matrix:
- node-version: [12.x, 14.x, 16.x]
-
- steps:
- - uses: actions/checkout@v3
-
- - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v3
- with:
- node-version: ${{ matrix.node-version }}
-
- - name: Build
- run: |
- npm install
- npx webpack
+name: NodeJS with Webpack
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ branches: [ master ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ node-version: [12.x, 14.x, 16.x]
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Use Node.js ${{ matrix.node-version }}
+ uses: actions/setup-node@v3
+ with:
+ node-version: ${{ matrix.node-version }}
+
+ - name: Build
+ run: |
+ npm install
+ npx webpack
diff --git a/.github/workflows/xanitizer.yml b/.github/workflows/xanitizer.yml
index ea58bfd..eb08a9e 100644
--- a/.github/workflows/xanitizer.yml
+++ b/.github/workflows/xanitizer.yml
@@ -1,99 +1,99 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it,
-# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository.
-#
-# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action
-#
-# To use this basic workflow, you will need to complete the following setup steps:
-#
-# 1. The underlying Xanitizer, used in this workflow, needs a separate license file.
-# Licenses are free of charge for open source projects and for educational usage.
-# To get more information about the Xanitizer licenses and how to obtain a license file,
-# please consult https://www.xanitizer.com/xanitizer-pricing/.
-#
-# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository.
-# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details.
-#
-# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action.
-# Example:
-# - name: Xanitizer Security Analysis
-# uses: RIGS-IT/xanitizer-action@v1
-# with:
-# license: ${{ secrets.XANITIZER_LICENSE }}
-#
-# 4. As a static application security testing (SAST) tool,
-# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully.
-# So you have to install all used libraries and build your project before running the security analysis,
-# e.g.
via `mvn compile` for Java or `npm install` for JavaScript
-
-name: "Xanitizer Security Analysis"
-
-on:
- push:
- branches: [ master ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ master ]
- schedule:
- - cron: '35 6 * * 5'
- workflow_dispatch:
-
-permissions:
- contents: read
-
-jobs:
- xanitizer-security-analysis:
- # Xanitizer runs on ubuntu-latest and windows-latest.
- permissions:
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- runs-on: ubuntu-latest
-
- steps:
- # Check out the repository
- - name: Checkout
- uses: actions/checkout@v3
-
- # Set up the correct Java version for your project
- # Please comment out, if your project does not contain Java source code.
- - name: Set up JDK 11
- uses: actions/setup-java@v3
- with:
- java-version: 11
- distribution: 'temurin'
-
- # Compile the code for Java projects and get all libraries, e.g. via Maven
- # Please adapt, if your project uses another build system to compile Java source code.
- # Please comment out, if your project does not contain Java source code.
- - name: Compile Java code
- run: mvn -B compile
-
- # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm
- # Please adapt to run `npm install` in the correct directories.
- # Please adapt, if your project uses another package manager for getting JavaScript libraries.
- # Please comment out, if your project does not use a package manager for getting JavaScript libraries.
- - name: Install JavaScript libraries
- run: npm install
-
- # Run the security analysis with default settings
- - name: Xanitizer Security Analysis
- uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316
- with:
- license: ${{ secrets.XANITIZER_LICENSE }}
-
- # Archiving the findings list reports
- - uses: actions/upload-artifact@v3
- with:
- name: Xanitizer-Reports
- path: |
- *-Findings-List.pdf
- *-Findings-List.sarif
-
- # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
- - uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: Xanitizer-Findings-List.sarif
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it,
+# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository.
+#
+# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action
+#
+# To use this basic workflow, you will need to complete the following setup steps:
+#
+# 1. The underlying Xanitizer, used in this workflow, needs a separate license file.
+# Licenses are free of charge for open source projects and for educational usage.
+# To get more information about the Xanitizer licenses and how to obtain a license file,
+# please consult https://www.xanitizer.com/xanitizer-pricing/.
+#
+# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository.
+# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details.
+#
+# 3.
Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action.
+# Example:
+# - name: Xanitizer Security Analysis
+# uses: RIGS-IT/xanitizer-action@v1
+# with:
+# license: ${{ secrets.XANITIZER_LICENSE }}
+#
+# 4. As a static application security testing (SAST) tool,
+# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully.
+# So you have to install all used libraries and build your project before running the security analysis,
+# e.g. via `mvn compile` for Java or `npm install` for JavaScript
+
+name: "Xanitizer Security Analysis"
+
+on:
+ push:
+ branches: [ master ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ master ]
+ schedule:
+ - cron: '35 6 * * 5'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ xanitizer-security-analysis:
+ # Xanitizer runs on ubuntu-latest and windows-latest.
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+
+ steps:
+ # Check out the repository
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ # Set up the correct Java version for your project
+ # Please comment out, if your project does not contain Java source code.
+ - name: Set up JDK 11
+ uses: actions/setup-java@v3
+ with:
+ java-version: 11
+ distribution: 'temurin'
+
+ # Compile the code for Java projects and get all libraries, e.g. via Maven
+ # Please adapt, if your project uses another build system to compile Java source code.
+ # Please comment out, if your project does not contain Java source code.
+ - name: Compile Java code
+ run: mvn -B compile
+
+ # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm
+ # Please adapt to run `npm install` in the correct directories.
+ # Please adapt, if your project uses another package manager for getting JavaScript libraries.
+ # Please comment out, if your project does not use a package manager for getting JavaScript libraries.
+ - name: Install JavaScript libraries
+ run: npm install
+
+ # Run the security analysis with default settings
+ - name: Xanitizer Security Analysis
+ uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316
+ with:
+ license: ${{ secrets.XANITIZER_LICENSE }}
+
+ # Archiving the findings list reports
+ - uses: actions/upload-artifact@v3
+ with:
+ name: Xanitizer-Reports
+ path: |
+ *-Findings-List.pdf
+ *-Findings-List.sarif
+
+ # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
+ - uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: Xanitizer-Findings-List.sarif
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index b6e4761..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,129 +0,0 @@
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.py[cod]
-*$py.class
-
-# C extensions
-*.so
-
-# Distribution / packaging
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-pip-wheel-metadata/
-share/python-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
-
-# PyInstaller
-# Usually these files are written by a python script from a template
-# before PyInstaller builds the exe, so as to inject date/other infos into it.
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.tx
-
-# Unit test / coverage reports
-htmlcov/
-.tox/
-.nox/
-.coverage
-.coverage.*
-.cache
-nosetests.xml
-coverage.xml
-*.cover
-*.py,cover
-.hypothesis/
-.pytest_cache/
-
-# Translations
-*.mo
-*.pot
-
-# Django stuff:
-*.log
-local_settings.py
-db.sqlite3
-db.sqlite3-journal
-
-# Flask stuff:
-instance/
-.webassets-cache
-
-# Scrapy stuff:
-.scrapy
-
-# Sphinx documentation
-docs/_build/
-
-# PyBuilder
-target/
-
-# Jupyter Notebook
-.ipynb_checkpoints
-
-# IPython
-profile_default/
-ipython_config.py
-
-# pyenv
-.python-version
-
-# pipenv
-# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
-# However, in case of collaboration, if having platform-specific dependencies or dependencies
-# having no cross-platform support, pipenv may install dependencies that don't work, or not
-# install all needed dependencies.
-#Pipfile.lock
-
-# PEP 582; used by e.g. github.com/David-OConnor/pyflow
-__pypackages__/
-
-# Celery stuff
-celerybeat-schedule
-celerybeat.pid
-
-# SageMath parsed files
-*.sage.py
-
-# Environments
-.env
-.venv
-env/
-venv/
-ENV/
-env.bak/
-venv.bak/
-
-# Spyder project settings
-.spyderproject
-.spyproject
-
-# Rope project settings
-.ropeproject
-
-# mkdocs documentation
-/site
-
-# mypy
-.mypy_cache/
-.dmypy.json
-dmypy.json
-
-# Pyre type checker
-.pyre/
diff --git a/.vs/ProjectSettings.json b/.vs/ProjectSettings.json
index f8b4888..866f1e1 100644
--- a/.vs/ProjectSettings.json
+++ b/.vs/ProjectSettings.json
@@ -1,3 +1,3 @@
-{
- "CurrentProjectSetting": null
+{
+ "CurrentProjectSetting": null
 }
\ No newline at end of file
diff --git a/.whitesource b/.whitesource
deleted file mode 100644
index 55b922e..0000000
--- a/.whitesource
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "scanSettings": {
- "baseBranches": []
- },
- "checkRunSettings": {
- "vulnerableCheckRunConclusionLevel": "failure",
- "displayMode": "diff"
- },
- "issueSettings": {
- "minSeverityLevel": "LOW"
- }
-}
\ No newline at end of file
diff --git a/Application/.editorconfig b/Application/.editorconfig
deleted file mode 100644
index 0f09989..0000000
--- a/Application/.editorconfig
+++ /dev/null
@@ -1,10 +0,0 @@
-# editorconfig.org
-root = true
-
-[*]
-indent_style = space
-indent_size = 2
-end_of_line = lf
-charset = utf-8
-trim_trailing_whitespace = true
-insert_final_newline = true
diff --git a/Application/.gitignore b/Application/.gitignore
deleted file mode 100644
index a52eaec..0000000
--- a/Application/.gitignore
+++ /dev/null
@@ -1,118 +0,0 @@
-################################################
-############### .gitignore ##################
-################################################
-#
-# This file is only relevant if you are using git.
-#
-# Files which match the splat patterns below will
-# be ignored by git. This keeps random crap and
-# sensitive credentials from being uploaded to
-# your repository. It allows you to configure your
-# app for your machine without accidentally
-# committing settings which will smash the local
-# settings of other developers on your team.
-#
-# Some reasonable defaults are included below,
-# but, of course, you should modify/extend/prune
-# to fit your needs!
-################################################
-
-
-
-
-################################################
-# Local Configuration
-#
-# Explicitly ignore files which contain:
-#
-# 1. Sensitive information you'd rather not push to
-# your git repository.
-# e.g., your personal API keys or passwords.
-#
-# 2. Environment-specific configuration
-# Basically, anything that would be annoying
-# to have to change every time you do a
-# `git pull`
-# e.g., your local development database, or
-# the S3 bucket you're using for file uploads
-# development.
-#
-################################################
-
-config/local.js
-
-
-
-
-
-################################################
-# Dependencies
-#
-# When releasing a production app, you may
-# consider including your node_modules and
-# bower_components directory in your git repo,
-# but during development, its best to exclude it,
-# since different developers may be working on
-# different kernels, where dependencies would
-# need to be recompiled anyway.
-#
-# More on that here about node_modules dir:
-# http://www.futurealoof.com/posts/nodemodules-in-git.html
-# (credit Mikeal Rogers, @mikeal)
-#
-# About bower_components dir, you can see this:
-# http://addyosmani.com/blog/checking-in-front-end-dependencies/
-# (credit Addy Osmani, @addyosmani)
-#
-################################################
-
-node_modules
-bower_components
-
-
-
-
-################################################
-# Sails.js / Waterline / Grunt
-#
-# Files generated by Sails and Grunt, or related
-# tasks and adapters.
-################################################
-.tmp
-dump.rdb
-
-
-
-
-
-################################################
-# Node.js / NPM
-#
-# Common files generated by Node, NPM, and the
-# related ecosystem.
-################################################
-lib-cov
-*.seed
-*.log
-*.out
-*.pid
-npm-debug.log
-
-
-
-
-
-################################################
-# Miscellaneous
-#
-# Common files generated by text editors,
-# operating systems, file systems, etc.
-################################################
-
-*~
-*#
-.DS_STORE
-.netbeans
-nbproject
-.idea
-.node_history
diff --git a/Application/.sailsrc b/Application/.sailsrc
deleted file mode 100644
index fa89f5e..0000000
--- a/Application/.sailsrc
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "generators": {
- "modules": {}
- }
-}
\ No newline at end of file
diff --git a/Application/Dockerfile b/Application/Dockerfile
deleted file mode 100644
index 9407f6d..0000000
--- a/Application/Dockerfile
+++ /dev/null
@@ -1,12 +0,0 @@
-FROM node:20.8.1
-LABEL maintainer="Azure App Service Container Images "
-
-# Create app directory
-WORKDIR /app
-
-# Bundle app source
-COPY . .
