updates

evanharmon1 · Feb 2, 2025 · 59aa4b1 · 59aa4b1
1 parent cae5c1a
commit 59aa4b1
Show file tree

Hide file tree

Showing 6 changed files with 114 additions and 16 deletions.
diff --git a/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/release.yml b/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/release.yml
@@ -11,7 +11,7 @@ jobs:
       contents: write
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Fetch all history for versioning
 

diff --git a/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/security.yml b/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/security.yml
@@ -6,7 +6,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - run: echo "Triggered by a ${{ github.event_name }} event."
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       # E.g., to check for my `~/Local/.secret` file
       - name: Custom check for secret files
         run: ./check_for_pattern.sh . "*secret*"
@@ -22,8 +22,66 @@ jobs:
         run: whispers --config test/whisperConfig.yml --severity BLOCKER,CRITICAL . > /tmp/scan_output.json
       # Upload Artifacts
       - name: Upload the scan output
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: scan_results
           path: /tmp/scan_output.json
           retention-days: 7
+  sast-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      # Node.js dependencies scan
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          cache: "npm"
+      - name: Install Node dependencies
+        run: npm ci
+      - name: Run Snyk for Node.js
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test
+          args: >
+            --severity-threshold=high
+            --show-vulnerable-paths=all
+      # Python dependencies scan
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.9"
+      - name: Install Python dependencies
+        run: pip install -r requirements.txt
+      - name: Run Snyk for Python
+        uses: snyk/actions/python@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test
+          args: >
+            --file=requirements.txt
+            --severity-threshold=high
+            --show-vulnerable-paths=all
+  sast-code:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          cache: "npm"
+      - name: Install dependencies
+        run: npm ci
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: code test
+          args: >
+            --severity-threshold=high
+            --json-file-output=snyk-code-test.json
diff --git a/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/validate.yml b/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/validate.yml
@@ -1,8 +1,8 @@
-name: Validate
+name: Validate Code
 run-name: ${{ github.actor }} is running Validate Actions
 on: [pull_request]
 jobs:
-  validate:
+  preCommit:
     runs-on: ubuntu-latest
     steps:
       - run: echo "Triggered by a ${{ github.event_name }} event."
@@ -12,3 +12,14 @@ jobs:
           python-version: 3.9
       - uses: pre-commit/[email protected]
       - uses: pre-commit-ci/[email protected]
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Use Node.js 22
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+      - run: npm ci
+      - run: npm run check
diff --git a/template/README.md.jinja b/template/README.md.jinja
@@ -5,8 +5,12 @@
 Author: {{ author_full_name }}
 
 [![Validate](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/validate.yml/badge.svg)](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/validate.yml)
+[![Build](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/build.yml/badge.svg)](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/build.yml)
 [![Security](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/security.yml/badge.svg)](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/security.yml)
 [![Copier](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/copier-org/copier/master/img/badge/badge-grayscale-inverted-border-orange.json)](https://github.com/copier-org/copier)
+[![Maintained](https://img.shields.io/badge/maintained%3F-yes-brightgreen.svg?style=flat-square)](https://github.com/onwidget)
+[![Contributions Welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat-square)](https://github.com/onwidget/astrowind#contributing)
+[![Known Vulnerabilities](https://snyk.io/test/github/onwidget/astrowind/badge.svg?style=flat-square)](https://snyk.io/test/github/onwidget/astrowind)
 
 ## Setup & Installation
 

diff --git a/template/Taskfile.yml.jinja b/template/Taskfile.yml.jinja
@@ -1,5 +1,5 @@
 # Taskfile for {{ project_name }}
-version: "3"
+version: '3'
 tasks:
   boostrap:
     cmds:
@@ -13,25 +13,50 @@ tasks:
     silent: true
   validate:
     cmds:
-      - pre-commit run --all-files
-      # - shellcheck osConfig/mac/updateMac.sh
-      # - shellcheck osConfig/mac/setupMac.sh
-      # - shellcheck osConfig/mac/configureMacSettings.sh
+      - task: preCommit
+      - task: check
     silent: true
-  pre-commit:
+  preCommit:
     cmds:
       - pre-commit run --all-files
     silent: true
+  check:
+    cmds:
+      - npm run check:astro
+      - npm run check:eslint
+      - cmd: npm run check:prettier
+        # - shellcheck osConfig/mac/updateMac.sh
+        # - shellcheck osConfig/mac/setupMac.sh
+        # - shellcheck osConfig/mac/configureMacSettings.sh
+        ignore_error: true
+    silent: true
+  fix:
+    cmds:
+      - npm run fix
+    silent: true
   security:
+    cmds:
+      - task: secrets
+      - task: sast
+    ignore_error: true
+    silent: true
+  secrets:
     cmds:
       - ./check_for_pattern.sh . "*secret*"
       - whispers --config test/whisperConfig.yml --severity BLOCKER,CRITICAL .
-      - task: snyk
     silent: true
-  snyk:
+  sast:
+    cmds:
+      - task: sast-dependencies
+      - task: sast-code
+    silent: true
+  sast-dependencies:
+    cmds:
+      - snyk test --all-projects
+    silent: true
+  sast-code:
     cmds:
-      - snyk test --file=requirements.txt
-      - snyk test --file=package.json
+      - snyk code test
     silent: true
   ghReleaseInit:
     cmds:

diff --git a/template/test/whisperConfig.yml b/template/test/whisperConfig.yml
@@ -1,6 +1,6 @@
 include:
   files:
-    - "**/*"
+    - '**/*'
 
 exclude:
   files: