diff --git a/.github/workflows/alibabacloud.yml b/.github/workflows/alibabacloud.yml
new file mode 100644
index 0000000..94a15c4
--- /dev/null
+++ b/.github/workflows/alibabacloud.yml
@@ -0,0 +1,122 @@
+# This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR),
+# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the "main" branch.
+#
+# To use this workflow, you will need to complete the following set-up steps:
+#
+# 1. Create an ACR repository to store your container images.
+# You can use ACR EE instance for more security and better performance.
+# For instructions see https://www.alibabacloud.com/help/doc-detail/142168.htm
+#
+# 2. Create an ACK cluster to run your containerized application.
+# You can use ACK Pro cluster for more security and better performance.
+# For instructions see https://www.alibabacloud.com/help/doc-detail/95108.htm
+#
+# 3. Store your AccessKey pair in GitHub Actions secrets named `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET`.
+# For instructions on setting up secrets see: https://developer.github.com/actions/managing-workflows/storing-secrets/
+#
+# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME.
+#
+
+name: Build and Deploy to ACK
+
+on:
+ push:
+ branches: [ "main" ]
+
+# Environment variables available to all jobs and steps in this workflow.
+env:
+ REGION_ID: cn-hangzhou
+ REGISTRY: registry.cn-hangzhou.aliyuncs.com
+ NAMESPACE: namespace
+ IMAGE: repo
+ TAG: ${{ github.sha }}
+ ACK_CLUSTER_ID: clusterID
+ ACK_DEPLOYMENT_NAME: nginx-deployment
+
+ ACR_EE_REGISTRY: myregistry.cn-hangzhou.cr.aliyuncs.com
+ ACR_EE_INSTANCE_ID: instanceID
+ ACR_EE_NAMESPACE: namespace
+ ACR_EE_IMAGE: repo
+ ACR_EE_TAG: ${{ github.sha }}
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ environment: production
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ # 1.1 Login to ACR
+ - name: Login to ACR with the AccessKey pair
+ uses: aliyun/acr-login@v1
+ with:
+ region-id: "${{ env.REGION_ID }}"
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+
+ # 1.2 Build and push image to ACR
+ - name: Build and push image to ACR
+ run: |
+ docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" .
+ docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG"
+
+ # 1.3 Scan image in ACR
+ - name: Scan image in ACR
+ uses: aliyun/acr-scan@v1
+ with:
+ region-id: "${{ env.REGION_ID }}"
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+ repository: "${{ env.NAMESPACE }}/${{ env.IMAGE }}"
+ tag: "${{ env.TAG }}"
+
+ # 2.1 (Optional) Login to ACR EE
+ - uses: actions/checkout@v4
+ - name: Login to ACR EE with the AccessKey pair
+ uses: aliyun/acr-login@v1
+ with:
+ login-server: "https://${{ env.ACR_EE_REGISTRY }}"
+ region-id: "${{ env.REGION_ID }}"
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+ instance-id: "${{ env.ACR_EE_INSTANCE_ID }}"
+
+ # 2.2 (Optional) Build and push image ACR EE
+ - name: Build and push image to ACR EE
+ run: |
+ docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" .
+ docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG"
+ # 2.3 (Optional) Scan image in ACR EE
+ - name: Scan image in ACR EE
+ uses: aliyun/acr-scan@v1
+ with:
+ region-id: "${{ env.REGION_ID }}"
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+ instance-id: "${{ env.ACR_EE_INSTANCE_ID }}"
+ repository: "${{ env.ACR_EE_NAMESPACE}}/${{ env.ACR_EE_IMAGE }}"
+ tag: "${{ env.ACR_EE_TAG }}"
+
+ # 3.1 Set ACK context
+ - name: Set K8s context
+ uses: aliyun/ack-set-context@v1
+ with:
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+ cluster-id: "${{ env.ACK_CLUSTER_ID }}"
+
+ # 3.2 Deploy the image to the ACK cluster
+ - name: Set up Kustomize
+ run: |-
+ curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash /dev/stdin 3.8.6
+ - name: Deploy
+ run: |-
+ ./kustomize edit set image REGISTRY/NAMESPACE/IMAGE:TAG=$REGISTRY/$NAMESPACE/$IMAGE:$TAG
+ ./kustomize build . | kubectl apply -f -
+ kubectl rollout status deployment/$ACK_DEPLOYMENT_NAME
+ kubectl get services -o wide
diff --git a/.github/workflows/apisec-scan.yml b/.github/workflows/apisec-scan.yml
new file mode 100644
index 0000000..a3a8bcb
--- /dev/null
+++ b/.github/workflows/apisec-scan.yml
@@ -0,0 +1,71 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# APIsec addresses the critical need to secure APIs before they reach production.
+# APIsec provides the industryβs only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
+# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.
+
+# How to Get Started with APIsec.ai
+# 1. Schedule a demo at https://www.apisec.ai/request-a-demo .
+#
+# 2. Register your account at https://cloud.apisec.ai/#/signup .
+#
+# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly.
+#
+# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions
+#
+# apisec-run-scan
+#
+# This action triggers the on-demand scans for projects registered in APIsec.
+# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings.
+# Else you can view the scan results from the project home page in APIsec Platform.
+# The link to view the scan results is also displayed on the console on successful completion of action.
+
+# This is a starter workflow to help you get started with APIsec-Scan Actions
+
+name: APIsec
+
+# Controls when the workflow will run
+on:
+ # Triggers the workflow on push or pull request events but only for the "main" branch
+ # Customize trigger events based on your DevSecOps processes.
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '44 8 * * 0'
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+
+permissions:
+ contents: read
+
+jobs:
+
+ Trigger_APIsec_scan:
+ permissions:
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: APIsec scan
+ uses: apisec-inc/apisec-run-scan@025432089674a28ba8fb55f8ab06c10215e772ea
+ with:
+ # The APIsec username with which the scans will be executed
+ apisec-username: ${{ secrets.apisec_username }}
+ # The Password of the APIsec user with which the scans will be executed
+ apisec-password: ${{ secrets.apisec_password}}
+ # The name of the project for security scan
+ apisec-project: "VAmPI"
+ # The name of the sarif format result file The file is written only if this property is provided.
+ sarif-result-file: "apisec-results.sarif"
+ - name: Import results
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ./apisec-results.sarif
diff --git a/.github/workflows/appknox.yml b/.github/workflows/appknox.yml
new file mode 100644
index 0000000..2481c4d
--- /dev/null
+++ b/.github/workflows/appknox.yml
@@ -0,0 +1,54 @@
+# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support documentation.
+#
+# Appknox: Leader in Mobile Application Security Testing Solutions <https://www.appknox.com/>
+#
+# To use this workflow, you must be an existing Appknox customer with GitHub Advanced Security (GHAS) enabled for your
+# repository.
+#
+# If you *are not* an existing customer, click here to contact us for licensing and pricing details:
+# <https://www.appknox.com/free-trial>.
+#
+# Instructions:
+#
+# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the
+# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token
+# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings
+# and create a token labeled GitHub
+#
+# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the
+# action executes, check the 'Security' tab for results
+
+name: Appknox
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+jobs:
+ appknox:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v2
+
+ - name: Grant execute permission for gradlew
+ run: chmod +x gradlew
+
+ - name: Build the app
+ run: ./gradlew build # Update this to build your Android or iOS application
+
+ - name: Appknox GitHub action
+ uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4
+ with:
+ appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }}
+ file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here
+ risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL]
+ sarif: Enable
+
+ - name: Upload SARIF to GHAS
+ if: always()
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: report.sarif
diff --git a/.github/workflows/astro.yml b/.github/workflows/astro.yml
new file mode 100644
index 0000000..54d4be4
--- /dev/null
+++ b/.github/workflows/astro.yml
@@ -0,0 +1,90 @@
+# Sample workflow for building and deploying an Astro site to GitHub Pages
+#
+# To get started with Astro see: https://docs.astro.build/en/getting-started/
+#
+name: Deploy Astro site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+env:
+ BUILD_PATH: "." # default value when not using subfolders
+ # BUILD_PATH: subfolder
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
+ echo "runner=yarn" >> $GITHUB_OUTPUT
+ echo "lockfile=yarn.lock" >> $GITHUB_OUTPUT
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
+ echo "runner=npx --no-install" >> $GITHUB_OUTPUT
+ echo "lockfile=package-lock.json" >> $GITHUB_OUTPUT
+ exit 0
+ else
+ echo "Unable to determine package manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ cache-dependency-path: ${{ env.BUILD_PATH }}/${{ steps.detect-package-manager.outputs.lockfile }}
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v5
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ working-directory: ${{ env.BUILD_PATH }}
+ - name: Build with Astro
+ run: |
+ ${{ steps.detect-package-manager.outputs.runner }} astro build \
+ --site "${{ steps.pages.outputs.origin }}" \
+ --base "${{ steps.pages.outputs.base_path }}"
+ working-directory: ${{ env.BUILD_PATH }}
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: ${{ env.BUILD_PATH }}/dist
+
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ needs: build
+ runs-on: ubuntu-latest
+ name: Deploy
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
diff --git a/.github/workflows/aws.yml b/.github/workflows/aws.yml
new file mode 100644
index 0000000..a8219c4
--- /dev/null
+++ b/.github/workflows/aws.yml
@@ -0,0 +1,94 @@
+# This workflow will build and push a new container image to Amazon ECR,
+# and then will deploy a new task definition to Amazon ECS, when there is a push to the "main" branch.
+#
+# To use this workflow, you will need to complete the following set-up steps:
+#
+# 1. Create an ECR repository to store your images.
+# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`.
+# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name.
+# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region.
+#
+# 2. Create an ECS task definition, an ECS cluster, and an ECS service.
+# For example, follow the Getting Started guide on the ECS console:
+# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun
+# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service.
+# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster.
+#
+# 3. Store your ECS task definition as a JSON file in your repository.
+# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`.
+# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file.
+# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container
+# in the `containerDefinitions` section of the task definition.
+#
+# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`.
+# See the documentation for each action used below for the recommended IAM policies for this IAM user,
+# and best practices on handling the access key credentials.
+
+name: Deploy to Amazon ECS
+
+on:
+ push:
+ branches: [ "main" ]
+
+env:
+ AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1
+ ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name
+ ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name
+ ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name
+ ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition
+ # file, e.g. .aws/task-definition.json
+ CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the
+ # containerDefinitions section of your task definition
+
+permissions:
+ contents: read
+
+jobs:
+ deploy:
+ name: Deploy
+ runs-on: ubuntu-latest
+ environment: production
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: Login to Amazon ECR
+ id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v1
+
+ - name: Build, tag, and push image to Amazon ECR
+ id: build-image
+ env:
+ ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+ IMAGE_TAG: ${{ github.sha }}
+ run: |
+ # Build a docker container and
+ # push it to ECR so that it can
+ # be deployed to ECS.
+ docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
+ docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+ echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+ - name: Fill in the new image ID in the Amazon ECS task definition
+ id: task-def
+ uses: aws-actions/amazon-ecs-render-task-definition@v1
+ with:
+ task-definition: ${{ env.ECS_TASK_DEFINITION }}
+ container-name: ${{ env.CONTAINER_NAME }}
+ image: ${{ steps.build-image.outputs.image }}
+
+ - name: Deploy Amazon ECS task definition
+ uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+ with:
+ task-definition: ${{ steps.task-def.outputs.task-definition }}
+ service: ${{ env.ECS_SERVICE }}
+ cluster: ${{ env.ECS_CLUSTER }}
+ wait-for-service-stability: true
diff --git a/.github/workflows/azure-container-webapp.yml b/.github/workflows/azure-container-webapp.yml
new file mode 100644
index 0000000..8259ede
--- /dev/null
+++ b/.github/workflows/azure-container-webapp.yml
@@ -0,0 +1,86 @@
+# This workflow will build and push a Docker container to an Azure Web App when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure App Service web app.
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-custom-container?tabs=dotnet&pivots=container-linux
+#
+# To configure this workflow:
+#
+# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
+# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
+#
+# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
+# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
+#
+# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions.
+#
+# 4. Create three app settings on your Azure Web app:
+# DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io"
+# DOCKER_REGISTRY_SERVER_USERNAME: Set this to the GitHub username or organization that owns the repository
+# DOCKER_REGISTRY_SERVER_PASSWORD: Set this to the value of your PAT token from the previous step
+#
+# 5. Change the value for the AZURE_WEBAPP_NAME.
+#
+# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
+# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
+
+name: Build and deploy a container to an Azure Web App
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
+
+on:
+ push:
+ branches: [ "main" ]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ - name: Log in to GitHub container registry
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ github.token }}
+
+ - name: Lowercase the repo name and username
+ run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+ - name: Build and push container image to registry
+ uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ with:
+ push: true
+ tags: ghcr.io/${{ env.REPO }}:${{ github.sha }}
+ file: ./Dockerfile
+
+ deploy:
+ permissions:
+ contents: none
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Lowercase the repo name and username
+ run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+ - name: Deploy to Azure Web App
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}'
diff --git a/.github/workflows/azure-functions-app-container.yml b/.github/workflows/azure-functions-app-container.yml
new file mode 100644
index 0000000..aa4a1bd
--- /dev/null
+++ b/.github/workflows/azure-functions-app-container.yml
@@ -0,0 +1,79 @@
+# This workflow will build a container and deploy it to an Azure Functions App on Linux when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure Functions app.
+# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-function-linux-custom-image?tabs=in-process%2Cbash%2Cazure-cli&pivots=programming-language-csharp
+#
+# To configure this workflow:
+# 1. Set up the following secrets in your repository:
+# - AZURE_RBAC_CREDENTIALS
+# - REGISTRY_USERNAME
+# - REGISTRY_PASSWORD
+# 2. Change env variables for your configuration.
+#
+# For more information on:
+# - GitHub Actions for Azure: https://github.com/Azure/Actions
+# - Azure Functions Container Action: https://github.com/Azure/functions-container-action
+# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential
+#
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp
+
+name: Deploy container to Azure Functions App
+
+on:
+ push:
+ branches: ["main"]
+
+permissions:
+ contents: read
+
+env:
+ AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
+ LOGIN_SERVER: 'login-server' # set this to login server for your private container registry (e.g. 'contoso.azurecr.io', 'index.docker.io' )
+ REGISTRY: 'your-registry' # set this to proper value for REGISTRY
+ NAMESPACE: 'your-namespace' # set this to proper value for NAMESPACE
+ IMAGE: 'your-image' # set this to proper value for IMAGE
+ TAG: 'your-tag' # set this to proper value for TAG
+
+jobs:
+ build-and-deploy:
+ runs-on: ubuntu-latest
+ environment: dev
+ steps:
+ - name: 'Checkout GitHub Action'
+ uses: actions/checkout@v4
+
+ - name: 'Login via Azure CLI'
+ uses: azure/login@v1
+ with:
+ creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }}
+
+ - name: 'Docker Login'
+ uses: azure/docker-login@v1
+ with:
+ login-server: ${{ env.LOGIN_SERVER }}
+ username: ${{ secrets.REGISTRY_USERNAME }}
+ password: ${{ secrets.REGISTRY_PASSWORD }}
+
+ - name: 'Compose Customized Docker Image'
+ shell: bash
+ run: |
+ # If your function app project is not located in your repository's root
+ # Please change the path to your directory for docker build
+ docker build . -t ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }}
+ docker push ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }}
+
+ - name: 'Run Azure Functions Container Action'
+ uses: Azure/functions-container-action@v1
+ id: fa
+ with:
+ app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }}
+ image: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }}
+
+ # If you want to display or use the functionapp url, then uncomment the task below
+ #- name: 'Published functionapp url'
+ # run: |
+ # echo "${{ steps.fa.outputs.app-url }}"
+
+ - name: Azure logout
+ run: |
+ az logout
diff --git a/.github/workflows/azure-functions-app-dotnet.yml b/.github/workflows/azure-functions-app-dotnet.yml
new file mode 100644
index 0000000..0f87700
--- /dev/null
+++ b/.github/workflows/azure-functions-app-dotnet.yml
@@ -0,0 +1,62 @@
+# This workflow will build a .NET Core project and deploy it to an Azure Functions App on Windows or Linux when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure Functions app.
+# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-csharp?tabs=in-process
+#
+# To configure this workflow:
+# 1. Set up the following secrets in your repository:
+# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE
+# 2. Change env variables for your configuration.
+#
+# For more information on:
+# - GitHub Actions for Azure: https://github.com/Azure/Actions
+# - Azure Functions Action: https://github.com/Azure/functions-action
+# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended
+# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential
+#
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp
+
+name: Deploy DotNet project to Azure Function App
+
+on:
+ push:
+ branches: ["main"]
+
+env:
+ AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
+ AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root
+ DOTNET_VERSION: '6.0.x' # set this to the dotnet version to use (e.g. '2.1.x', '3.1.x', '5.0.x')
+
+jobs:
+ build-and-deploy:
+ runs-on: windows-latest # For Linux, use ubuntu-latest
+ environment: dev
+ steps:
+ - name: 'Checkout GitHub Action'
+ uses: actions/checkout@v4
+
+ # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below
+ # - name: 'Login via Azure CLI'
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
+
+ - name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment
+ uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: ${{ env.DOTNET_VERSION }}
+
+ - name: 'Resolve Project Dependencies Using Dotnet'
+ shell: pwsh # For Linux, use bash
+ run: |
+ pushd './${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}'
+ dotnet build --configuration Release --output ./output
+ popd
+
+ - name: 'Run Azure Functions Action'
+ uses: Azure/functions-action@v1
+ id: fa
+ with:
+ app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }}
+ package: '${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}/output'
+ publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC
diff --git a/.github/workflows/azure-functions-app-nodejs.yml b/.github/workflows/azure-functions-app-nodejs.yml
new file mode 100644
index 0000000..cb158eb
--- /dev/null
+++ b/.github/workflows/azure-functions-app-nodejs.yml
@@ -0,0 +1,66 @@
+# This workflow will build a Node.js project and deploy it to an Azure Functions App on Windows or Linux when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure Functions app.
+# For instructions see:
+# - https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-node
+# - https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-typescript
+#
+# To configure this workflow:
+# 1. Set up the following secrets in your repository:
+# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE
+# 2. Change env variables for your configuration.
+#
+# For more information on:
+# - GitHub Actions for Azure: https://github.com/Azure/Actions
+# - Azure Functions Action: https://github.com/Azure/functions-action
+# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended
+# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential
+#
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp
+
+name: Deploy Node.js project to Azure Function App
+
+on:
+ push:
+ branches: ["main"]
+
+env:
+ AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
+ AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root
+ NODE_VERSION: '20.x' # set this to the node version to use (e.g. '8.x', '10.x', '12.x')
+
+jobs:
+ build-and-deploy:
+ runs-on: windows-latest # For Linux, use ubuntu-latest
+ environment: dev
+ steps:
+ - name: 'Checkout GitHub Action'
+ uses: actions/checkout@v4
+
+ # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below
+ # - name: 'Login via Azure CLI'
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
+
+ - name: Setup Node ${{ env.NODE_VERSION }} Environment
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ env.NODE_VERSION }}
+
+ - name: 'Resolve Project Dependencies Using Npm'
+ shell: pwsh # For Linux, use bash
+ run: |
+ pushd './${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}'
+ npm install
+ npm run build --if-present
+ npm run test --if-present
+ popd
+
+ - name: 'Run Azure Functions Action'
+ uses: Azure/functions-action@v1
+ id: fa
+ with:
+ app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }}
+ package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+ publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC
diff --git a/.github/workflows/azure-functions-app-powershell.yml b/.github/workflows/azure-functions-app-powershell.yml
new file mode 100644
index 0000000..848994e
--- /dev/null
+++ b/.github/workflows/azure-functions-app-powershell.yml
@@ -0,0 +1,49 @@
+# This workflow will deploy a PowerShell project to an Azure Functions App on Windows or Linux when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure Functions app.
+# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-powershell
+#
+# To configure this workflow:
+# 1. Set up the following secrets in your repository:
+# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE
+# 2. Change env variables for your configuration.
+#
+# For more information on:
+# - GitHub Actions for Azure: https://github.com/Azure/Actions
+# - Azure Functions Action: https://github.com/Azure/functions-action
+# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended
+# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential
+#
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp
+
+name: Deploy PowerShell project to Azure Function App
+
+on:
+ push:
+ branches: ["main"]
+
+env:
+ AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
+ AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root
+
+jobs:
+ build-and-deploy:
+ runs-on: windows-latest # For Linux, use ubuntu-latest
+ environment: dev
+ steps:
+ - name: 'Checkout GitHub Action'
+ uses: actions/checkout@v4
+
+ # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below
+ # - name: 'Login via Azure CLI'
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
+
+ - name: 'Run Azure Functions Action'
+ uses: Azure/functions-action@v1
+ id: fa
+ with:
+ app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }}
+ package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+ publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC
diff --git a/.github/workflows/azure-functions-app-python.yml b/.github/workflows/azure-functions-app-python.yml
new file mode 100644
index 0000000..28ae31f
--- /dev/null
+++ b/.github/workflows/azure-functions-app-python.yml
@@ -0,0 +1,65 @@
+# This workflow will build a Python app and deploy it to an Azure Functions App on Linux when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure Functions app.
+# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-python?pivots=python-mode-configuration
+#
+# To configure this workflow:
+# 1. Set up the following secrets in your repository:
+# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE
+# 2. Change env variables for your configuration.
+#
+# For more information on:
+# - GitHub Actions for Azure: https://github.com/Azure/Actions
+# - Azure Functions Action: https://github.com/Azure/functions-action
+# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended
+# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential
+#
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp
+
+name: Deploy Python project to Azure Function App
+
+on:
+ push:
+ branches: ["main"]
+
+env:
+ AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure
+ AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root
+ PYTHON_VERSION: '3.9' # set this to the python version to use (e.g. '3.6', '3.7', '3.8')
+
+jobs:
+ build-and-deploy:
+ runs-on: ubuntu-latest
+ environment: dev
+ steps:
+ - name: 'Checkout GitHub Action'
+ uses: actions/checkout@v4
+
+ # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below
+ # - name: 'Login via Azure CLI'
+ # uses: azure/login@v1
+ # with:
+ # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository
+
+ - name: Setup Python ${{ env.PYTHON_VERSION }} Environment
+ uses: actions/setup-python@v4
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+
+ - name: 'Resolve Project Dependencies Using Pip'
+ shell: bash
+ run: |
+ pushd './${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}'
+ python -m pip install --upgrade pip
+ pip install -r requirements.txt --target=".python_packages/lib/site-packages"
+ popd
+
+ - name: 'Run Azure Functions Action'
+ uses: Azure/functions-action@v1
+ id: fa
+ with:
+ app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }}
+ package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
+ publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC
+ scm-do-build-during-deployment: true
+ enable-oryx-build: true
diff --git a/.github/workflows/azure-kubernetes-service-kompose.yml b/.github/workflows/azure-kubernetes-service-kompose.yml
new file mode 100644
index 0000000..33bcead
--- /dev/null
+++ b/.github/workflows/azure-kubernetes-service-kompose.yml
@@ -0,0 +1,121 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# The ACR should be attached to the AKS cluster
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
+# Set your dockerComposeFile and kompose-version to suit your configuration.
+# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Kompose
+
+on:
+ push:
+ branches: ["main"]
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v4
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v4
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Use kubelogin to configure your kubeconfig for Azure auth
+ - name: Set up kubelogin for non-interactive login
+ uses: azure/use-kubelogin@v1
+ with:
+ kubelogin-version: 'v0.0.25'
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+ admin: 'false'
+ use-kubelogin: 'true'
+
+ # Runs Kompose to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2
+ with:
+ renderEngine: "kompose"
+ dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }}
+ kompose-version: "latest"
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v4
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
diff --git a/.github/workflows/azure-kubernetes-service-kustomize.yml b/.github/workflows/azure-kubernetes-service-kustomize.yml
new file mode 100644
index 0000000..ac213c2
--- /dev/null
+++ b/.github/workflows/azure-kubernetes-service-kustomize.yml
@@ -0,0 +1,121 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# The ACR should be attached to the AKS cluster
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
+# Set your kustomizationPath and kubectl-version to suit your configuration.
+# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Kustomize
+
+on:
+ push:
+ branches: ["main"]
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ KUSTOMIZE_PATH: "your-kustomize-path"
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v4
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v4
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Use kubelogin to configure your kubeconfig for Azure auth
+ - name: Set up kubelogin for non-interactive login
+ uses: azure/use-kubelogin@v1
+ with:
+ kubelogin-version: 'v0.0.25'
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+ admin: 'false'
+ use-kubelogin: 'true'
+
+ # Runs Kustomize to create manifest files
+ - name: Bake deployment
+ uses: azure/k8s-bake@v2
+ with:
+ renderEngine: "kustomize"
+ kustomizationPath: ${{ env.KUSTOMIZE_PATH }}
+ kubectl-version: latest
+ id: bake
+
+ # Deploys application based on manifest files from previous step
+ - name: Deploy application
+ uses: Azure/k8s-deploy@v4
+ with:
+ action: deploy
+ manifests: ${{ steps.bake.outputs.manifestsBundle }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
diff --git a/.github/workflows/azure-kubernetes-service.yml b/.github/workflows/azure-kubernetes-service.yml
new file mode 100644
index 0000000..1ff5b6b
--- /dev/null
+++ b/.github/workflows/azure-kubernetes-service.yml
@@ -0,0 +1,108 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# The ACR should be attached to the AKS cluster
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS
+
+on:
+ push:
+ branches: ["main"]
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ DEPLOYMENT_MANIFEST_PATH: "your-deployment-manifest-path"
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v4
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+
+ deploy:
+ permissions:
+ actions: read
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ needs: [buildImage]
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v4
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Use kubelogin to configure your kubeconfig for Azure auth
+ - name: Set up kubelogin for non-interactive login
+ uses: azure/use-kubelogin@v1
+ with:
+ kubelogin-version: 'v0.0.25'
+
+ # Retrieves your Azure Kubernetes Service cluster's kubeconfig file
+ - name: Get K8s context
+ uses: azure/aks-set-context@v3
+ with:
+ resource-group: ${{ env.RESOURCE_GROUP }}
+ cluster-name: ${{ env.CLUSTER_NAME }}
+ admin: 'false'
+ use-kubelogin: 'true'
+
+ # Deploys application based on given manifest file
+ - name: Deploys application
+ uses: Azure/k8s-deploy@v4
+ with:
+ action: deploy
+ manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }}
+ images: |
+ ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }}
diff --git a/.github/workflows/azure-staticwebapp.yml b/.github/workflows/azure-staticwebapp.yml
new file mode 100644
index 0000000..185018e
--- /dev/null
+++ b/.github/workflows/azure-staticwebapp.yml
@@ -0,0 +1,70 @@
+# This workflow will build and push a web application to an Azure Static Web App when you change your code.
+#
+# This workflow assumes you have already created the target Azure Static Web App.
+# For instructions see https://docs.microsoft.com/azure/static-web-apps/get-started-portal?tabs=vanilla-javascript
+#
+# To configure this workflow:
+#
+# 1. Set up a secret in your repository named AZURE_STATIC_WEB_APPS_API_TOKEN with the value of your Static Web Apps deployment token.
+# For instructions on obtaining the deployment token see: https://docs.microsoft.com/azure/static-web-apps/deployment-token-management
+#
+# 3. Change the values for the APP_LOCATION, API_LOCATION and APP_ARTIFACT_LOCATION, AZURE_STATIC_WEB_APPS_API_TOKEN environment variables (below).
+# For instructions on setting up the appropriate configuration values go to https://docs.microsoft.com/azure/static-web-apps/front-end-frameworks
+name: Deploy web app to Azure Static Web Apps
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ types: [opened, synchronize, reopened, closed]
+ branches: [ "main" ]
+
+# Environment variables available to all jobs and steps in this workflow
+env:
+ APP_LOCATION: "/" # location of your client code
+ API_LOCATION: "api" # location of your api source code - optional
+ APP_ARTIFACT_LOCATION: "build" # location of client code build output
+ AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app
+
+permissions:
+ contents: read
+
+jobs:
+ build_and_deploy_job:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs
+ if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
+ runs-on: ubuntu-latest
+ name: Build and Deploy Job
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ submodules: true
+ - name: Build And Deploy
+ id: builddeploy
+ uses: Azure/static-web-apps-deploy@v1
+ with:
+ azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app
+ repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments)
+ action: "upload"
+ ###### Repository/Build Configurations - These values can be configured to match you app requirements. ######
+ # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig
+ app_location: ${{ env.APP_LOCATION }}
+ api_location: ${{ env.API_LOCATION }}
+ app_artifact_location: ${{ env.APP_ARTIFACT_LOCATION }}
+ ###### End of Repository/Build Configurations ######
+
+ close_pull_request_job:
+ permissions:
+ contents: none
+ if: github.event_name == 'pull_request' && github.event.action == 'closed'
+ runs-on: ubuntu-latest
+ name: Close Pull Request Job
+ steps:
+ - name: Close Pull Request
+ id: closepullrequest
+ uses: Azure/static-web-apps-deploy@v1
+ with:
+ azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app
+ action: "close"
diff --git a/.github/workflows/azure-webapps-java-jar.yml b/.github/workflows/azure-webapps-java-jar.yml
new file mode 100644
index 0000000..4f48af1
--- /dev/null
+++ b/.github/workflows/azure-webapps-java-jar.yml
@@ -0,0 +1,79 @@
+# This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure App Service web app.
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-java?tabs=javase&pivots=platform-linux
+#
+# To configure this workflow:
+#
+# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
+# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
+#
+# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
+# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
+#
+# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the JAVA_VERSION environment variable below.
+#
+# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
+# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
+
+name: Build and deploy JAR app to Azure Web App
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
+ JAVA_VERSION: '11' # set this to the Java version to use
+ DISTRIBUTION: zulu # set this to the Java distribution
+
+on:
+ push:
+ branches: [ "main" ]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Java version
+ uses: actions/setup-java@v4
+ with:
+ java-version: ${{ env.JAVA_VERSION }}
+ distribution: ${{ env.DISTRIBUTION }}
+ cache: 'maven'
+
+ - name: Build with Maven
+ run: mvn clean install
+
+ - name: Upload artifact for deployment job
+ uses: actions/upload-artifact@v3
+ with:
+ name: java-app
+ path: '${{ github.workspace }}/target/*.jar'
+
+ deploy:
+ permissions:
+ contents: none
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Download artifact from build job
+ uses: actions/download-artifact@v3
+ with:
+ name: java-app
+
+ - name: Deploy to Azure Web App
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ package: '*.jar'
diff --git a/.github/workflows/azure-webapps-node.yml b/.github/workflows/azure-webapps-node.yml
new file mode 100644
index 0000000..ac864be
--- /dev/null
+++ b/.github/workflows/azure-webapps-node.yml
@@ -0,0 +1,78 @@
+# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure App Service web app.
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli
+#
+# To configure this workflow:
+#
+# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
+# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
+#
+# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
+# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
+#
+# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables below.
+#
+# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
+# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
+
+on:
+ push:
+ branches: [ "main" ]
+ workflow_dispatch:
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to your application's name
+ AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
+ NODE_VERSION: '20.x' # set this to the node version to use
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ env.NODE_VERSION }}
+ cache: 'npm'
+
+ - name: npm install, build, and test
+ run: |
+ npm install
+ npm run build --if-present
+ npm run test --if-present
+
+ - name: Upload artifact for deployment job
+ uses: actions/upload-artifact@v3
+ with:
+ name: node-app
+ path: .
+
+ deploy:
+ permissions:
+ contents: none
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Download artifact from build job
+ uses: actions/download-artifact@v3
+ with:
+ name: node-app
+
+ - name: 'Deploy to Azure WebApp'
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
+ package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }}
diff --git a/.github/workflows/azure-webapps-python.yml b/.github/workflows/azure-webapps-python.yml
new file mode 100644
index 0000000..e5c1864
--- /dev/null
+++ b/.github/workflows/azure-webapps-python.yml
@@ -0,0 +1,86 @@
+# This workflow will build and push a Python application to an Azure Web App when a commit is pushed to your default branch.
+#
+# This workflow assumes you have already created the target Azure App Service web app.
+# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-python?tabs=bash&pivots=python-framework-flask
+#
+# To configure this workflow:
+#
+# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal.
+# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials
+#
+# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret.
+# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret
+#
+# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the PYTHON_VERSION environment variables below.
+#
+# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions
+# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
+# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples
+
+name: Build and deploy Python app to Azure Web App
+
+env:
+ AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App
+ PYTHON_VERSION: '3.8' # set this to the Python version to use
+
+on:
+ push:
+ branches: [ "main" ]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set up Python version
+ uses: actions/setup-python@v3.0.0
+ with:
+ python-version: ${{ env.PYTHON_VERSION }}
+ cache: 'pip'
+
+ - name: Create and start virtual environment
+ run: |
+ python -m venv venv
+ source venv/bin/activate
+
+ - name: Install dependencies
+ run: pip install -r requirements.txt
+
+ # Optional: Add step to run tests here (PyTest, Django test suites, etc.)
+
+ - name: Upload artifact for deployment jobs
+ uses: actions/upload-artifact@v3
+ with:
+ name: python-app
+ path: |
+ .
+ !venv/
+
+ deploy:
+ permissions:
+ contents: none
+ runs-on: ubuntu-latest
+ needs: build
+ environment:
+ name: 'Development'
+ url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
+
+ steps:
+ - name: Download artifact from build job
+ uses: actions/download-artifact@v3
+ with:
+ name: python-app
+ path: .
+
+ - name: 'Deploy to Azure Web App'
+ id: deploy-to-webapp
+ uses: azure/webapps-deploy@v2
+ with:
+ app-name: ${{ env.AZURE_WEBAPP_NAME }}
+ publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
new file mode 100644
index 0000000..1d0dabc
--- /dev/null
+++ b/.github/workflows/bandit.yml
@@ -0,0 +1,52 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Bandit is a security linter designed to find common security issues in Python code.
+# This action will run Bandit on your codebase.
+# The results of the scan will be found under the Security tab of your repository.
+
+# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname
+# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA
+
+name: Bandit
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '24 20 * * 3'
+
+jobs:
+ bandit:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Bandit Scan
+ uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c
+ with: # optional arguments
+ # exit with 0, even with results found
+ exit_zero: true # optional, default is DEFAULT
+ # Github token of the repository (automatically created by Github)
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information.
+ # File or directory to run bandit on
+ # path: # optional, default is .
+ # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+ # level: # optional, default is UNDEFINED
+ # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything)
+ # confidence: # optional, default is UNDEFINED
+ # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg)
+ # excluded_paths: # optional, default is DEFAULT
+ # comma-separated list of test IDs to skip
+ # skips: # optional, default is DEFAULT
+ # path to a .bandit file that supplies command line arguments
+ # ini_path: # optional, default is DEFAULT
+
diff --git a/.github/workflows/checkmarx-one.yml b/.github/workflows/checkmarx-one.yml
new file mode 100644
index 0000000..16b78a3
--- /dev/null
+++ b/.github/workflows/checkmarx-one.yml
@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow.
+# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository
+# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling
+# scan customization using the full functionality and flexibility of the CLI tool.