-RUN npm install
-
-EXPOSE 3000 80
-CMD [ "npm", "start" ]
diff --git a/Application/Gruntfile.js b/Application/Gruntfile.js
deleted file mode 100644
index 212c569..0000000
--- a/Application/Gruntfile.js
+++ /dev/null
@@ -1,82 +0,0 @@ -/** - * Gruntfile - * - * This Node script is executed when you run `grunt` or `sails lift`. - * It's purpose is to load the Grunt tasks in your project's `tasks` - * folder, and allow you to add and remove tasks as you see fit. - * For more information on how this works, check out the `README.md` - * file that was generated in your `tasks` folder. - * - * WARNING: - * Unless you know what you're doing, you shouldn't change this file. - * Check out the `tasks` directory instead. - */ - -module.exports = function(grunt) { - - - // Load the include-all library in order to require all of our grunt - // configurations and task registrations dynamically. - var includeAll; - try { - includeAll = require('include-all'); - } catch (e0) { - try { - includeAll = require('sails/node_modules/include-all'); - } catch (e1) { - console.error('Could not find `include-all` module.'); - console.error('Skipping grunt tasks...'); - console.error('To fix this, please run:'); - console.error('npm install include-all --save`'); - console.error(); - - grunt.registerTask('default', []); - return; - } - } - - - /** - * Loads Grunt configuration modules from the specified - * relative path. These modules should export a function - * that, when run, should either load/configure or register - * a Grunt task. - */ - function loadTasks(relPath) { - return includeAll({ - dirname: require('path').resolve(__dirname, relPath), - filter: /(.+)\.js$/, - excludeDirs: /^\.(git|svn)$/ - }) || {}; - } - - /** - * Invokes the function from a Grunt configuration module with - * a single argument - the `grunt` object. 
- */
- function invokeConfigFn(tasks) {
- for (var taskName in tasks) {
- if (tasks.hasOwnProperty(taskName)) {
- tasks[taskName](grunt);
- }
- }
- }
-
-
-
- // Load task functions
- var taskConfigurations = loadTasks('./tasks/config'),
- registerDefinitions = loadTasks('./tasks/register');
-
- // (ensure that a default task exists)
- if (!registerDefinitions.default) {
- registerDefinitions.default = function(grunt) {
- grunt.registerTask('default', []);
- };
- }
-
- // Run task functions to configure Grunt.
- invokeConfigFn(taskConfigurations);
- invokeConfigFn(registerDefinitions);
-
-};
diff --git a/Application/api/policies/sessionAuth.js b/Application/api/policies/sessionAuth.js
deleted file mode 100644
index 8f9a264..0000000
--- a/Application/api/policies/sessionAuth.js
+++ /dev/null
@@ -1,21 +0,0 @@
-/**
- * sessionAuth
- *
- * @module :: Policy
- * @description :: Simple policy to allow any authenticated user
- * Assumes that your login action in one of your controllers sets `req.session.authenticated = true;`
- * @docs :: http://sailsjs.org/#!/documentation/concepts/Policies
- *
- */
-module.exports = function(req, res, next) {
-
- // User is allowed, proceed to the next policy,
- // or if this is the last policy, the controller
- if (req.session.authenticated) {
- return next();
- }
-
- // User is not allowed
- // (default res.forbidden() behavior can be overridden in `config/403.js`)
- return res.forbidden('You are not permitted to perform this action.');
-};
diff --git a/Application/api/responses/badRequest.js b/Application/api/responses/badRequest.js
deleted file mode 100644
index 4eb96aa..0000000
--- a/Application/api/responses/badRequest.js
+++ /dev/null
@@ -1,76 +0,0 @@
-/**
- * 400 (Bad Request) Handler
- *
- * Usage:
- * return res.badRequest();
- * return res.badRequest(data);
- * return res.badRequest(data, 'some/specific/badRequest/view');
- *
- * e.g.:
- * ```
- * return res.badRequest(
- * 'Please choose a valid `password` (6-12 characters)',
- * 'trial/signup'
- * );
- * ```
- */
-
-module.exports = function badRequest(data, options) {
-
- // Get access to `req`, `res`, & `sails`
- var req = this.req;
- var res = this.res;
- var sails = req._sails;
-
- // Set status code
- res.status(400);
-
- // Log error to console
- if (data !== undefined) {
- sails.log.verbose('Sending 400 ("Bad Request") response: \n',data);
- }
- else sails.log.verbose('Sending 400 ("Bad Request") response');
-
- // Only include errors in response if application environment
- // is not set to 'production'. In production, we shouldn't
- // send back any identifying information about errors.
- if (sails.config.environment === 'production' && sails.config.keepResponseErrors !== true) {
- data = undefined;
- }
-
- // If the user-agent wants JSON, always respond with JSON
- // If views are disabled, revert to json
- if (req.wantsJSON || sails.config.hooks.views === false) {
- return res.jsonx(data);
- }
-
- // If second argument is a string, we take that to mean it refers to a view.
- // If it was omitted, use an empty object (`{}`)
- options = (typeof options === 'string') ? { view: options } : options || {};
-
- // Attempt to prettify data for views, if it's a non-error object
- var viewData = data;
- if (!(viewData instanceof Error) && typeof viewData == 'object') {
- try {
- viewData = require('util').inspect(data, {depth: null});
- }
- catch(e) {
- viewData = undefined;
- }
- }
-
- // If a view was provided in options, serve it.
- // Otherwise try to guess an appropriate view, or if that doesn't
- // work, just send JSON.
- if (options.view) {
- return res.view(options.view, { data: viewData, title: 'Bad Request' });
- }
-
- // If no second argument provided, try to serve the implied view,
- // but fall back to sending JSON(P) if no view can be inferred.
