diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index ecd7308..a782168 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,16 +1,15 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the
 // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
 {
- "name": "Dev Container",
+ "name": "DevOS",
 // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
 // "image": "mcr.microsoft.com/devcontainers/base:dev-ubuntu",
 // "build": {"dockerfile": "${localWorkspaceFolder}/build/package/Dockerfile"},
 "dockerComposeFile": [
 "${localWorkspaceFolder}/compose-dev.yaml"
 ],
- "service": "devcontainer",
+ "service": "devos",
 "workspaceFolder": "/workspace",
 // Use 'postCreateCommand' to run commands after the container is created.
 "postCreateCommand": "${containerWorkspaceFolder}/scripts/setup-devcontainer.sh"
- // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
 }
diff --git a/.github/ISSUE_TEMPLATE/security.md b/.github/ISSUE_TEMPLATE/security.md
index e80fed9..9f5f01e 100644
--- a/.github/ISSUE_TEMPLATE/security.md
+++ b/.github/ISSUE_TEMPLATE/security.md
@@ -9,13 +9,15 @@ assignees: "" # Vulnerability Report I identified potential security vulnerabilities in [product]. -I am committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues. +I am committed to working with you to help resolve these issues. In this report you will find everything you need to +effectively coordinate a resolution of these issues. If at any point you have concerns or questions about this process, please do not hesitate to reach out to me at [email]. If you are _NOT_ the correct point of contact for this report, please let me know! ## Summary -_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._ +_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization +vulnerability allows any unauthenticated user to execute arbitrary code on the server._ ## Product 
@@ -39,15 +41,23 @@ _Complete instructions, including specific configuration details, to reproduce t ## Remediation -_Propose a remediation suggestion if you have one. Make it clear that this is just a suggestion, as the maintainer might have a better idea to fix the issue._ +_Propose a remediation suggestion if you have one. Make it clear that this is just a suggestion, as the maintainer might +have a better idea to fix the issue._ ## GitHub Security Advisories -If possible, please could you create a private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory) for these findings? This allows you to invite me to collaborate and further discuss these findings in private before they are [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory). +If possible, please could you create a +private [GitHub Security Advisory](https://help.github.com/en/github/managing-security-vulnerabilities/creating-a-security-advisory) +for these findings? This allows you to invite me to collaborate and further discuss these findings in private before +they +are [published](https://help.github.com/en/github/managing-security-vulnerabilities/publishing-a-security-advisory). I will be happy to collaborate with you, and review your fix to make sure that all corner cases are covered. -When you use a GitHub Security Advisory, you can request a CVE identification number from GitHub. GitHub usually reviews the request within 72 hours, and the CVE details will be published after you make your security advisory public. Publishing a GitHub Security Advisory and a CVE will help notify the downstream consumers of your project, so they can update to the fixed version. +When you use a GitHub Security Advisory, you can request a CVE identification number from GitHub. 
GitHub usually reviews +the request within 72 hours, and the CVE details will be published after you make your security advisory public. +Publishing a GitHub Security Advisory and a CVE will help notify the downstream consumers of your project, so they can +update to the fixed version. ## Credit 
@@ -60,11 +70,18 @@ _If you found the vulnerability with a specific tool, you can also credit this t ## Disclosure Policy -The research team is dedicated to working closely with the open source community and with projects that are affected by a vulnerability, in order to protect users and ensure a coordinated disclosure. -When we identify a vulnerability in a project, we will report it by contacting the publicly-listed security contact for the project if one exists; otherwise we will attempt to contact the project maintainers directly. +The research team is dedicated to working closely with the open source community and with projects that are affected by +a vulnerability, in order to protect users and ensure a coordinated disclosure. +When we identify a vulnerability in a project, we will report it by contacting the publicly-listed security contact for +the project if one exists; otherwise we will attempt to contact the project maintainers directly. -If the project team responds and agrees the issue poses a security risk, we will work with the project security team or maintainers to communicate the vulnerability in detail, and agree on the process for public disclosure. Responsibility for developing and releasing a patch lies firmly with the project team, though we aim to facilitate this by providing detailed information about the vulnerability. +If the project team responds and agrees the issue poses a security risk, we will work with the project security team or +maintainers to communicate the vulnerability in detail, and agree on the process for public disclosure. Responsibility +for developing and releasing a patch lies firmly with the project team, though we aim to facilitate this by providing +detailed information about the vulnerability. Our disclosure deadline for publicly disclosing a vulnerability is: 90 days after the first report to the project team. 
-We **appreciate the hard work** maintainers put into fixing vulnerabilities and understand that sometimes more time is required to properly address an issue. We want project maintainers to succeed and because of that we are always open to discuss our disclosure policy to fit your specific requirements, when warranted. +We **appreciate the hard work** maintainers put into fixing vulnerabilities and understand that sometimes more time is +required to properly address an issue. We want project maintainers to succeed and because of that we are always open to +discuss our disclosure policy to fit your specific requirements, when warranted. diff --git a/.github/actions/trivy/action.yml b/.github/actions/trivy/action.yml new file mode 100644 index 0000000..76eb314 --- /dev/null +++ b/.github/actions/trivy/action.yml 
@@ -0,0 +1,39 @@
+name: Workflow Gate
+description: Gate workflow based on Trivy scan results
+
+inputs:
+ generate-sbom:
+ default: "false"
+ description: Generate SBOM and submit results to Dependency Graph
+ upload-scan-result:
+ default: "false"
+ description: Upload scan results to GitHub Security tab
+
+runs:
+ using: composite
+ steps:
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 https://github.com/aquasecurity/trivy-action/commit/6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+ with:
+ exit-code: 1
+ format: sarif
+ hide-progress: false
+ ignore-unfixed: true
+ output: trivy-results.sarif
+ scan-type: fs
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@b8efe4dc6ab6d31abe3ec159420d2a4916880800 # v3.26.6 https://github.com/github/codeql-action/commit/b8efe4dc6ab6d31abe3ec159420d2a4916880800
+ if: ${{ inputs.upload-scan-result == 'true' }}
+ with:
+ sarif_file: trivy-results.sarif
+
+ - name: Run Trivy SBOM and submit results to Dependency Graph
+ uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.24.0 https://github.com/aquasecurity/trivy-action/commit/6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
+ if: ${{ inputs.generate-sbom == 'true' }}
+ with:
+ format: github
+ github-pat: ${{ github.token }}
+ image-ref: .
+ output: dependency-results.sbom.json
+ scan-type: fs
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 52ded59..0eed77c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,6 +2,14 @@ version: 2
 updates:
 # Maintain dependencies for GitHub Actions
 - package-ecosystem: github-actions
- directory: /
+ directories:
+ - /.github/actions
+ - /.github/workflows
 schedule:
 interval: daily
+ # Maintain dependencies for Devcontainers
+ - package-ecosystem: devcontainers
+ directories:
+ - /.devcontainer
+ schedule:
+ interval: monthly
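Review bot: The SBOM step pins `aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f` while its trailing comment links commit 6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8, the SHA the first step uses under the same v0.24.0 label, so one of the two is wrong and the pin cannot be audited against its comment. Either pin both steps to the SHA whose comment already matches (the first step's) or correct the comment so the URL and the `uses:` SHA agree. Separately, the scanner step sets `exit-code: 1`, so whenever findings exist the action stops before the upload step and the SARIF never reaches the Security tab; `if: ${{ always() && inputs.upload-scan-result == 'true' }}` on the upload step keeps the gate failing while still publishing the results.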
diff --git a/.github/labeler.yml b/.github/labeler.yml index faa52d7..0ec7eba 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml 
@@ -1,24 +1,61 @@ # Add 'repo' label to any root file changes repo: - - "*" + - changed-files: + - any-glob-to-any-file: "*" + +# Add 'github-actions' label to any changes in the '.github' directory +github-actions: + - changed-files: + - any-glob-to-any-file: + - .github/actions/* + - .github/actions/*/** + - .github/auto_assign.yml + - .github/auto_assign.yml/** + - .github/dependabot.yml + - .github/dependabot.yml/** + - .github/workflows/* + - .github/workflows/*/** # Add 'devcontainer' label to any changes in the '.devcontainer' directory -# Add 'devcontainer' label to any changes in the '.docker' directory +# Add 'devcontainer' label to any changes in the 'docker-compose.yml' file devcontainer: - - .devcontainer/* - - .devcontainer/*/** - - .devcontainer/devcontainer.json - - .devcontainer/devcontainer.json/** - - .docker/* - - .docker/*/** - - .docker/Dockerfile - - .docker/Dockerfile/** - - .docker/docker-compose.yml - - .docker/docker-compose.yml/** + - changed-files: + - any-glob-to-any-file: + - .devcontainer/* + - .devcontainer/*/** + - .devcontainer/devcontainer.json + - .devcontainer/devcontainer.json/** + - docker-compose.yml + - docker-compose.yml/** -# Add 'github-actions' label to any changes in the '.github' directory -github-actions: - - .github/workflows/* - - .github/workflows/*/** - - .github/dependabot.yml - - .github/dependabot.yml/** +# Add 'config' label to any changes in the 'config' directory +config: + - changed-files: + - any-glob-to-any-file: + - config/* + - config/** + +# Add 'scripting' label to any changes in the 'scripts' directory +scripting: + - changed-files: + - any-glob-to-any-file: + - scripts/* + - scripts/*/** + +# Add 'tooling' label to any changes in the 'build' directory +tooling: + - changed-files: + - any-glob-to-any-file: + - tools/* + - tools/** + +# Add 'container' label to Dockerfile +container: + - changed-files: + - any-glob-to-any-file: + - build/**/Dockerfile + - build/img/**/Dockerfile + +# Add 'release' 
label to any PR opened against the 'main' branch +release: + - base-branch: main diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 0bde81f..5e9985c 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -11,20 +11,22 @@ permissions: read-all jobs: bot: - uses: labsonline/cicd/.github/workflows/bot.yml@6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 # v0.1.4 https://github.com/labsonline/cicd/commit/6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 + uses: ./.github/workflows/ondemand/bot.yml permissions: issues: write pull-requests: write repository-projects: write - # Uncomment if you want to use the codeql workflow - # ast: - # uses: labsonline/cicd/.github/workflows/ast.yml@6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 # v0.1.4 https://github.com/labsonline/cicd/commit/6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 - # with: - # codeql-language: python - gate: - uses: labsonline/cicd/.github/workflows/gate.yml@6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 # v0.1.4 https://github.com/labsonline/cicd/commit/6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 + + sonarqube: + uses: ./.github/workflows/gate/sonarqube.yml + trivy: + uses: ./.github/workflows/gate/trivy.yml + devos: + uses: ./.github/workflows/gate/devos.yml + scorecard: - uses: labsonline/cicd/.github/workflows/scorecard.yml@6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 # v0.1.4 https://github.com/labsonline/cicd/commit/6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 + uses: ./.github/workflows/ondemand/scorecard.yml permissions: + contents: write id-token: write security-events: write diff --git a/.github/workflows/cleanup.yml.sample b/.github/workflows/cleanup.yml.sample deleted file mode 100644 index 44cc1d7..0000000 --- a/.github/workflows/cleanup.yml.sample +++ /dev/null 
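Review bot: The comment above `tooling:` says the label covers the 'build' directory, but the globs under it are `tools/*` and `tools/**`, and 'build' is actually what the `container` rule below matches; rewrite it as `# Add 'tooling' label to any changes in the 'tools' directory`. Within `container`, `build/img/**/Dockerfile` is already matched by `build/**/Dockerfile`, and within `config`, `config/*` by `config/**`, so each second pattern can be dropped. The `github-actions` rule does not list `.github/labeler.yml` itself; if that is intentional, a comment saying so would stop the next reader from "fixing" it.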
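Review bot: The `sonarqube` job calls `./.github/workflows/gate/sonarqube.yml` with no `with:` block, and that workflow's only job is guarded by `if: ${{ inputs.sonarqube }}` whose declared default is `false`, so the SonarQube gate is always skipped; pass `with: { sonarqube: true }` from here, or drop the input, if it is meant to gate. The new `contents: write` for `scorecard` is more than ossf/scorecard-action documents (`contents: read` alongside `id-token: write` and `security-events: write`), so `contents: read` is the least-privilege value. As far as I know GitHub resolves local reusable workflows only at `./.github/workflows/<file>.yml` and does not read the `gate/` and `ondemand/` subdirectories these `uses:` paths point into, so this should be confirmed on a real run before the pinned `labsonline/cicd` references are removed.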
@@ -1,26 +0,0 @@
-name: Cleanup
-
-on:
- pull_request:
- types:
- - closed
- schedule:
- - cron: 30 1 * * 6
- workflow_dispatch: {}
-
-permissions: read-all
-
-# Add custom review jobs here
-jobs:
- cleanup:
- runs-on: ubuntu-latest
- steps:
- - run: echo "This is a cleanup job"
-
- # The following is required and added automatically (do no add it manually)
- # cleanup:
- # uses: labsonline/cicd/.github/workflows/cleanup.yml@6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 # v0.1.4 https://github.com/labsonline/cicd/commit/6e038f38f0819ffec0ea23e23efd8a1a0a4a4537
- # permissions:
- # contents: write
- # issues: write
- # pull-requests: write
diff --git a/.github/workflows/gate/devos.yml b/.github/workflows/gate/devos.yml
new file mode 100644
index 0000000..30005dd
--- /dev/null
+++ b/.github/workflows/gate/devos.yml
@@ -0,0 +1,14 @@
+name: DevOS
+
+on:
+ - workflow_call
+
+permissions: read-all
+
+jobs:
+ airskiff:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - run: hack/run
diff --git a/.github/workflows/gate/sonarqube.yml b/.github/workflows/gate/sonarqube.yml
new file mode 100644
index 0000000..9998ff8
--- /dev/null
+++ b/.github/workflows/gate/sonarqube.yml
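Review bot: The checkout step in `gate/devos.yml` is the only one in this commit without `persist-credentials: false`, and it is immediately followed by `run: hack/run`, which executes repository-controlled code while the job token is still stored in `.git/config`; add `with:` / `persist-credentials: false` under the checkout as the other gate workflows do. The `uses:` comment here is also the only one that lacks the commit URL the other files carry after the version tag. Nothing on the page says what `hack/run` checks or what a non-zero exit means, so a one-line comment above the step, such as `# hack/run: <what this gate verifies; non-zero exit fails the DevOS gate>`, would help the next maintainer.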
@@ -0,0 +1,28 @@ +name: SonarQube + +on: + workflow_call: + inputs: + sonarqube: + type: boolean + default: false + description: Run SonarQube Quality Gate + +permissions: read-all + +jobs: + sonarqube: + runs-on: ubuntu-latest + if: ${{ inputs.sonarqube }} + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + persist-credentials: false + - name: SonarQube Quality Gate + uses: sonarsource/sonarqube-quality-gate-action@d304d050d930b02a896b0f85935344f023928496 # v1.1.0 https://github.com/SonarSource/sonarqube-quality-gate-action/commit/d304d050d930b02a896b0f85935344f023928496 + timeout-minutes: 5 + env: + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} diff --git a/.github/workflows/gate/trivy.yml b/.github/workflows/gate/trivy.yml new file mode 100644 index 0000000..37ad735 --- /dev/null +++ b/.github/workflows/gate/trivy.yml @@ -0,0 +1,21 @@ +name: Trivy + +on: + - workflow_call + +permissions: read-all + +jobs: + trivy: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + persist-credentials: false + - name: Trivy Scan + uses: ./.github/actions/trivy + # with: + # generate-sbom: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }} + # upload-scan-result: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }} diff --git a/.github/workflows/ondemand/bot.yml b/.github/workflows/ondemand/bot.yml new file mode 100644 index 0000000..c517a73 --- /dev/null +++ b/.github/workflows/ondemand/bot.yml 
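Review bot: `gate/sonarqube.yml` reads `secrets.SONAR_HOST_URL` and `secrets.SONAR_TOKEN`, but a workflow invoked through `workflow_call` only receives the secrets its caller passes, and the `sonarqube:` job in `cicd.yml` passes none, so both values will be empty at runtime. Declare them under `on.workflow_call.secrets` (e.g. `SONAR_TOKEN:` / `required: true`) and pass them from the caller, or use `secrets: inherit` on the caller side. In addition, `sonarqube-quality-gate-action` evaluates the gate of an analysis that a preceding scan step has published (it reads the scanner's report-task file, `.scannerwork/report-task.txt` by default as I recall), and no scan step runs before it here — the one in `review.yml` is commented out — so the action has nothing to check.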
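Review bot: `gate/trivy.yml` keeps `permissions: read-all`, yet the composite action's upload step (`github/codeql-action/upload-sarif`) needs `security-events: write` and its Dependency Graph submission needs `contents: write`, so uncommenting the `with:` block as it stands would fail on authorization rather than publish anything. With both inputs defaulting to `"false"` the gate currently writes `trivy-results.sarif` and discards it. Either raise the job permissions together with the inputs, or record the coupling next to the commented block: `# enabling these inputs also requires security-events: write (SARIF) and contents: write (SBOM) on this job`.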
@@ -0,0 +1,46 @@
+name: Bot
+
+on:
+ - workflow_call
+
+permissions:
+ issues: write
+ pull-requests: write
+ repository-projects: write
+
+jobs:
+ dependabot:
+ runs-on: ubuntu-latest
+ if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
+ steps:
+ - name: Dependabot metadata
+ id: metadata
+ uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 # v2.2.0 https://github.com/dependabot/fetch-metadata/commit/dbb049abf0d677abbd7f7eee0375145b417fdd34
+ with:
+ alert-lookup: true
+ compat-lookup: true
+
+ - name: Approve a PR
+ shell: bash
+ run: |
+ gh pr checkout "$PR_URL"
+
+ if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];then
+ gh pr review --approve "$PR_URL"
+ else
+ echo "PR already approved, skipping additional approvals to minimize emails/notification noise.";
+ fi
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+
+ - name: Enable auto-merge for Dependabot PRs
+ if: ${{ steps.metadata.outputs.update-type == 'version-update:semver-patch' }}
+ shell: bash
+ run: gh pr merge --auto --merge "$PR_URL"
+ env:
+ GITHUB_TOKEN: ${{ github.token }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+
+ # todo: raise issue on failure for cron job
+ # todo: update issue on job run failure
diff --git a/.github/workflows/ondemand/cleanup.yml b/.github/workflows/ondemand/cleanup.yml
new file mode 100644
index 0000000..b040a8f
--- /dev/null
+++ b/.github/workflows/ondemand/cleanup.yml
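Review bot: `gh pr merge --auto --merge` needs `contents: write` on top of `pull-requests: write`, and the `permissions` block at the top of `ondemand/bot.yml` grants only `issues`, `pull-requests` and `repository-projects` (the caller's `bot:` job in `cicd.yml` grants the same three), so I expect the auto-merge step to fail with a permission error. Add `contents: write` to both the workflow permissions and the caller's `permissions` for `bot`. Because the job approves and auto-merges every Dependabot patch bump without a human review, it is worth stating above the `dependabot` job that `--auto` only waits for checks marked required in branch protection, e.g. `# auto-merge waits only for required status checks; keep the gate workflows required in branch protection`.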
@@ -0,0 +1,68 @@ +name: Cleanup + +on: + pull_request: + types: + - closed + schedule: + - cron: 30 1 * * 6 + workflow_call: + inputs: + branch: + type: string + description: Branch to cleanup (e.g. refs/pull/1/merge) + default: ${{ github.ref }} + workflow_dispatch: {} + +permissions: read-all + +jobs: + stale: + runs-on: ubuntu-latest + if: ${{ github.event_name == 'schedule' }} + permissions: + contents: write + issues: write + pull-requests: write + steps: + - name: Cleanup stale issues and PRs + uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0 https://github.com/actions/stale/commit/28ca1036281a5e5922ead5184a1bbf96e5fc984e + with: + any-of-labels: needs-more-info,needs-demo + days-before-close: 5 + days-before-pr-close: -1 + days-before-stale: 30 + exempt-all-pr-assignees: true + exempt-all-pr-milestones: true + exempt-issue-milestones: future,alpha,beta + stale-issue-label: no-issue-activity + stale-issue-message: Message to comment on stale issues. If none provided, will not mark issues stale + stale-pr-label: no-pr-activity + stale-pr-message: Message to comment on stale PRs. 
If none provided, will not mark PRs stale + + cache: + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + persist-credentials: false + - name: Cleanup cache + shell: bash + run: ./scripts/delete-gh-actions-cache.sh + if: ${{ github.event_name == 'pull_request' && github.event.action == 'closed' }} + env: + BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REPO: ${{ github.repository }} + - name: Cleanup cache + shell: bash + run: ./scripts/delete-gh-actions-cache.sh + if: ${{ github.event_name != 'pull_request' }} + env: + BRANCH: ${{ inputs.branch || github.ref }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + REPO: ${{ github.repository }} diff --git a/.github/workflows/ondemand/scorecard.yml b/.github/workflows/ondemand/scorecard.yml new file mode 100644 index 0000000..266d2b9 --- /dev/null +++ b/.github/workflows/ondemand/scorecard.yml 
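Review bot: `stale-issue-message` and `stale-pr-message` are set to the action's own input descriptions (`Message to comment on stale issues. If none provided, will not mark issues stale`), so the bot will post that sentence verbatim on real issues and PRs; write real messages, or remove both keys so nothing is marked stale until they exist. The `cache` job grants `contents: write`, but deleting Actions caches through the REST API is governed by the `actions` permission, so `scripts/delete-gh-actions-cache.sh` most likely needs `actions: write` and `contents: write` can go. The two `Cleanup cache` steps share a name and differ only in `if:` and `BRANCH:`; naming them `Cleanup cache (closed PR)` and `Cleanup cache (branch)` makes the skipped one identifiable in the run log.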
@@ -0,0 +1,44 @@
+name: Scorecard
+
+on:
+ workflow_call:
+ inputs:
+ score-card-token:
+ type: string
+ description: GitHub token for Scorecard to use for publishing results
+ publish-results:
+ type: boolean
+ description: Whether to publish results to OpenSSF REST API
+
+permissions:
+ contents: write
+ id-token: write
+ security-events: write
+
+jobs:
+ analysis:
+ runs-on: ubuntu-latest
+ if: ${{ github.ref == 'refs/heads/main' }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+
+ - name: Run analysis
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 https://github.com/ossf/scorecard-action/commit/62b2cac7ed8198b15735ed49ab1e5cf35480ba46
+ with:
+ publish_results: true
+ results_file: results.sarif
+ results_format: sarif
+
+ - name: Upload artifact
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332
+ with:
+ path: results.sarif
+
+ - name: Upload to code-scanning
+ uses: github/codeql-action/upload-sarif@b8efe4dc6ab6d31abe3ec159420d2a4916880800 # v3.26.6 https://github.com/github/codeql-action/commit/b8efe4dc6ab6d31abe3ec159420d2a4916880800
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index cb4147d..0000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: Releases
-
-on:
- push:
- branches:
- - main
-
-permissions: read-all
-
-jobs:
- release:
- uses: labsonline/cicd/.github/workflows/release.yml@6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 # v0.1.4 https://github.com/labsonline/cicd/commit/6e038f38f0819ffec0ea23e23efd8a1a0a4a4537
- permissions:
- contents: write
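Review bot: The `Upload artifact` step in `ondemand/scorecard.yml` uses `actions/checkout` with `path: results.sarif`, which clones the repository into a directory named `results.sarif` over the file the analysis just wrote, so the following `upload-sarif` step points at a directory; this reads as a copy-paste of the checkout pin where `actions/upload-artifact` was meant, e.g. `uses: actions/upload-artifact@<pinned SHA placeholder> # <version>`. The `score-card-token` and `publish-results` inputs are declared but never read — `publish_results: true` is hard-coded — so either wire them (`publish_results: ${{ inputs.publish-results }}`) or drop them. `contents: write` at the workflow level is more than the action documents; `contents: read` with `id-token: write` and `security-events: write` is sufficient.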
diff --git a/.github/workflows/review.yml b/.github/workflows/review.yml new file mode 100644 index 0000000..ce286b2 --- /dev/null +++ b/.github/workflows/review.yml 
@@ -0,0 +1,105 @@ +name: Code Review + +on: + pull_request: + types: + - edited + - opened + - reopened + - synchronize + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} + +permissions: read-all + +jobs: + lint: + runs-on: ubuntu-latest + permissions: + checks: write + contents: read + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + persist-credentials: false + - name: Lint Code Base + uses: github/super-linter@b92721f792f381cedc002ecdbb9847a15ece5bb8 # v7.1.0 https://github.com/super-linter/super-linter/commit/b92721f792f381cedc002ecdbb9847a15ece5bb8 + env: + DEFAULT_BRANCH: main + GITHUB_TOKEN: ${{ github.token }} + VALIDATE_ALL_CODEBASE: false + VALIDATE_BASH: false + VALIDATE_DOCKERFILE_HADOLINT: false # fixme: superlinter not using .hadolint.yaml + VALIDATE_KUBERNETES_KUBECONFORM: false # fixme: enable kubeconform + VALIDATE_YAML_PRETTIER: false # fixme: ignore symlink + - name: Trunk Check + uses: trunk-io/trunk-action@86b68ffae610a05105e90b1f52ad8c549ef482c2 # v1.1.16 https://github.com/trunk-io/trunk-action/commit/86b68ffae610a05105e90b1f52ad8c549ef482c2 + with: + post-annotations: true + + scanning: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + persist-credentials: false + - name: GitGuardian Scan + uses: GitGuardian/ggshield-action@ed817b2930f8dbf32995b6d8bbf65499e6a4e3be # v1.31.0 https://github.com/GitGuardian/ggshield-action/commit/ed817b2930f8dbf32995b6d8bbf65499e6a4e3be + env: + GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} + GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} + 
GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }} + GITHUB_PUSH_BASE_SHA: ${{ github.event.before }} + GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} + # - name: SonarQube Scan + # uses: sonarsource/sonarqube-scan-action@aecaf43ae57e412bd97d70ef9ce6076e672fe0a9 # v3.0.0 https://github.com/SonarSource/sonarqube-scan-action/commit/aecaf43ae57e412bd97d70ef9ce6076e672fe0a9 + # env: + # SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + # SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + review: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + needs: + - lint + - scanning + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + persist-credentials: false + - name: Labeler + uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 https://github.com/actions/labeler/commit/8558fd74291d67161a8a78ce36a881fa63b766a9 + - name: Dependency Review + uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 https://github.com/actions/dependency-review-action/commit/5a2ce3f5b92ee19cbb1541a4984c76d921601d7c + with: + allow-ghsas: none + allow-licenses: Apache-2.0,BSD-2-Clause,BSD-3-Clause,CC0-1.0,GPL-2.0,GPL-3.0,ISC,MIT + deny-packages: empty + fail-on-severity: low + retry-on-snapshot-warnings-timeout: 120 + retry-on-snapshot-warnings: true + + assign: + runs-on: ubuntu-latest + needs: review + permissions: + contents: read + pull-requests: write + steps: + - name: Checkout code + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 https://github.com/actions/checkout/commit/692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + persist-credentials: false + - name: Auto-assign + uses: kentaro-m/auto-assign-action@f4648c0a9fdb753479e9e75fc251f507ce17bb7e # v2.0.0 
https://github.com/kentaro-m/auto-assign-action/commit/f4648c0a9fdb753479e9e75fc251f507ce17bb7e diff --git a/.github/workflows/review.yml.sample b/.github/workflows/review.yml.sample deleted file mode 100644 index 0512eb5..0000000 --- a/.github/workflows/review.yml.sample +++ /dev/null @@ -1,24 +0,0 @@ -name: Review - -on: - pull_request: - types: - - edited - - opened - - reopened - - synchronize - -permissions: read-all - -# Add custom review jobs here -jobs: - review: - runs-on: ubuntu-latest - steps: - - run: echo "This is a review job" - - # The following is required and added automatically (do no add it manually) - # review: - # uses: labsonline/cicd/.github/workflows/review.yml@6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 # v0.1.4 https://github.com/labsonline/cicd/commit/6e038f38f0819ffec0ea23e23efd8a1a0a4a4537 - # permissions: - # pull-requests: write diff --git a/SECURITY.md b/SECURITY.md index 512b510..a0d706c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,8 +2,4 @@ ## Reporting a Vulnerability -<<<<<<< HEAD -[Open an Issue](https://github.com/labsonline/devcontainer/issues/new?assignees=&labels=&template=security.md&title=) to report vulnerability. -======= [Open an Issue](https://github.com/anselmes/devos/issues/new?assignees=&labels=&template=security.md&title=) to report vulnerability. ->>>>>>> main diff --git a/compose-dev.yaml b/compose-dev.yaml index 5dbd60c..a52cc58 100644 --- a/compose-dev.yaml +++ b/compose-dev.yaml @@ -1,6 +1,6 @@ --- services: - devcontainer: + devos: image: ubuntu:22.04 # platform: linux/amd64 # entrypoint: /sbin/init
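Review bot: `allow-ghsas: none` and `deny-packages: empty` in the Dependency Review step feed literal strings into inputs that expect a list of GHSA ids and a list of package URLs; unless the action documents those words as keywords (I do not believe it does), leave both inputs unset instead of passing invalid entries. `GITHUB_PUSH_BASE_SHA` and `GITHUB_PUSH_BEFORE_SHA` read `github.event.before`, a push-payload field that is absent on the `pull_request` events this workflow runs on, so those two lines do nothing here. The super-linter pin names `github/super-linter` while its comment URL points at `super-linter/super-linter`; both should name the same repository so the pinned SHA can be checked against the link.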