+
+# This is a basic workflow to help you get started with Using Checkmarx One Action,
+# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html
+
+name: Checkmarx Scan
+
+# Controls when the workflow will run
+on:
+ pull_request:
+ types: [opened, reopened, synchronize]
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "build"
+ build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif
+
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # This step checks out a copy of your repository.
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ # This step creates the Checkmarx One scan
+ - name: Checkmarx One scan
+ uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc
+ with:
+ base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One
+ cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
+ cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
+ cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
+ additional_params: --report-format sarif --output-path .
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: cx_result.sarif
diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml
new file mode 100644
index 0000000..eaa0c6a
--- /dev/null
+++ b/.github/workflows/checkmarx.yml
@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action
+
+name: CxFlow
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '18 7 * * 0'
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action
+permissions:
+ contents: read
+
+jobs:
+ # This workflow contains a single job called "build"
+ build:
+ # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
+ pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+
+ # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)
+ steps:
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+ - uses: actions/checkout@v4
+ # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs
+ - name: Checkmarx CxFlow Action
+ uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe
+ with:
+ project: ${{ secrets.CHECKMARX_PROJECT }}
+ team: ${{ secrets.CHECKMARX_TEAMS }}
+ checkmarx_url: ${{ secrets.CHECKMARX_URL }}
+ checkmarx_username: ${{ secrets.CHECKMARX_USERNAME }}
+ checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }}
+ checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }}
+ scanners: sast
+ params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }}
+ # Upload the Report for CodeQL/Security Alerts
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: cx.sarif
diff --git a/.github/workflows/clojure.yml b/.github/workflows/clojure.yml
new file mode 100644
index 0000000..5894814
--- /dev/null
+++ b/.github/workflows/clojure.yml
@@ -0,0 +1,19 @@
+name: Clojure CI
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install dependencies
+ run: lein deps
+ - name: Run tests
+ run: lein test
diff --git a/.github/workflows/cmake-single-platform.yml b/.github/workflows/cmake-single-platform.yml
new file mode 100644
index 0000000..0ac33d9
--- /dev/null
+++ b/.github/workflows/cmake-single-platform.yml
@@ -0,0 +1,39 @@
+# This starter workflow is for a CMake project running on a single platform. There is a different starter workflow if you need cross-platform coverage.
+# See: https://github.com/actions/starter-workflows/blob/main/ci/cmake-multi-platform.yml
+name: CMake on a single platform
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+env:
+ # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.)
+ BUILD_TYPE: Release
+
+jobs:
+ build:
+ # The CMake configure and build commands are platform agnostic and should work equally well on Windows or Mac.
+ # You can convert this to a matrix build if you need cross-platform coverage.
+ # See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Configure CMake
+ # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
+ # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type
+ run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}}
+
+ - name: Build
+ # Build your program with the given configuration
+ run: cmake --build ${{github.workspace}}/build --config ${{env.BUILD_TYPE}}
+
+ - name: Test
+ working-directory: ${{github.workspace}}/build
+ # Execute tests defined by the CMake configuration.
+ # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail
+ run: ctest -C ${{env.BUILD_TYPE}}
+
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
new file mode 100644
index 0000000..69dd906
--- /dev/null
+++ b/.github/workflows/codacy.yml
@@ -0,0 +1,61 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, performs a Codacy security scan
+# and integrates the results with the
+# GitHub Advanced Security code scanning feature. For more information on
+# the Codacy security scan action usage and parameters, see
+# https://github.com/codacy/codacy-analysis-cli-action.
+# For more information on Codacy Analysis CLI in general, see
+# https://github.com/codacy/codacy-analysis-cli.
+
+name: Codacy Security Scan
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '37 4 * * 5'
+
+permissions:
+ contents: read
+
+jobs:
+ codacy-security-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: Codacy Security Scan
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
+ - name: Run Codacy Analysis CLI
+ uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b
+ with:
+ # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository
+ # You can also omit the token and run the tools that support default configurations
+ project-token: ${{ secrets.CODACY_PROJECT_TOKEN }}
+ verbose: true
+ output: results.sarif
+ format: sarif
+ # Adjust severity of non-security issues
+ gh-code-scanning-compat: true
+ # Force 0 exit code to allow SARIF file generation
+ # This will handover control about PR rejection to the GitHub side
+ max-allowed-issues: 2147483647
+
+ # Upload the SARIF file generated in the previous step
+ - name: Upload SARIF results file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..04406a3
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,92 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '18 1 * * 5'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: python
+ build-mode: none
+ # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ # If the analyze step fails for one of the languages you are analyzing with
+ # "We were unable to automatically build your code", modify the matrix above
+ # to set the build mode to "manual" for that language. Then modify this step
+ # to build your code.
+ # βΉοΈ Command-line programs to run using the OS shell.
+ # π See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+ - if: matrix.build-mode == 'manual'
+ shell: bash
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \
+ 'languages you are analyzing, replace this with the commands to build' \
+ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/codescan.yml b/.github/workflows/codescan.yml
new file mode 100644
index 0000000..401e649
--- /dev/null
+++ b/.github/workflows/codescan.yml
@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow requires that you have an existing account with codescan.io
+# For more information about configuring your workflow,
+# read our documentation at https://github.com/codescan-io/codescan-scanner-action
+name: CodeScan
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '25 22 * * 0'
+
+permissions:
+ contents: read
+
+jobs:
+ CodeScan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Cache files
+ uses: actions/cache@v3
+ with:
+ path: |
+ ~/.sonar
+ key: ${{ runner.os }}-sonar
+ restore-keys: ${{ runner.os }}-sonar
+ - name: Run Analysis
+ uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12
+ with:
+ login: ${{ secrets.CODESCAN_AUTH_TOKEN }}
+ organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
+ projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: codescan.sarif
diff --git a/.github/workflows/crda.yml b/.github/workflows/crda.yml
new file mode 100644
index 0000000..816db83
--- /dev/null
+++ b/.github/workflows/crda.yml
@@ -0,0 +1,126 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow performs a static analysis of your source code using
+# Red Hat CodeReady Dependency Analytics.
+
+# Scans are triggered:
+# 1. On every push to default and protected branches
+# 2. On every Pull Request targeting the default branch
+# 3. On a weekly schedule
+# 4. Manually, on demand, via the "workflow_dispatch" event
+
+# π The CRDA Starter workflow will:
+# - Checkout your repository
+# - Setup the required tool stack
+# - Install the CRDA command line tool
+# - Auto detect the manifest file and install the project's dependencies
+# - Perform the security scan using CRDA
+# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab
+# - Optionally upload the SARIF file as an artifact for the future reference
+
+# βΉοΈ Configure your repository and the workflow with the following steps:
+# 1. Setup the tool stack based on the project's requirement.
+# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack
+# 2. (Optional) CRDA action attempt to detect the language and install the
+# required dependencies for your project. If your project doesn't aligns
+# with the default dependency installation command mentioned here
+# https://github.com/redhat-actions/crda/#3-installing-dependencies.
+# Use the required inputs to setup the same
+# 3. (Optional) CRDA action attempts to detect the manifest file if it is
+# present in the root of the project and named as per the default mentioned
+# here https://github.com/redhat-actions/crda/#3-installing-dependencies.
+# If it deviates from the default, use the required inputs to setup the same
+# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN.
+# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication
+# 5. (Optional) Upload SARIF file as an Artifact to download and view
+# 6. Commit and push the workflow file to your default branch to trigger a workflow run.
+
+# π Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback.
+
+name: CRDA Scan
+
+# Controls when the workflow will run
+on:
+ # TODO: Customize trigger events based on your DevSecOps processes
+ #
+ # This workflow is made to run with OpenShift starter workflow
+ # https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml
+ # However, if you want to run this workflow as a standalone workflow, please
+ # uncomment the 'push' trigger below and configure it based on your requirements.
+ #
+ workflow_call:
+ secrets:
+ CRDA_KEY:
+ required: false
+ SNYK_TOKEN:
+ required: false
+ workflow_dispatch:
+
+ # push:
+ # branches: [ "main" ]
+
+ # pull_request_target is used to securely share secret to the PR's workflow run.
+ # For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
+ pull_request_target:
+ branches: [ "main" ]
+ types: [ assigned, opened, synchronize, reopened, labeled, edited ]
+
+permissions:
+ contents: read
+
+jobs:
+ crda-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for redhat-actions/crda to upload SARIF results
+ name: Scan project vulnerabilities with CRDA
+ runs-on: ubuntu-20.04
+ steps:
+
+ - name: Check out repository
+ uses: actions/checkout@v2
+
+ # *******************************************************************
+ # Required: Instructions to setup project
+ # 1. Setup Go, Java, Node.js or Python depending on your project type
+ # 2. Setup Actions are listed below, choose one from them:
+ # - Go: https://github.com/actions/setup-go
+ # - Java: https://github.com/actions/setup-java
+ # - Node.js: https://github.com/actions/setup-node
+ # - Python: https://github.com/actions/setup-python
+ #
+ # Example:
+ # - name: Setup Node
+ # uses: actions/setup-node@v4
+ # with:
+ # node-version: '20'
+
+ # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md
+ - name: Install CRDA CLI
+ uses: redhat-actions/openshift-tools-installer@v1
+ with:
+ source: github
+ github_pat: ${{ github.token }}
+ # Choose the desired version of the CRDA CLI
+ crda: "latest"
+
+ ######################################################################################
+ # https://github.com/redhat-actions/crda/blob/main/README.md
+ #
+ # By default, CRDA will detect the manifest file and install the required dependencies
+ # using the standard command for the project type.
+ # If your project doesn't aligns with the defaults mentioned in this action, you will
+ # need to set few inputs that are described here:
+ # https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies
+ # Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand
+ # process to get a SNYK_TOKEN or a CRDA_KEY
+ - name: CRDA Scan
+ id: scan
+ uses: redhat-actions/crda@v1
+ with:
+ crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token
+ # snyk_token: ${{ secrets.SNYK_TOKEN }}
+ # upload_artifact: false # Set this to false to skip artifact upload
diff --git a/.github/workflows/crunch42.yml b/.github/workflows/crunch42.yml
new file mode 100644
index 0000000..ad789b0
--- /dev/null
+++ b/.github/workflows/crunch42.yml
@@ -0,0 +1,58 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow locates REST API file contracts (Swagger or OpenAPI format, v2 and v3, JSON and YAML)
+# and runs 300+ security checks on them using 42Crunch Security Audit technology to uncover
+# potential vulnerabilities related to authentication, authorization as well as data validation.
+#
+# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
+#
+# To use this workflow, you need a 42Crunch platform account. If you do not have one, you can contact us
+# from this page: https://42crunch.com/request-demo.
+#
+# 1. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
+# to create an API Token on the 42Crunch platform
+#
+# 2. Create an secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
+# and store the 42Crunch API Token in that secret. Expected default is API_TOKEN (see the api-token property in the task).
+#
+# If you have any questions or need help, open an issue at: https://support.42crunch.com.
+
+name: "42Crunch REST API Static Security Testing"
+
+# follow standard Code Scanning triggers
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '20 20 * * 4'
+
+permissions:
+ contents: read
+
+jobs:
+ rest-api-static-security-testing:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: 42Crunch REST API Static Security Testing
+ uses: 42Crunch/api-security-audit-action@fc01ea7a89e6268875868f9d89598af7a9899ae0
+ with:
+ # Please create free account at https://platform.42crunch.com/register
+ # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm
+ api-token: ${{ secrets.API_TOKEN }}
+ # Fail if any OpenAPI file scores lower than 75
+ min-score: 75
+ # Upload results to Github code scanning
+ upload-to-code-scanning: true
+ # Github token for uploading the results
+ github-token: ${{ github.token }}
diff --git a/.github/workflows/datree.yml b/.github/workflows/datree.yml
new file mode 100644
index 0000000..539626a
--- /dev/null
+++ b/.github/workflows/datree.yml
@@ -0,0 +1,47 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which checks out your code and scans your desired k8s config files for misconfigurations using the Datree CLI.