- else return res.guessView({ data: viewData, title: 'Bad Request' }, function couldNotGuessView () {
- return res.jsonx(data);
- });
-
-};
-
diff --git a/Application/api/responses/created.js b/Application/api/responses/created.js
deleted file mode 100644
index 17ca6d4..0000000
--- a/Application/api/responses/created.js
+++ /dev/null
@@ -1,60 +0,0 @@ -/** - * 201 (CREATED) Response - * - * Usage: - * return res.created(); - * return res.created(data); - * return res.created(data, 'auth/login'); - * - * @param {Object} data - * @param {String|Object} options - * - pass string to render specified view - */ - -module.exports = function created (data, options) { - - // Get access to `req`, `res`, & `sails` - var req = this.req; - var res = this.res; - var sails = req._sails; - - sails.log.silly('res.created() :: Sending 201 ("CREATED") response'); - - // Set status code - res.status(201); - - // If appropriate, serve data as JSON(P) - // If views are disabled, revert to json - if (req.wantsJSON || sails.config.hooks.views === false) { - return res.jsonx(data); - } - - // If second argument is a string, we take that to mean it refers to a view. - // If it was omitted, use an empty object (`{}`) - options = (typeof options === 'string') ? { view: options } : options || {}; - - // Attempt to prettify data for views, if it's a non-error object - var viewData = data; - if (!(viewData instanceof Error) && typeof viewData == 'object') { - try { - viewData = require('util').inspect(data, {depth: null}); - } - catch(e) { - viewData = undefined; - } - } - - // If a view was provided in options, serve it. - // Otherwise try to guess an appropriate view, or if that doesn't - // work, just send JSON. - if (options.view) { - return res.view(options.view, { data: viewData, title: 'Created' }); - } - - // If no second argument provided, try to serve the implied view, - // but fall back to sending JSON(P) if no view can be inferred. - else return res.guessView({ data: viewData, title: 'Created' }, function couldNotGuessView () { - return res.jsonx(data); - }); - -}; diff --git a/Application/api/responses/forbidden.js b/Application/api/responses/forbidden.js deleted file mode 100644 index 6b55e42..0000000 --- a/Application/api/responses/forbidden.js +++ /dev/null 
@@ -1,89 +0,0 @@ -/** - * 403 (Forbidden) Handler - * - * Usage: - * return res.forbidden(); - * return res.forbidden(err); - * return res.forbidden(err, 'some/specific/forbidden/view'); - * - * e.g.: - * ``` - * return res.forbidden('Access denied.'); - * ``` - */ - -module.exports = function forbidden (data, options) { - - // Get access to `req`, `res`, & `sails` - var req = this.req; - var res = this.res; - var sails = req._sails; - - // Set status code - res.status(403); - - // Log error to console - if (data !== undefined) { - sails.log.verbose('Sending 403 ("Forbidden") response: \n',data); - } - else sails.log.verbose('Sending 403 ("Forbidden") response'); - - // Only include errors in response if application environment - // is not set to 'production'. In production, we shouldn't - // send back any identifying information about errors. - if (sails.config.environment === 'production' && sails.config.keepResponseErrors !== true) { - data = undefined; - } - - // If the user-agent wants JSON, always respond with JSON - // If views are disabled, revert to json - if (req.wantsJSON || sails.config.hooks.views === false) { - return res.jsonx(data); - } - - // If second argument is a string, we take that to mean it refers to a view. - // If it was omitted, use an empty object (`{}`) - options = (typeof options === 'string') ? { view: options } : options || {}; - - // Attempt to prettify data for views, if it's a non-error object - var viewData = data; - if (!(viewData instanceof Error) && typeof viewData == 'object') { - try { - viewData = require('util').inspect(data, {depth: null}); - } - catch(e) { - viewData = undefined; - } - } - - // If a view was provided in options, serve it. - // Otherwise try to guess an appropriate view, or if that doesn't - // work, just send JSON. 
- if (options.view) { - return res.view(options.view, { data: viewData, title: 'Forbidden' }); - } - - // If no second argument provided, try to serve the default view, - // but fall back to sending JSON(P) if any errors occur. - else return res.view('403', { data: viewData, title: 'Forbidden' }, function (err, html) { - - // If a view error occured, fall back to JSON(P). - if (err) { - // - // Additionally: - // • If the view was missing, ignore the error but provide a verbose log. - if (err.code === 'E_VIEW_FAILED') { - sails.log.verbose('res.forbidden() :: Could not locate view for error page (sending JSON instead). Details: ',err); - } - // Otherwise, if this was a more serious error, log to the console with the details. - else { - sails.log.warn('res.forbidden() :: When attempting to render error page view, an error occured (sending JSON instead). Details: ', err); - } - return res.jsonx(data); - } - - return res.send(html); - }); - -}; - diff --git a/Application/api/responses/notFound.js b/Application/api/responses/notFound.js deleted file mode 100644 index 96ab002..0000000 --- a/Application/api/responses/notFound.js +++ /dev/null 
@@ -1,94 +0,0 @@ -/** - * 404 (Not Found) Handler - * - * Usage: - * return res.notFound(); - * return res.notFound(err); - * return res.notFound(err, 'some/specific/notfound/view'); - * - * e.g.: - * ``` - * return res.notFound(); - * ``` - * - * NOTE: - * If a request doesn't match any explicit routes (i.e. `config/routes.js`) - * or route blueprints (i.e. "shadow routes", Sails will call `res.notFound()` - * automatically. - */ - -module.exports = function notFound (data, options) { - - // Get access to `req`, `res`, & `sails` - var req = this.req; - var res = this.res; - var sails = req._sails; - - // Set status code - res.status(404); - - // Log error to console - if (data !== undefined) { - sails.log.verbose('Sending 404 ("Not Found") response: \n',data); - } - else sails.log.verbose('Sending 404 ("Not Found") response'); - - // Only include errors in response if application environment - // is not set to 'production'. In production, we shouldn't - // send back any identifying information about errors. - if (sails.config.environment === 'production' && sails.config.keepResponseErrors !== true) { - data = undefined; - } - - // If the user-agent wants JSON, always respond with JSON - // If views are disabled, revert to json - if (req.wantsJSON || sails.config.hooks.views === false) { - return res.jsonx(data); - } - - // If second argument is a string, we take that to mean it refers to a view. - // If it was omitted, use an empty object (`{}`) - options = (typeof options === 'string') ? { view: options } : options || {}; - - // Attempt to prettify data for views, if it's a non-error object - var viewData = data; - if (!(viewData instanceof Error) && typeof viewData == 'object') { - try { - viewData = require('util').inspect(data, {depth: null}); - } - catch(e) { - viewData = undefined; - } - } - - // If a view was provided in options, serve it. - // Otherwise try to guess an appropriate view, or if that doesn't - // work, just send JSON. 
- if (options.view) { - return res.view(options.view, { data: viewData, title: 'Not Found' }); - } - - // If no second argument provided, try to serve the default view, - // but fall back to sending JSON(P) if any errors occur. - else return res.view('404', { data: viewData, title: 'Not Found' }, function (err, html) { - - // If a view error occured, fall back to JSON(P). - if (err) { - // - // Additionally: - // • If the view was missing, ignore the error but provide a verbose log. - if (err.code === 'E_VIEW_FAILED') { - sails.log.verbose('res.notFound() :: Could not locate view for error page (sending JSON instead). Details: ',err); - } - // Otherwise, if this was a more serious error, log to the console with the details. - else { - sails.log.warn('res.notFound() :: When attempting to render error page view, an error occured (sending JSON instead). Details: ', err); - } - return res.jsonx(data); - } - - return res.send(html); - }); - -}; - diff --git a/Application/api/responses/ok.js b/Application/api/responses/ok.js deleted file mode 100644 index cedb33b..0000000 --- a/Application/api/responses/ok.js +++ /dev/null 
@@ -1,60 +0,0 @@ -/** - * 200 (OK) Response - * - * Usage: - * return res.ok(); - * return res.ok(data); - * return res.ok(data, 'auth/login'); - * - * @param {Object} data - * @param {String|Object} options - * - pass string to render specified view - */ - -module.exports = function sendOK (data, options) { - - // Get access to `req`, `res`, & `sails` - var req = this.req; - var res = this.res; - var sails = req._sails; - - sails.log.silly('res.ok() :: Sending 200 ("OK") response'); - - // Set status code - res.status(200); - - // If appropriate, serve data as JSON(P) - // If views are disabled, revert to json - if (req.wantsJSON || sails.config.hooks.views === false) { - return res.jsonx(data); - } - - // If second argument is a string, we take that to mean it refers to a view. - // If it was omitted, use an empty object (`{}`) - options = (typeof options === 'string') ? { view: options } : options || {}; - - // Attempt to prettify data for views, if it's a non-error object - var viewData = data; - if (!(viewData instanceof Error) && typeof viewData == 'object') { - try { - viewData = require('util').inspect(data, {depth: null}); - } - catch(e) { - viewData = undefined; - } - } - - // If a view was provided in options, serve it. - // Otherwise try to guess an appropriate view, or if that doesn't - // work, just send JSON. - if (options.view) { - return res.view(options.view, { data: viewData, title: 'OK' }); - } - - // If no second argument provided, try to serve the implied view, - // but fall back to sending JSON(P) if no view can be inferred. - else return res.guessView({ data: viewData, title: 'OK' }, function couldNotGuessView () { - return res.jsonx(data); - }); - -}; diff --git a/Application/api/responses/serverError.js b/Application/api/responses/serverError.js deleted file mode 100644 index 202df28..0000000 --- a/Application/api/responses/serverError.js +++ /dev/null 
@@ -1,89 +0,0 @@ -/** - * 500 (Server Error) Response - * - * Usage: - * return res.serverError(); - * return res.serverError(err); - * return res.serverError(err, 'some/specific/error/view'); - * - * NOTE: - * If something throws in a policy or controller, or an internal - * error is encountered, Sails will call `res.serverError()` - * automatically. - */ - -module.exports = function serverError (data, options) { - - // Get access to `req`, `res`, & `sails` - var req = this.req; - var res = this.res; - var sails = req._sails; - - // Set status code - res.status(500); - - // Log error to console - if (data !== undefined) { - sails.log.error('Sending 500 ("Server Error") response: \n',data); - } - else sails.log.error('Sending empty 500 ("Server Error") response'); - - // Only include errors in response if application environment - // is not set to 'production'. In production, we shouldn't - // send back any identifying information about errors. - if (sails.config.environment === 'production' && sails.config.keepResponseErrors !== true) { - data = undefined; - } - - // If the user-agent wants JSON, always respond with JSON - // If views are disabled, revert to json - if (req.wantsJSON || sails.config.hooks.views === false) { - return res.jsonx(data); - } - - // If second argument is a string, we take that to mean it refers to a view. - // If it was omitted, use an empty object (`{}`) - options = (typeof options === 'string') ? { view: options } : options || {}; - - // Attempt to prettify data for views, if it's a non-error object - var viewData = data; - if (!(viewData instanceof Error) && typeof viewData == 'object') { - try { - viewData = require('util').inspect(data, {depth: null}); - } - catch(e) { - viewData = undefined; - } - } - - // If a view was provided in options, serve it. - // Otherwise try to guess an appropriate view, or if that doesn't - // work, just send JSON. 