+# The results are then uploaded to GitHub Security Code Scanning.
+#
+# For more information and configurations options, see https://github.com/datreeio/action-datree/
+
+name: Datree
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+jobs:
+ datree:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Run Datree policy check
+ continue-on-error: true
+ uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a
+ env:
+ # In order to use the Datree action you will need to have a Datree token.
+ # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token.
+ DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
+ with:
+ # Add the path to the configuration file/s that you would like to test.
+ # See https://github.com/datreeio/action-datree#usage for all available options.
+ path: test-file.yaml
+ # Setting a SARIF output will generate a file named "datree.sarif" containing your test results
+ cliArguments: "-o sarif"
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: datree.sarif
diff --git a/.github/workflows/debricked.yml b/.github/workflows/debricked.yml
new file mode 100644
index 0000000..79b0a07
--- /dev/null
+++ b/.github/workflows/debricked.yml
@@ -0,0 +1,43 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+#####################################################################################################################################################################
+# Use this workflow template as a basis for integrating Debricked into your GitHub workflows. #
+# #
+# If you need additional assistance with configuration feel free to contact us via chat or email at support@debricked.com #
+# To learn more about Debricked or contact our team, visit https://debricked.com/ #
+# #
+# To run this workflow, complete the following set-up steps: #
+# #
+# 1. If you donβt have a Debricked account, create one by visiting https://debricked.com/app/en/register #
+# 2. Generate your Debricked access token, by following the steps mentioned in https://portal.debricked.com/administration-47/how-do-i-generate-an-access-token-130 #
+# 3. In GitHub, navigate to the repository #
+# 4. Click on βSettingsβ (If you cannot see the βSettingsβ tab, select the dropdown menu, then click βSettingsβ) #
+# 5. In the βSecurityβ section click on βSecrets and variablesβ, then click βActionsβ #
+# 6. In the βSecretsβ tab, click on βNew repository secretβ #
+# 7. In the βNameβ field, type the name of the secret #
+# 8. In the βSecretβ field, enter the value of the secret #
+# 9. Click βAdd secretβ #
+# 10. You should now be ready to use the workflow! #
+#####################################################################################################################################################################
+
+name: Debricked Scan
+
+on:
+ push:
+
+permissions:
+ contents: read
+
+jobs:
+ vulnerabilities-scan:
+ name: Vulnerabilities scan
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: debricked/actions@v3
+ env:
+ DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }}
diff --git a/.github/workflows/defender-for-devops.yml b/.github/workflows/defender-for-devops.yml
new file mode 100644
index 0000000..9dd9867
--- /dev/null
+++ b/.github/workflows/defender-for-devops.yml
@@ -0,0 +1,47 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle.
+# MSDO installs, configures and runs the latest versions of static analysis tools
+# (including, but not limited to, SDL/security and compliance tools).
+#
+# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue,
+# as well as Windows self hosted agents. ubuntu-latest support coming soon.
+#
+# For more information about the action , check out https://github.com/microsoft/security-devops-action
+#
+# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration
+# and provide permission before this can report data back to azure.
+# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github
+
+name: "Microsoft Defender For Devops"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '39 8 * * 6'
+
+jobs:
+ MSDO:
+ # currently only windows latest is supported
+ runs-on: windows-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-dotnet@v4
+ with:
+ dotnet-version: |
+ 5.0.x
+ 6.0.x
+ - name: Run Microsoft Security DevOps
+ uses: microsoft/security-devops-action@v1.6.0
+ id: msdo
+ - name: Upload results to Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.msdo.outputs.sarifFile }}
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 0000000..d19e21b
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,39 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable
+# packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency review'
+on:
+ pull_request:
+ branches: [ "main" ]
+
+# If using a dependency submission action in this workflow this permission will need to be set to:
+#
+# permissions:
+# contents: write
+#
+# https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api
+permissions:
+ contents: read
+ # Write permissions for pull-requests are required for using the `comment-summary-in-pr` option, comment out if you aren't using this option
+ pull-requests: write
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout repository'
+ uses: actions/checkout@v4
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
+ # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
+ with:
+ comment-summary-in-pr: always
+ # fail-on-severity: moderate
+ # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later
+ # retry-on-snapshot-warnings: true
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
new file mode 100644
index 0000000..600e08c
--- /dev/null
+++ b/.github/workflows/devskim.yml
@@ -0,0 +1,34 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: DevSkim
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '31 19 * * 3'
+
+jobs:
+ lint:
+ name: DevSkim
+ runs-on: ubuntu-20.04
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run DevSkim scanner
+ uses: microsoft/DevSkim-Action@v1
+
+ - name: Upload DevSkim scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: devskim-results.sarif
diff --git a/.github/workflows/django.yml b/.github/workflows/django.yml
new file mode 100644
index 0000000..9766b45
--- /dev/null
+++ b/.github/workflows/django.yml
@@ -0,0 +1,30 @@
+name: Django CI
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ strategy:
+ max-parallel: 4
+ matrix:
+ python-version: [3.7, 3.8, 3.9]
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v3
+ with:
+ python-version: ${{ matrix.python-version }}
+ - name: Install Dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install -r requirements.txt
+ - name: Run Tests
+ run: |
+ python manage.py test
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000..a960702
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,98 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+ schedule:
+ - cron: '25 0 * * *'
+ push:
+ branches: [ "main" ]
+ # Publish semver tags as releases.
+ tags: [ 'v*.*.*' ]
+ pull_request:
+ branches: [ "main" ]
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as <account>/<repo>
+ IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Install the cosign tool except on PR
+ # https://github.com/sigstore/cosign-installer
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
+ with:
+ cosign-release: 'v2.2.4'
+
+ # Set up BuildKit Docker container builder to be able to build
+ # multi-platform images and export cache
+ # https://github.com/docker/setup-buildx-action
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ # Login against a Docker registry except on PR
+ # https://github.com/docker/login-action
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ # Sign the resulting Docker image digest except on PRs.
+ # This will only write to the public Rekor transparency log when the Docker
+ # repository is public to avoid leaking data. If you would like to publish
+ # transparency data even for private images, pass --force to cosign below.
+ # https://github.com/sigstore/cosign
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/.github/workflows/endorlabs.yml b/.github/workflows/endorlabs.yml
new file mode 100644
index 0000000..1364a8f
--- /dev/null
+++ b/.github/workflows/endorlabs.yml
@@ -0,0 +1,51 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Endor Labs
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '33 2 * * 1'
+jobs:
+ scan:
+ permissions:
+ security-events: write # Used to upload sarif artifact to GitHub
+ contents: read # Used to checkout a private repository by actions/checkout.
+ actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required.
+ id-token: write # Used for keyless authentication to Endor Labs
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ #### Package Build Instructions
+ ### Use this section to define the build steps used by your software package.
+ ### Endor Labs builds your software for you where possible but the required build tools must be made available.
+ # - name: Setup Java
+ # uses: actions/setup-java@v4
+ # with:
+ # distribution: 'microsoft'
+ # java-version: '17'
+ # - name: Build Package
+ # run: mvn clean install
+ - name: Endor Labs scan pull request
+ if: github.event_name == 'pull_request'
+ uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c
+ with:
+ namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
+ sarif_file: findings.sarif
+ - name: Endor Labs scan monitor
+ if: github.event_name == 'push'
+ uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c
+ with:
+ namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
+ ci_run: "false"
+ sarif_file: findings.sarif
+ - name: Upload SARIF to github
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: findings.sarif
diff --git a/.github/workflows/ethicalcheck.yml b/.github/workflows/ethicalcheck.yml
new file mode 100644
index 0000000..1df9efd
--- /dev/null
+++ b/.github/workflows/ethicalcheck.yml
@@ -0,0 +1,69 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# EthicalCheck addresses the critical need to continuously security test APIs in development and in production.
+
+# EthicalCheck provides the industryβs only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.
+# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities.
+
+# You develop the application and API, we bring complete and continuous security testing to you, accelerating development.
+
+# Know your API and Applications are secure with EthicalCheck β our free & automated API security testing service.
+
+# How EthicalCheck works?
+# EthicalCheck functions in the following simple steps.
+# 1. Security Testing.
+# Provide your OpenAPI specification or start with a public Postman collection URL.
+# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing.
+# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc.
+
+# 2. Reporting.
+# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities.
+# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging.
+
+
+# This is a starter workflow to help you get started with EthicalCheck Actions
+
+name: EthicalCheck-Workflow
+
+# Controls when the workflow will run
+on:
+ # Triggers the workflow on push or pull request events but only for the "main" branch
+ # Customize trigger events based on your DevSecOps processes.
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '29 8 * * 5'
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ Trigger_EthicalCheck:
+ permissions:
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: EthicalCheck Free & Automated API Security Testing Service
+ uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641
+ with:
+ # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL.
+ oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs"
+ # The email address to which the penetration test report will be sent.
+ email: "xxx@apisec.ai"
+ sarif-result-file: "ethicalcheck-results.sarif"
+
+ - name: Upload sarif file to repository
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ./ethicalcheck-results.sarif
+
diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml
new file mode 100644
index 0000000..d4872a6
--- /dev/null
+++ b/.github/workflows/fortify.yml
@@ -0,0 +1,84 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+################################################################################################################################################
+# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your #
+# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. #
+# #
+# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template #
+# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security #
+# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product #
+# documentation. If you need additional assistance, please contact Fortify support. #
+################################################################################################################################################
+
+name: Fortify AST Scan
+
+# Customize trigger events based on your DevSecOps process and/or policy
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '44 7 * * 4'
+ workflow_dispatch:
+
+jobs:
+ Fortify-AST-Scan:
+ # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc).
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ steps:
+ # Check out source code
+ - name: Check Out Source Code
+ uses: actions/checkout@v4
+
+ # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner.
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ java-version: 17
+ distribution: 'temurin'
+
+ # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then
+ # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is
+ # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools
+ # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for
+ # details.
+ - name: Run FoD SAST Scan
+ uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418
+ with:
+ sast-scan: true
+ env:
+ ### Required configuration when integrating with Fortify on Demand
+ FOD_URL: https://ams.fortify.com
+ FOD_TENANT: ${{secrets.FOD_TENANT}}
+ FOD_USER: ${{secrets.FOD_USER}}
+ FOD_PASSWORD: ${{secrets.FOD_PAT}}
+ ### Optional configuration when integrating with Fortify on Demand
+ # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if
+ # Debricked SCA scan is enabled on Fortify on Demand
+ # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options
+ # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: <org>/<repo>:<branch>; may
+ # replace app+release name with numeric release ID
+ # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
+ # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
+ ### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
+ # SSC_URL: ${{secrets.SSC_URL}} # SSC URL
+ # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken
+ # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token
+ # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan;
+ # usually defined as organization or repo variable
+ ### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral
+ # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options
+ # SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: <org>/<repo>:<branch>
+ # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options
+ # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true'
+ # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard
diff --git a/.github/workflows/gatsby.yml b/.github/workflows/gatsby.yml
new file mode 100644
index 0000000..9aaecfe
--- /dev/null
+++ b/.github/workflows/gatsby.yml
@@ -0,0 +1,97 @@
+# Sample workflow for building and deploying a Gatsby site to GitHub Pages
+#
+# To get started with Gatsby see: https://www.gatsbyjs.com/docs/quick-start/
+#
+name: Deploy Gatsby site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+# Default to bash
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
+ exit 0
+ else
+ echo "Unable to determine package manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v5
+ with:
+ # Automatically inject pathPrefix in your Gatsby configuration file.
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: gatsby
+ - name: Restore cache
+ uses: actions/cache@v4
+ with:
+ path: |
+ public
+ .cache
+ key: ${{ runner.os }}-gatsby-build-${{ hashFiles('public') }}
+ restore-keys: |
+ ${{ runner.os }}-gatsby-build-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Build with Gatsby
+ env:
+ PREFIX_PATHS: 'true'
+ run: ${{ steps.detect-package-manager.outputs.manager }} run build
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: ./public
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
new file mode 100644
index 0000000..35c829b
--- /dev/null
+++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ outputs:
+ digests: ${{ steps.hash.outputs.digests }}
+
+ steps:
+ - uses: actions/checkout@v4
+
+ # ========================================================
+ #
+ # Step 1: Build your artifacts.
+ #
+ # ========================================================
+ - name: Build artifacts
+ run: |
+ # These are some amazing artifacts.
+ echo "artifact1" > artifact1
+ echo "artifact2" > artifact2
+
+ # ========================================================
+ #
+ # Step 2: Add a step to generate the provenance subjects
+ # as shown below. Update the sha256 sum arguments
+ # to include all binaries that you generate
+ # provenance for.
+ #
+ # ========================================================
+ - name: Generate subject for provenance
+ id: hash
+ run: |
+ set -euo pipefail
+
+ # List the artifacts the provenance will refer to.
+ files=$(ls artifact*)
+ # Generate the subjects (base64 encoded).
+ echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
+
+ provenance:
+ needs: [build]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+ with:
+ base64-subjects: "${{ needs.build.outputs.digests }}"
+ upload-assets: true # Optional: Upload to a new release
diff --git a/.github/workflows/google-cloudrun-source.yml b/.github/workflows/google-cloudrun-source.yml
new file mode 100644
index 0000000..f0191b9
--- /dev/null
+++ b/.github/workflows/google-cloudrun-source.yml
@@ -0,0 +1,75 @@
+# This workflow will deploy source code on Cloud Run when a commit is pushed to
+# the "main" branch.
+#
+# To configure this workflow:
+#
+# 1. Enable the following Google Cloud APIs:
+#
+# - Artifact Registry (artifactregistry.googleapis.com)
+# - Cloud Build (cloudbuild.googleapis.com)
+# - Cloud Run (run.googleapis.com)
+# - IAM Credentials API (iamcredentials.googleapis.com)
+#
+# You can learn more about enabling APIs at
+# https://support.google.com/googleapi/answer/6158841.
+#
+# 2. Create and configure a Workload Identity Provider for GitHub:
+# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation.
+#
+# Depending on how you authenticate, you will need to grant an IAM principal
+# permissions on Google Cloud:
+#
+# - Artifact Registry Administrator (roles/artifactregistry.admin)
+# - Cloud Run Source Developer (roles/run.sourceDeveloper)
+#
+# You can learn more about setting IAM permissions at
+# https://cloud.google.com/iam/docs/manage-access-other-resources.
+#
+# 3. Change the values in the "env" block to match your values.
+
+name: 'Deploy to Cloud Run from Source'
+
+on:
+ push:
+ branches:
+ - '"main"'
+
+env:
+ PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID
+ REGION: 'us-central1' # TODO: update to your region
+ SERVICE: 'my-service' # TODO: update to your service name
+
+jobs:
+ deploy:
+ runs-on: 'ubuntu-latest'
+
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ steps:
+ - name: 'Checkout'
+ uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4
+
+ # Configure Workload Identity Federation and generate an access token.
+ #
+ # See https://github.com/google-github-actions/auth for more options,
+ # including authenticating via a JSON credentials file.
+ - id: 'auth'
+ name: 'Authenticate to Google Cloud'
+ uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2
+ with:
+ workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: replace with your workload identity provider
+
+ - name: 'Deploy to Cloud Run'
+ uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2
+ with:
+ service: '${{ env.SERVICE }}'
+ region: '${{ env.REGION }}'
+ # NOTE: If using a different source folder, update the image name below:
+ source: './'
+
+ # If required, use the Cloud Run URL output in later steps
+ - name: 'Show output'
+ run: |-
+ echo ${{ steps.deploy.outputs.url }}
diff --git a/.github/workflows/google.yml b/.github/workflows/google.yml
new file mode 100644
index 0000000..0b5c7d1
--- /dev/null
+++ b/.github/workflows/google.yml
@@ -0,0 +1,116 @@
+# This workflow will build a docker container, publish it to Google Container
+# Registry, and deploy it to GKE when there is a push to the "main"
+# branch.
+#
+# To configure this workflow:
+#
+# 1. Enable the following Google Cloud APIs:
+#
+# - Artifact Registry (artifactregistry.googleapis.com)
+# - Google Kubernetes Engine (container.googleapis.com)
+# - IAM Credentials API (iamcredentials.googleapis.com)
+#
+# You can learn more about enabling APIs at
+# https://support.google.com/googleapi/answer/6158841.
+#
+# 2. Ensure that your repository contains the necessary configuration for your
+# Google Kubernetes Engine cluster, including deployment.yml,
+# kustomization.yml, service.yml, etc.
+#
+# 3. Create and configure a Workload Identity Provider for GitHub:
+# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation.
+#
+# Depending on how you authenticate, you will need to grant an IAM principal
+# permissions on Google Cloud:
+#
+# - Artifact Registry Administrator (roles/artifactregistry.admin)
+# - Kubernetes Engine Developer (roles/container.developer)
+#
+# You can learn more about setting IAM permissions at
+# https://cloud.google.com/iam/docs/manage-access-other-resources
+#
+# 5. Change the values in the "env" block to match your values.
+
+name: 'Build and Deploy to GKE'
+
+on:
+ push:
+ branches:
+ - '"main"'
+
+env:
+ PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID
+ GAR_LOCATION: 'us-central1' # TODO: update to your region
+ GKE_CLUSTER: 'cluster-1' # TODO: update to your cluster name
+ GKE_ZONE: 'us-central1-c' # TODO: update to your cluster zone
+ DEPLOYMENT_NAME: 'gke-test' # TODO: update to your deployment name
+ REPOSITORY: 'samples' # TODO: update to your Artifact Registry docker repository name
+ IMAGE: 'static-site'
+ WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider
+
+jobs:
+ setup-build-publish-deploy:
+ name: 'Setup, Build, Publish, and Deploy'
+ runs-on: 'ubuntu-latest'
+ environment: 'production'
+
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+
+ steps:
+ - name: 'Checkout'
+ uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4
+
+ # Configure Workload Identity Federation and generate an access token.
+ #
+ # See https://github.com/google-github-actions/auth for more options,
+ # including authenticating via a JSON credentials file.
+ - id: 'auth'
+ name: 'Authenticate to Google Cloud'
+ uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2
+ with:
+ workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}'
+
+ # Authenticate Docker to Google Cloud Artifact Registry
+ - name: 'Docker Auth'
+ uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3
+ with:
+ username: 'oauth2accesstoken'
+ password: '${{ steps.auth.outputs.auth_token }}'
+ registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev'
+
+ # Get the GKE credentials so we can deploy to the cluster
+ - name: 'Set up GKE credentials'
+ uses: 'google-github-actions/get-gke-credentials@6051de21ad50fbb1767bc93c11357a49082ad116' # google-github-actions/get-gke-credentials@v2
+ with:
+ cluster_name: '${{ env.GKE_CLUSTER }}'
+ location: '${{ env.GKE_ZONE }}'
+
+ # Build the Docker image
+ - name: 'Build and push Docker container'
+ run: |-
+ DOCKER_TAG="${GAR_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${REPOSITORY}/${IMAGE}:${GITHUB_SHA}"
+
+ docker build \
+ --tag "${DOCKER_TAG}" \
+ --build-arg GITHUB_SHA="${GITHUB_SHA}" \
+ --build-arg GITHUB_REF="${GITHUB_REF}" \
+ .
+
+ docker push "${DOCKER_TAG}"
+
+ # Set up kustomize
+ - name: 'Set up Kustomize'
+ run: |-
+ curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.3/kustomize_v5.4.3_linux_amd64.tar.gz
+ chmod u+x ./kustomize
+
+ # Deploy the Docker image to the GKE cluster
+ - name: 'Deploy to GKE'
+ run: |-
+ # replacing the image name in the k8s template
+ ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA
+ ./kustomize build . | kubectl apply -f -
+ kubectl rollout status deployment/$DEPLOYMENT_NAME
+ kubectl get services -o wide
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
new file mode 100644
index 0000000..87d5ecb
--- /dev/null
+++ b/.github/workflows/gradle.yml
@@ -0,0 +1,67 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-gradle
+
+name: Java CI with Gradle
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+
+ # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies.
+ # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
+ - name: Setup Gradle
+ uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
+
+ - name: Build with Gradle Wrapper
+ run: ./gradlew build
+
+ # NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html).
+ # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version.
+ #
+ # - name: Setup Gradle
+ # uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
+ # with:
+ # gradle-version: '8.9'
+ #
+ # - name: Build with Gradle 8.9
+ # run: gradle build
+
+ dependency-submission:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+
+ # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies.
+ # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md
+ - name: Generate and submit dependency graph
+ uses: gradle/actions/dependency-submission@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
new file mode 100644
index 0000000..4677434
--- /dev/null
+++ b/.github/workflows/greetings.yml
@@ -0,0 +1,16 @@
+name: Greetings
+
+on: [pull_request_target, issues]
+
+jobs:
+ greeting:
+ runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
+ steps:
+ - uses: actions/first-interaction@v1
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ issue-message: "Message that will be displayed on users' first issue"
+ pr-message: "Message that will be displayed on users' first pull request"
diff --git a/.github/workflows/hugo.yml b/.github/workflows/hugo.yml
new file mode 100644
index 0000000..a8cf471
--- /dev/null
+++ b/.github/workflows/hugo.yml
@@ -0,0 +1,74 @@
+# Sample workflow for building and deploying a Hugo site to GitHub Pages
+name: Deploy Hugo site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+# Default to bash
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ env:
+ HUGO_VERSION: 0.128.0
+ steps:
+ - name: Install Hugo CLI
+ run: |
+ wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
+ && sudo dpkg -i ${{ runner.temp }}/hugo.deb
+ - name: Install Dart Sass
+ run: sudo snap install dart-sass
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v5
+ - name: Install Node.js dependencies
+ run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
+ - name: Build with Hugo
+ env:
+ HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache
+ HUGO_ENVIRONMENT: production
+ run: |
+ hugo \
+ --minify \
+ --baseURL "${{ steps.pages.outputs.base_url }}/"
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: ./public
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
diff --git a/.github/workflows/ibm.yml b/.github/workflows/ibm.yml
new file mode 100644
index 0000000..f5e8cd8
--- /dev/null
+++ b/.github/workflows/ibm.yml
@@ -0,0 +1,75 @@
+# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the "main" branch.
+#
+# To configure this workflow:
+#
+# 1. Ensure that your repository contains a Dockerfile
+# 2. Setup secrets in your repository by going to settings: Create ICR_NAMESPACE and IBM_CLOUD_API_KEY
+# 3. Change the values for the IBM_CLOUD_REGION, REGISTRY_HOSTNAME, IMAGE_NAME, IKS_CLUSTER, DEPLOYMENT_NAME, and PORT
+
+name: Build and Deploy to IKS
+
+on:
+ push:
+ branches: [ "main" ]
+
+# Environment variables available to all jobs and steps in this workflow
+env:
+ GITHUB_SHA: ${{ github.sha }}
+ IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }}
+ IBM_CLOUD_REGION: us-south
+ ICR_NAMESPACE: ${{ secrets.ICR_NAMESPACE }}
+ REGISTRY_HOSTNAME: us.icr.io
+ IMAGE_NAME: iks-test
+ IKS_CLUSTER: example-iks-cluster-name-or-id
+ DEPLOYMENT_NAME: iks-test
+ PORT: 5001
+
+jobs:
+ setup-build-publish-deploy:
+ name: Setup, Build, Publish, and Deploy
+ runs-on: ubuntu-latest
+ environment: production
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ # Download and Install IBM Cloud CLI
+ - name: Install IBM Cloud CLI
+ run: |
+ curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
+ ibmcloud --version
+ ibmcloud config --check-version=false
+ ibmcloud plugin install -f kubernetes-service
+ ibmcloud plugin install -f container-registry
+
+ # Authenticate with IBM Cloud CLI
+ - name: Authenticate with IBM Cloud CLI
+ run: |
+ ibmcloud login --apikey "${IBM_CLOUD_API_KEY}" -r "${IBM_CLOUD_REGION}" -g default
+ ibmcloud cr region-set "${IBM_CLOUD_REGION}"
+ ibmcloud cr login
+
+ # Build the Docker image
+ - name: Build with Docker
+ run: |
+ docker build -t "$REGISTRY_HOSTNAME"/"$ICR_NAMESPACE"/"$IMAGE_NAME":"$GITHUB_SHA" \
+ --build-arg GITHUB_SHA="$GITHUB_SHA" \
+ --build-arg GITHUB_REF="$GITHUB_REF" .