- if (options.view) { - return res.view(options.view, { data: viewData, title: 'Server Error' }); - } - - // If no second argument provided, try to serve the default view, - // but fall back to sending JSON(P) if any errors occur. - else return res.view('500', { data: viewData, title: 'Server Error' }, function (err, html) { - - // If a view error occured, fall back to JSON(P). - if (err) { - // - // Additionally: - // • If the view was missing, ignore the error but provide a verbose log. - if (err.code === 'E_VIEW_FAILED') { - sails.log.verbose('res.serverError() :: Could not locate view for error page (sending JSON instead). Details: ',err); - } - // Otherwise, if this was a more serious error, log to the console with the details. - else { - sails.log.warn('res.serverError() :: When attempting to render error page view, an error occured (sending JSON instead). Details: ', err); - } - return res.jsonx(data); - } - - return res.send(html); - }); - -}; - diff --git a/Application/app.js b/Application/app.js deleted file mode 100644 index 94527cd..0000000 --- a/Application/app.js +++ /dev/null 
@@ -1,69 +0,0 @@ -/** - * app.js - * - * Use `app.js` to run your app without `sails lift`. - * To start the server, run: `node app.js`. - * - * This is handy in situations where the sails CLI is not relevant or useful. - * - * For example: - * => `node app.js` - * => `forever start app.js` - * => `node debug app.js` - * => `modulus deploy` - * => `heroku scale` - * - * - * The same command-line arguments are supported, e.g.: - * `node app.js --silent --port=80 --prod` - */ - - -// Ensure we're in the project directory, so cwd-relative paths work as expected -// no matter where we actually lift from. -// > Note: This is not required in order to lift, but it is a convenient default. -process.chdir(__dirname); - -// Attempt to import `sails`. -var sails; -//const appInsights = require('applicationinsights'); -//appInsights.setup(); - - -try { - sails = require('sails'); -} catch (e) { - console.error('To run an app using `node app.js`, you usually need to have a version of `sails` installed in the same directory as your app.'); - console.error('To do that, run `npm install sails`'); - console.error(''); - console.error('Alternatively, if you have sails installed globally (i.e. you did `npm install -g sails`), you can use `sails lift`.'); - console.error('When you run `sails lift`, your app will still use a local `./node_modules/sails` dependency if it exists,'); - console.error('but if it doesn\'t, the app will run with the global sails instead!'); - return; -} - -// --• -// Try to get `rc` dependency (for loading `.sailsrc` files). 
-var rc; -try { - rc = require('rc'); -} catch (e0) { - try { - rc = require('sails/node_modules/rc'); - } catch (e1) { - console.error('Could not find dependency: `rc`.'); - console.error('Your `.sailsrc` file(s) will be ignored.'); - console.error('To resolve this, run:'); - console.error('npm install rc --save'); - rc = function () { return {}; }; - } -} - -var appInsights = require('applicationinsights'); -if(process.env.NODE_ENV == "production"){ - appInsights.setup(); - appInsights.start(); -} - -// Start server -sails.lift(rc('sails')); diff --git a/Application/assets/favicon.ico b/Application/assets/favicon.ico deleted file mode 100644 index 0092ec9..0000000 Binary files a/Application/assets/favicon.ico and /dev/null differ diff --git a/Application/assets/fonts/segoeuil.ttf b/Application/assets/fonts/segoeuil.ttf deleted file mode 100644 index 53edf71..0000000 Binary files a/Application/assets/fonts/segoeuil.ttf and /dev/null differ diff --git a/Application/assets/images/cloneWhite.svg b/Application/assets/images/cloneWhite.svg deleted file mode 100644 index 5ab997f..0000000 --- a/Application/assets/images/cloneWhite.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/Application/assets/images/deployWhite.svg b/Application/assets/images/deployWhite.svg deleted file mode 100644 index 7ceb211..0000000 --- a/Application/assets/images/deployWhite.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/Application/assets/images/lightbulbWhite.svg b/Application/assets/images/lightbulbWhite.svg deleted file mode 100644 index c1fef37..0000000 --- a/Application/assets/images/lightbulbWhite.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/Application/assets/images/stackWhite.svg b/Application/assets/images/stackWhite.svg deleted file mode 100644 index 6ba1209..0000000 --- a/Application/assets/images/stackWhite.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file 
diff --git a/Application/assets/images/successCloudNew.svg b/Application/assets/images/successCloudNew.svg deleted file mode 100644 index 18759d8..0000000 --- a/Application/assets/images/successCloudNew.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/Application/assets/images/tweetThis.svg b/Application/assets/images/tweetThis.svg deleted file mode 100644 index 0645220..0000000 --- a/Application/assets/images/tweetThis.svg +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/Application/assets/js/dependencies/sails.io.js b/Application/assets/js/dependencies/sails.io.js deleted file mode 100644 index 653a079..0000000 --- a/Application/assets/js/dependencies/sails.io.js +++ /dev/null 
@@ -1,1528 +0,0 @@ -/** - * To use sails.io.js in an AMD environment (e.g. with require.js), - * replace this file with the sails.io.js file from the root of: - * https://github.com/balderdashy/sails.io.js - * and download a standalone copy of socket.io-client from: - * https://github.com/socketio/socket.io-client - * then follow the instructions at: - * https://github.com/balderdashy/sails.io.js#requirejsamd-usage - */ - -// socket.io-client version 1.4.4 -// https://github.com/socketio/socket.io-client - -!function(a){if("object"==typeof exports&&"undefined"!=typeof module)module.exports=a();else if("function"==typeof define&&define.amd)define([],a);else{var b;b="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:this,b.io=a()}}(function(){var a;return function b(a,c,d){function e(g,h){if(!c[g]){if(!a[g]){var i="function"==typeof require&&require;if(!h&&i)return i(g,!0);if(f)return f(g,!0);var j=new Error("Cannot find module '"+g+"'");throw j.code="MODULE_NOT_FOUND",j}var k=c[g]={exports:{}};a[g][0].call(k.exports,function(b){var c=a[g][1][b];return e(c?c:b)},k,k.exports,b,a,c,d)}return c[g].exports}for(var f="function"==typeof require&&require,g=0;g0&&(this.extraHeaders=b.extraHeaders),this.open()}function e(a){var b={};for(var c in a)a.hasOwnProperty(c)&&(b[c]=a[c]);return b}var f=a("./transports"),g=a("component-emitter"),h=a("debug")("engine.io-client:socket"),i=a("indexof"),j=a("engine.io-parser"),k=a("parseuri"),l=a("parsejson"),m=a("parseqs");b.exports=d,d.priorWebsocketSuccess=!1,g(d.prototype),d.protocol=j.protocol,d.Socket=d,d.Transport=a("./transport"),d.transports=a("./transports"),d.parser=a("engine.io-parser"),d.prototype.createTransport=function(a){h('creating transport "%s"',a);var b=e(this.query);b.EIO=j.protocol,b.transport=a,this.id&&(b.sid=this.id);var c=new 
f[a]({agent:this.agent,hostname:this.hostname,port:this.port,secure:this.secure,path:this.path,query:b,forceJSONP:this.forceJSONP,jsonp:this.jsonp,forceBase64:this.forceBase64,enablesXDR:this.enablesXDR,timestampRequests:this.timestampRequests,timestampParam:this.timestampParam,policyPort:this.policyPort,socket:this,pfx:this.pfx,key:this.key,passphrase:this.passphrase,cert:this.cert,ca:this.ca,ciphers:this.ciphers,rejectUnauthorized:this.rejectUnauthorized,perMessageDeflate:this.perMessageDeflate,extraHeaders:this.extraHeaders});return c},d.prototype.open=function(){var a;if(this.rememberUpgrade&&d.priorWebsocketSuccess&&-1!=this.transports.indexOf("websocket"))a="websocket";else{if(0===this.transports.length){var b=this;return void setTimeout(function(){b.emit("error","No transports available")},0)}a=this.transports[0]}this.readyState="opening";try{a=this.createTransport(a)}catch(c){return this.transports.shift(),void this.open()}a.open(),this.setTransport(a)},d.prototype.setTransport=function(a){h("setting transport %s",a.name);var b=this;this.transport&&(h("clearing existing transport %s",this.transport.name),this.transport.removeAllListeners()),this.transport=a,a.on("drain",function(){b.onDrain()}).on("packet",function(a){b.onPacket(a)}).on("error",function(a){b.onError(a)}).on("close",function(){b.onClose("transport close")})},d.prototype.probe=function(a){function b(){if(m.onlyBinaryUpgrades){var b=!this.supportsBinary&&m.transport.supportsBinary;l=l||b}l||(h('probe transport "%s" opened',a),k.send([{type:"ping",data:"probe"}]),k.once("packet",function(b){if(!l)if("pong"==b.type&&"probe"==b.data){if(h('probe transport "%s" pong',a),m.upgrading=!0,m.emit("upgrading",k),!k)return;d.priorWebsocketSuccess="websocket"==k.name,h('pausing current transport "%s"',m.transport.name),m.transport.pause(function(){l||"closed"!=m.readyState&&(h("changing transport and sending upgrade 
packet"),j(),m.setTransport(k),k.send([{type:"upgrade"}]),m.emit("upgrade",k),k=null,m.upgrading=!1,m.flush())})}else{h('probe transport "%s" failed',a);var c=new Error("probe error");c.transport=k.name,m.emit("upgradeError",c)}}))}function c(){l||(l=!0,j(),k.close(),k=null)}function e(b){var d=new Error("probe error: "+b);d.transport=k.name,c(),h('probe transport "%s" failed because of error: %s',a,b),m.emit("upgradeError",d)}function f(){e("transport closed")}function g(){e("socket closed")}function i(a){k&&a.name!=k.name&&(h('"%s" works - aborting "%s"',a.name,k.name),c())}function j(){k.removeListener("open",b),k.removeListener("error",e),k.removeListener("close",f),m.removeListener("close",g),m.removeListener("upgrading",i)}h('probing transport "%s"',a);var k=this.createTransport(a,{probe:1}),l=!1,m=this;d.priorWebsocketSuccess=!1,k.once("open",b),k.once("error",e),k.once("close",f),this.once("close",g),this.once("upgrading",i),k.open()},d.prototype.onOpen=function(){if(h("socket open"),this.readyState="open",d.priorWebsocketSuccess="websocket"==this.transport.name,this.emit("open"),this.flush(),"open"==this.readyState&&this.upgrade&&this.transport.pause){h("starting upgrade probes");for(var a=0,b=this.upgrades.length;b>a;a++)this.probe(this.upgrades[a])}},d.prototype.onPacket=function(a){if("opening"==this.readyState||"open"==this.readyState)switch(h('socket receive: type "%s", data "%s"',a.type,a.data),this.emit("packet",a),this.emit("heartbeat"),a.type){case"open":this.onHandshake(l(a.data));break;case"pong":this.setPing(),this.emit("pong");break;case"error":var b=new Error("server error");b.code=a.data,this.onError(b);break;case"message":this.emit("data",a.data),this.emit("message",a.data)}else h('packet received with socket readyState 
"%s"',this.readyState)},d.prototype.onHandshake=function(a){this.emit("handshake",a),this.id=a.sid,this.transport.query.sid=a.sid,this.upgrades=this.filterUpgrades(a.upgrades),this.pingInterval=a.pingInterval,this.pingTimeout=a.pingTimeout,this.onOpen(),"closed"!=this.readyState&&(this.setPing(),this.removeListener("heartbeat",this.onHeartbeat),this.on("heartbeat",this.onHeartbeat))},d.prototype.onHeartbeat=function(a){clearTimeout(this.pingTimeoutTimer);var b=this;b.pingTimeoutTimer=setTimeout(function(){"closed"!=b.readyState&&b.onClose("ping timeout")},a||b.pingInterval+b.pingTimeout)},d.prototype.setPing=function(){var a=this;clearTimeout(a.pingIntervalTimer),a.pingIntervalTimer=setTimeout(function(){h("writing ping packet - expecting pong within %sms",a.pingTimeout),a.ping(),a.onHeartbeat(a.pingTimeout)},a.pingInterval)},d.prototype.ping=function(){var a=this;this.sendPacket("ping",function(){a.emit("ping")})},d.prototype.onDrain=function(){this.writeBuffer.splice(0,this.prevBufferLen),this.prevBufferLen=0,0===this.writeBuffer.length?this.emit("drain"):this.flush()},d.prototype.flush=function(){"closed"!