+
+ # Push the image to IBM Container Registry
+ - name: Push the image to ICR
+ run: |
+ docker push $REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA
+
+ # Deploy the Docker image to the IKS cluster
+ - name: Deploy to IKS
+ run: |
+ ibmcloud ks cluster config --cluster $IKS_CLUSTER
+ kubectl config current-context
+ kubectl create deployment $DEPLOYMENT_NAME --image=$REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA --dry-run -o yaml > deployment.yaml
+ kubectl apply -f deployment.yaml
+ kubectl rollout status deployment/$DEPLOYMENT_NAME
+ kubectl create service loadbalancer $DEPLOYMENT_NAME --tcp=80:$PORT --dry-run -o yaml > service.yaml
+ kubectl apply -f service.yaml
+ kubectl get services -o wide
diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml
new file mode 100644
index 0000000..9827103
--- /dev/null
+++ b/.github/workflows/ios.yml
@@ -0,0 +1,44 @@
+name: iOS starter workflow
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ build:
+ name: Build and Test default scheme using any available iPhone simulator
+ runs-on: macos-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set Default Scheme
+ run: |
+ scheme_list=$(xcodebuild -list -json | tr -d "\n")
+ default=$(echo $scheme_list | ruby -e "require 'json'; puts JSON.parse(STDIN.gets)['project']['targets'][0]")
+ echo $default | cat >default
+ echo Using default scheme: $default
+ - name: Build
+ env:
+ scheme: ${{ 'default' }}
+ platform: ${{ 'iOS Simulator' }}
+ run: |
+ # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
+ if [ $scheme = default ]; then scheme=$(cat default); fi
+ if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
+ file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
+ xcodebuild build-for-testing -scheme "$scheme" -"$filetype_parameter" "$file_to_build" -destination "platform=$platform,name=$device"
+ - name: Test
+ env:
+ scheme: ${{ 'default' }}
+ platform: ${{ 'iOS Simulator' }}
+ run: |
+ # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
+ if [ $scheme = default ]; then scheme=$(cat default); fi
+ if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
+ file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
+ xcodebuild test-without-building -scheme "$scheme" -"$filetype_parameter" "$file_to_build" -destination "platform=$platform,name=$device"
diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml
new file mode 100644
index 0000000..e31d81c
--- /dev/null
+++ b/.github/workflows/jekyll-gh-pages.yml
@@ -0,0 +1,51 @@
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll with GitHub Pages dependencies preinstalled
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Setup Pages
+ uses: actions/configure-pages@v5
+ - name: Build with Jekyll
+ uses: actions/jekyll-build-pages@v1
+ with:
+ source: ./
+ destination: ./_site
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml
new file mode 100644
index 0000000..68520b5
--- /dev/null
+++ b/.github/workflows/jekyll.yml
@@ -0,0 +1,64 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@8575951200e472d5f2d95c625da0c7bec8217c42 # v1.161.0
+ with:
+ ruby-version: '3.1' # Not needed with a .ruby-version file
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ cache-version: 0 # Increment this number if you need to re-download cached gems
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v5
+ - name: Build with Jekyll
+ # Outputs to the './_site' directory by default
+ run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
+ env:
+ JEKYLL_ENV: production
+ - name: Upload artifact
+ # Automatically uploads an artifact from the './_site' directory by default
+ uses: actions/upload-pages-artifact@v3
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
new file mode 100644
index 0000000..4613569
--- /dev/null
+++ b/.github/workflows/label.yml
@@ -0,0 +1,22 @@
+# This workflow will triage pull requests and apply a label based on the
+# paths that are modified in the pull request.
+#
+# To use this workflow, you will need to set up a .github/labeler.yml
+# file with configuration. For more information, see:
+# https://github.com/actions/labeler
+
+name: Labeler
+on: [pull_request_target]
+
+jobs:
+ label:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+
+ steps:
+ - uses: actions/labeler@v4
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/manual.yml b/.github/workflows/manual.yml
new file mode 100644
index 0000000..11b2e35
--- /dev/null
+++ b/.github/workflows/manual.yml
@@ -0,0 +1,32 @@
+# This is a basic workflow that is manually triggered
+
+name: Manual workflow
+
+# Controls when the action will run. Workflow runs when manually triggered using the UI
+# or API.
+on:
+ workflow_dispatch:
+ # Inputs the workflow accepts.
+ inputs:
+ name:
+ # Friendly description to be shown in the UI instead of 'name'
+ description: 'Person to greet'
+ # Default value if no value is explicitly provided
+ default: 'World'
+ # Input has to be provided for the workflow to run
+ required: true
+ # The data type of the input
+ type: string
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "greet"
+ greet:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Runs a single command using the runners shell
+ - name: Send greeting
+ run: echo "Hello ${{ inputs.name }}"
diff --git a/.github/workflows/mdbook.yml b/.github/workflows/mdbook.yml
new file mode 100644
index 0000000..38e5f36
--- /dev/null
+++ b/.github/workflows/mdbook.yml
@@ -0,0 +1,60 @@
+# Sample workflow for building and deploying a mdBook site to GitHub Pages
+#
+# To get started with mdBook see: https://rust-lang.github.io/mdBook/index.html
+#
+name: Deploy mdBook site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ env:
+ MDBOOK_VERSION: 0.4.36
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install mdBook
+ run: |
+ curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh
+ rustup update
+ cargo install --version ${MDBOOK_VERSION} mdbook
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v5
+ - name: Build with mdBook
+ run: mdbook build
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: ./book
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
diff --git a/.github/workflows/msbuild.yml b/.github/workflows/msbuild.yml
new file mode 100644
index 0000000..43ea450
--- /dev/null
+++ b/.github/workflows/msbuild.yml
@@ -0,0 +1,44 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: MSBuild
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+env:
+ # Path to the solution file relative to the root of the project.
+ SOLUTION_FILE_PATH: .
+
+ # Configuration type to build.
+ # You can convert this to a build matrix if you need coverage of multiple configuration types.
+ # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
+ BUILD_CONFIGURATION: Release
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: windows-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Add MSBuild to PATH
+ uses: microsoft/setup-msbuild@v1.0.2
+
+ - name: Restore NuGet packages
+ working-directory: ${{env.GITHUB_WORKSPACE}}
+ run: nuget restore ${{env.SOLUTION_FILE_PATH}}
+
+ - name: Build
+ working-directory: ${{env.GITHUB_WORKSPACE}}
+ # Add additional options to the MSBuild command line here (like platform or verbosity level).
+ # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
+ run: msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml
new file mode 100644
index 0000000..b77805d
--- /dev/null
+++ b/.github/workflows/msvc.yml
@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Find more information at:
+# https://github.com/microsoft/msvc-code-analysis-action
+
+name: Microsoft C++ Code Analysis
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '19 10 * * 6'
+
+env:
+ # Path to the CMake build directory.
+ build: '${{ github.workspace }}/build'
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: Analyze
+ runs-on: windows-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Configure CMake
+ run: cmake -B ${{ env.build }}
+
+ # Build is not required unless generated source files are used
+ # - name: Build CMake
+ # run: cmake --build ${{ env.build }}
+
+ - name: Initialize MSVC Code Analysis
+ uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99
+ # Provide a unique ID to access the sarif output path
+ id: run-analysis
+ with:
+ cmakeBuildDirectory: ${{ env.build }}
+ # Ruleset file that will determine what checks will be run
+ ruleset: NativeRecommendedRules.ruleset
+
+ # Upload SARIF file to GitHub Code Scanning Alerts
+ - name: Upload SARIF to GitHub
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.run-analysis.outputs.sarif }}
+
+ # Upload SARIF file as an Artifact to download and view
+ # - name: Upload SARIF as an Artifact
+ # uses: actions/upload-artifact@v3
+ # with:
+ # name: sarif-file
+ # path: ${{ steps.run-analysis.outputs.sarif }}
diff --git a/.github/workflows/neuralegion.yml b/.github/workflows/neuralegion.yml
new file mode 100644
index 0000000..bbb7568
--- /dev/null
+++ b/.github/workflows/neuralegion.yml
@@ -0,0 +1,175 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Run a Nexploit Scan
+# This action runs a new security scan in Nexploit, or reruns an existing one.
+# Build Secure Apps & APIs. Fast.
+# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love.
+# Automatically Tests Every Aspect of Your Apps & APIs
+# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports
+# Seamlessly integrates with the Tools and Workflows You Already Use
+#
+# NeuraLegion works with your existing CI/CD pipelines β trigger scans on every commit, pull request or build with unit testing.
+# Spin-Up, Configure and Control Scans with Code
+# One file. One command. One scan. No UI needed.
+#
+# Super-Fast Scans
+#
+# Interacts with applications and APIs, instead of just crawling them and guessing.
+# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks.
+#
+# No False Positives
+#
+# Stop chasing ghosts and wasting time. NeuraLegion doesnβt return false positives, so you can focus on releasing code.
+#
+# Comprehensive Security Testing
+#
+# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities.
+#
+# More information is available on NeuraLegionβs:
+# * [Website](https://www.neuralegion.com/)
+# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart)
+# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw)
+# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+)
+#
+# Inputs
+#
+# `name`
+#
+# **Required**. Scan name.
+#
+# _Example:_ `name: GitHub scan ${{ github.sha }}`
+#
+# `api_token`
+#
+# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens).
+#
+# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}`
+#
+# `restart_scan`
+#
+# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).<br> Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.
+#
+# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)`
+#
+# `discovery_types`
+#
+# **Required**. Array of discovery types. The following types are available:
+# * `archive` - uses an uploaded HAR-file for a scan
+# * `crawler` - uses a crawler to define the attack surface for a scan
+# * `oas` - uses an uploaded OpenAPI schema for a scan <br>
+# If no discovery type is specified, `crawler` is applied by default.
+#
+# _Example:_
+#
+# ```yml
+# discovery_types: |
+# [ "crawler", "archive" ]
+# ```
+#
+# `file_id`
+#
+# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login).
+#
+# _Example:_
+#
+# ```
+# FILE_ID=$(nexploit-cli archive:upload \
+# --token ${{ secrets.NEXPLOIT_TOKEN }} \
+# --discard true \
+# ./example.har)
+# ```
+#
+# `crawler_urls`
+#
+# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface.
+#
+# _Example:_
+#
+# ```
+# crawler_urls: |
+# [ "http://vulnerable-bank.com" ]
+# ```
+#
+# `hosts_filter`
+#
+# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan.