=this.readyState&&this.transport.writable&&!this.upgrading&&this.writeBuffer.length&&(h("flushing %d packets in socket",this.writeBuffer.length),this.transport.send(this.writeBuffer),this.prevBufferLen=this.writeBuffer.length,this.emit("flush"))},d.prototype.write=d.prototype.send=function(a,b,c){return this.sendPacket("message",a,b,c),this},d.prototype.sendPacket=function(a,b,c,d){if("function"==typeof b&&(d=b,b=void 0),"function"==typeof c&&(d=c,c=null),"closing"!=this.readyState&&"closed"!=this.readyState){c=c||{},c.compress=!1!==c.compress;var e={type:a,data:b,options:c};this.emit("packetCreate",e),this.writeBuffer.push(e),d&&this.once("flush",d),this.flush()}},d.prototype.close=function(){function a(){d.onClose("forced close"),h("socket closing - telling transport to close"),d.transport.close()}function 
b(){d.removeListener("upgrade",b),d.removeListener("upgradeError",b),a()}function c(){d.once("upgrade",b),d.once("upgradeError",b)}if("opening"==this.readyState||"open"==this.readyState){this.readyState="closing";var d=this;this.writeBuffer.length?this.once("drain",function(){this.upgrading?c():a()}):this.upgrading?c():a()}return this},d.prototype.onError=function(a){h("socket error %j",a),d.priorWebsocketSuccess=!1,this.emit("error",a),this.onClose("transport error",a)},d.prototype.onClose=function(a,b){if("opening"==this.readyState||"open"==this.readyState||"closing"==this.readyState){h('socket close with reason: "%s"',a);var c=this;clearTimeout(this.pingIntervalTimer),clearTimeout(this.pingTimeoutTimer),this.transport.removeAllListeners("close"),this.transport.close(),this.transport.removeAllListeners(),this.readyState="closed",this.id=null,this.emit("close",a,b),c.writeBuffer=[],c.prevBufferLen=0}},d.prototype.filterUpgrades=function(a){for(var b=[],c=0,d=a.length;d>c;c++)~i(this.transports,a[c])&&b.push(a[c]);return b}}).call(this,"undefined"!=typeof self?self:"undefined"!=typeof window?window:"undefined"!=typeof global?global:{})},{"./transport":4,"./transports":5,"component-emitter":15,debug:17,"engine.io-parser":19,indexof:23,parsejson:26,parseqs:27,parseuri:28}],4:[function(a,b,c){function d(a){this.path=a.path,this.hostname=a.hostname,this.port=a.port,this.secure=a.secure,this.query=a.query,this.timestampParam=a.timestampParam,this.timestampRequests=a.timestampRequests,this.readyState="",this.agent=a.agent||!1,this.socket=a.socket,this.enablesXDR=a.enablesXDR,this.pfx=a.pfx,this.key=a.key,this.passphrase=a.passphrase,this.cert=a.cert,this.ca=a.ca,this.ciphers=a.ciphers,this.rejectUnauthorized=a.rejectUnauthorized,this.extraHeaders=a.extraHeaders}var e=a("engine.io-parser"),f=a("component-emitter");b.exports=d,f(d.prototype),d.prototype.onError=function(a,b){var c=new Error(a);return 
c.type="TransportError",c.description=b,this.emit("error",c),this},d.prototype.open=function(){return("closed"==this.readyState||""==this.readyState)&&(this.readyState="opening",this.doOpen()),this},d.prototype.close=function(){return("opening"==this.readyState||"open"==this.readyState)&&(this.doClose(),this.onClose()),this},d.prototype.send=function(a){if("open"!=this.readyState)throw new Error("Transport not open");this.write(a)},d.prototype.onOpen=function(){this.readyState="open",this.writable=!0,this.emit("open")},d.prototype.onData=function(a){var b=e.decodePacket(a,this.socket.binaryType);this.onPacket(b)},d.prototype.onPacket=function(a){this.emit("packet",a)},d.prototype.onClose=function(){this.readyState="closed",this.emit("close")}},{"component-emitter":15,"engine.io-parser":19}],5:[function(a,b,c){(function(b){function d(a){var c,d=!1,h=!1,i=!1!==a.jsonp;if(b.location){var j="https:"==location.protocol,k=location.port;k||(k=j?443:80),d=a.hostname!=location.hostname||k!=a.port,h=a.secure!=j}if(a.xdomain=d,a.xscheme=h,c=new e(a),"open"in c&&!a.forceJSONP)return new f(a);if(!i)throw new Error("JSONP disabled");return new g(a)}var e=a("xmlhttprequest-ssl"),f=a("./polling-xhr"),g=a("./polling-jsonp"),h=a("./websocket");c.polling=d,c.websocket=h}).call(this,"undefined"!=typeof self?self:"undefined"!=typeof window?window:"undefined"!=typeof global?global:{})},{"./polling-jsonp":6,"./polling-xhr":7,"./websocket":9,"xmlhttprequest-ssl":10}],6:[function(a,b,c){(function(c){function d(){}function e(a){f.call(this,a),this.query=this.query||{},h||(c.___eio||(c.___eio=[]),h=c.___eio),this.index=h.length;var b=this;h.push(function(a){b.onData(a)}),this.query.j=this.index,c.document&&c.addEventListener&&c.addEventListener("beforeunload",function(){b.script&&(b.script.onerror=d)},!1)}var f=a("./polling"),g=a("component-inherit");b.exports=e;var 
h,i=/\n/g,j=/\\n/g;g(e,f),e.prototype.supportsBinary=!1,e.prototype.doClose=function(){this.script&&(this.script.parentNode.removeChild(this.script),this.script=null),this.form&&(this.form.parentNode.removeChild(this.form),this.form=null,this.iframe=null),f.prototype.doClose.call(this)},e.prototype.doPoll=function(){var a=this,b=document.createElement("script");this.script&&(this.script.parentNode.removeChild(this.script),this.script=null),b.async=!0,b.src=this.uri(),b.onerror=function(b){a.onError("jsonp poll error",b)};var c=document.getElementsByTagName("script")[0];c?c.parentNode.insertBefore(b,c):(document.head||document.body).appendChild(b),this.script=b;var d="undefined"!=typeof navigator&&/gecko/i.test(navigator.userAgent);d&&setTimeout(function(){var a=document.createElement("iframe");document.body.appendChild(a),document.body.removeChild(a)},100)},e.prototype.doWrite=function(a,b){function c(){d(),b()}function d(){if(e.iframe)try{e.form.removeChild(e.iframe)}catch(a){e.onError("jsonp polling iframe removal error",a)}try{var b='