+#
+# Outputs
+#
+# `url`
+#
+# Url of the resulting scan
+#
+# `id`
+#
+# ID of the created scan. This ID could then be used to restart the scan, or for the following GitHub actions:
+# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues)
+# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan)
+#
+# Example usage
+#
+# Start a new scan with parameters
+#
+# ```yml
+# steps:
+# - name: Start Nexploit Scan
+# id: start
+# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+# with:
+# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
+# name: GitHub scan ${{ github.sha }}
+# discovery_types: |
+# [ "crawler", "archive" ]
+# crawler_urls: |
+# [ "http://vulnerable-bank.com" ]
+# file_id: LiYknMYSdbSZbqgMaC9Sj
+# hosts_filter: |
+# [ ]
+# - name: Get the output scan url
+# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
+# ```
+#
+# Restart an existing scan
+#
+# ```yml
+# steps:
+# - name: Start Nexploit Scan
+# id: start
+# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+# with:
+# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
+# name: GitHub scan ${{ github.sha }}
+# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ
+# - name: Get the output scan url
+# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
+
+
+name: "NeuraLegion"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '39 0 * * 4'
+
+jobs:
+ neuralegion_scan:
+ runs-on: ubuntu-18.04
+ name: A job to run a Nexploit scan
+ steps:
+ - uses: actions/checkout@v2
+ - name: Start Nexploit Scan π
+ id: start
+ uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
+ with:
+ api_token: ${{ secrets.NEURALEGION_TOKEN }}
+ name: GitHub scan ${{ github.sha }}
+ discovery_types: |
+ [ "crawler" ]
+ crawler_urls: |
+ [ "https://brokencrystals.com" ] # βοΈ Update this to the url you wish to scan
diff --git a/.github/workflows/nextjs.yml b/.github/workflows/nextjs.yml
new file mode 100644
index 0000000..ed74736
--- /dev/null
+++ b/.github/workflows/nextjs.yml
@@ -0,0 +1,93 @@
+# Sample workflow for building and deploying a Next.js site to GitHub Pages
+#
+# To get started with Next.js see: https://nextjs.org/docs/getting-started
+#
+name: Deploy Next.js site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
+ echo "runner=yarn" >> $GITHUB_OUTPUT
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
+ echo "runner=npx --no-install" >> $GITHUB_OUTPUT
+ exit 0
+ else
+ echo "Unable to determine package manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ uses: actions/configure-pages@v5
+ with:
+ # Automatically inject basePath in your Next.js configuration file and disable
+ # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized).
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: next
+ - name: Restore cache
+ uses: actions/cache@v4
+ with:
+ path: |
+ .next/cache
+ # Generate a new cache whenever packages or source files change.
+ key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
+ # If source files changed but packages didn't, rebuild from a prior cache.
+ restore-keys: |
+ ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Build with Next.js
+ run: ${{ steps.detect-package-manager.outputs.runner }} next build
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: ./out
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
diff --git a/.github/workflows/nowsecure-mobile-sbom.yml b/.github/workflows/nowsecure-mobile-sbom.yml
new file mode 100644
index 0000000..a1c7e1f
--- /dev/null
+++ b/.github/workflows/nowsecure-mobile-sbom.yml
@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# NowSecure: The Mobile Security Experts <https://www.nowsecure.com/>.
+#
+# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer,
+# you can find it in NowSecure Platform.
+#
+# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access:
+# <https://bit.ly/ns-git-sbom>.
+#
+# Instructions:
+#
+# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and
+# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit
+# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub".
+#
+# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
+# and review the "Dependency graph" tab in the "Insights" pane once the action has run.
+
+name: "NowSecure Mobile SBOM"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '39 4 * * 6'
+
+permissions:
+ contents: read
+
+jobs:
+ nowsecure:
+ name: NowSecure Mobile SBOM
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Build your application
+ run: ./gradlew assembleDebug # Update this to build your Android or iOS application
+
+ - name: NowSecure upload app
+ uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c
+ with:
+ token: ${{ secrets.NS_TOKEN }}
+ app_file: app-debug.apk # Update this to a path to your .ipa or .apk
+ group_id: {{ groupId }} # Update this to your desired Platform group ID
diff --git a/.github/workflows/npm-grunt.yml b/.github/workflows/npm-grunt.yml
new file mode 100644
index 0000000..5ef7a9a
--- /dev/null
+++ b/.github/workflows/npm-grunt.yml
@@ -0,0 +1,28 @@
+name: NodeJS with Grunt
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ node-version: [18.x, 20.x, 22.x]
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Use Node.js ${{ matrix.node-version }}
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ matrix.node-version }}
+
+ - name: Build
+ run: |
+ npm install
+ grunt
diff --git a/.github/workflows/openshift.yml b/.github/workflows/openshift.yml
new file mode 100644
index 0000000..f4e69a9
--- /dev/null
+++ b/.github/workflows/openshift.yml
@@ -0,0 +1,202 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# π The OpenShift Starter workflow will:
+# - Checkout your repository
+# - Perform a container image build
+# - Push the built image to the GitHub Container Registry (GHCR)
+# - Log in to your OpenShift cluster
+# - Create an OpenShift app from the image and expose it to the internet
+
+# βΉοΈ Configure your repository and the workflow with the following steps:
+# 1. Have access to an OpenShift cluster. Refer to https://www.openshift.com/try
+# 2. Create the OPENSHIFT_SERVER and OPENSHIFT_TOKEN repository secrets. Refer to:
+# - https://github.com/redhat-actions/oc-login#readme
+# - https://docs.github.com/en/actions/reference/encrypted-secrets
+# - https://cli.github.com/manual/gh_secret_set
+# 3. (Optional) Edit the top-level 'env' section as marked with 'ποΈ' if the defaults are not suitable for your project.
+# 4. (Optional) Edit the build-image step to build your project.
+# The default build type is by using a Dockerfile at the root of the repository,
+# but can be replaced with a different file, a source-to-image build, or a step-by-step buildah build.
+# 5. Commit and push the workflow file to your default branch to trigger a workflow run.
+
+# π Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback.
+
+name: OpenShift
+
+env:
+ # ποΈ EDIT your repository secrets to log into your OpenShift cluster and set up the context.
+ # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values.
+ # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions
+ OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
+ OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
+ # ποΈ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace.
+ OPENSHIFT_NAMESPACE: ""
+
+ # ποΈ EDIT to set a name for your OpenShift app, or a default one will be generated below.
+ APP_NAME: ""
+
+ # ποΈ EDIT with the port your application should be accessible on.
+ # If the container image exposes *exactly one* port, this can be left blank.
+ # Refer to the 'port' input of https://github.com/redhat-actions/oc-new-app
+ APP_PORT: ""
+
+ # ποΈ EDIT to change the image registry settings.
+ # Registries such as GHCR, Quay.io, and Docker Hub are supported.
+ IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+ IMAGE_REGISTRY_USER: ${{ github.actor }}
+ IMAGE_REGISTRY_PASSWORD: ${{ github.token }}
+
+ # ποΈ EDIT to specify custom tags for the container image, or default tags will be generated below.
+ IMAGE_TAGS: ""
+
+on:
+ # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
+ workflow_dispatch:
+ push:
+ # Edit to the branch(es) you want to build and deploy on each push.
+ branches: [ "main" ]
+
+jobs:
+ # ποΈ EDIT if you want to run vulnerability check on your project before deploying
+ # the application. Please uncomment the below CRDA scan job and configure to run it in
+ # your workflow. For details about CRDA action visit https://github.com/redhat-actions/crda/blob/main/README.md
+ #
+ # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab.
+ # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows
+
+ #crda-scan:
+ # uses: ./.github/workflows/crda.yml
+ # secrets:
+ # CRDA_KEY: ${{ secrets.CRDA_KEY }}
+ # # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY
+
+ openshift-ci-cd:
+ # ποΈ Uncomment this if you are using CRDA scan step above
+ # needs: crda-scan
+ name: Build and deploy to OpenShift
+ runs-on: ubuntu-20.04
+ environment: production
+
+ outputs:
+ ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
+ SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
+
+ steps:
+ - name: Check for required secrets
+ uses: actions/github-script@v6
+ with:
+ script: |
+ const secrets = {
+ OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`,
+ OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`,
+ };
+
+ const GHCR = "ghcr.io";
+ if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) {
+ core.info(`Image registry is ${GHCR} - no registry password required`);
+ }
+ else {
+ core.info("A registry password is required");
+ secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`;
+ }
+
+ const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => {
+ if (value.length === 0) {
+ core.error(`Secret "${name}" is not set`);
+ return true;
+ }
+ core.info(`βοΈ Secret "${name}" is set`);
+ return false;
+ });
+
+ if (missingSecrets.length > 0) {
+ core.setFailed(`β At least one required secret is not set in the repository. \n` +
+ "You can add it using:\n" +
+ "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" +
+ "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" +
+ "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example");
+ }
+ else {
+ core.info(`β
All the required secrets are set`);
+ }
+
+ - name: Check out repository
+ uses: actions/checkout@v4
+
+ - name: Determine app name
+ if: env.APP_NAME == ''
+ run: |
+ echo "APP_NAME=$(basename $PWD)" | tee -a $GITHUB_ENV
+
+ - name: Determine image tags
+ if: env.IMAGE_TAGS == ''
+ run: |
+ echo "IMAGE_TAGS=latest ${GITHUB_SHA::12}" | tee -a $GITHUB_ENV
+
+ # https://github.com/redhat-actions/buildah-build#readme
+ - name: Build from Dockerfile
+ id: build-image
+ uses: redhat-actions/buildah-build@v2
+ with:
+ image: ${{ env.APP_NAME }}
+ tags: ${{ env.IMAGE_TAGS }}
+
+ # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs
+ # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build
+ # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root.
+ dockerfiles: |
+ ./Dockerfile
+
+ # https://github.com/redhat-actions/push-to-registry#readme
+ - name: Push to registry
+ id: push-image
+ uses: redhat-actions/push-to-registry@v2
+ with:
+ image: ${{ steps.build-image.outputs.image }}
+ tags: ${{ steps.build-image.outputs.tags }}
+ registry: ${{ env.IMAGE_REGISTRY }}
+ username: ${{ env.IMAGE_REGISTRY_USER }}
+ password: ${{ env.IMAGE_REGISTRY_PASSWORD }}
+
+ # The path the image was pushed to is now stored in ${{ steps.push-image.outputs.registry-path }}
+
+ - name: Install oc
+ uses: redhat-actions/openshift-tools-installer@v1
+ with:
+ oc: 4
+
+ # https://github.com/redhat-actions/oc-login#readme
+ - name: Log in to OpenShift
+ uses: redhat-actions/oc-login@v1
+ with:
+ openshift_server_url: ${{ env.OPENSHIFT_SERVER }}
+ openshift_token: ${{ env.OPENSHIFT_TOKEN }}
+ insecure_skip_tls_verify: true
+ namespace: ${{ env.OPENSHIFT_NAMESPACE }}
+
+ # This step should create a deployment, service, and route to run your app and expose it to the internet.
+ # https://github.com/redhat-actions/oc-new-app#readme
+ - name: Create and expose app
+ id: deploy-and-expose
+ uses: redhat-actions/oc-new-app@v1
+ with:
+ app_name: ${{ env.APP_NAME }}
+ image: ${{ steps.push-image.outputs.registry-path }}
+ namespace: ${{ env.OPENSHIFT_NAMESPACE }}
+ port: ${{ env.APP_PORT }}
+
+ - name: Print application URL
+ env:
+ ROUTE: ${{ steps.deploy-and-expose.outputs.route }}
+ SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }}
+ run: |
+ [[ -n ${{ env.ROUTE }} ]] || (echo "Determining application route failed in previous step"; exit 1)
+ echo
+ echo "======================== Your application is available at: ========================"
+ echo ${{ env.ROUTE }}
+ echo "==================================================================================="
+ echo
+ echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\""
diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml
new file mode 100644
index 0000000..a00ce5d
--- /dev/null
+++ b/.github/workflows/osv-scanner.yml
@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
+# in addition to a PR check which fails if new vulnerabilities are introduced.
+#
+# For more examples and options, including how to ignore specific vulnerabilities,
+# see https://google.github.io/osv-scanner/github-action/
+
+name: OSV-Scanner
+
+on:
+ pull_request:
+ branches: [ "main" ]
+ merge_group:
+ branches: [ "main" ]
+ schedule:
+ - cron: '43 8 * * 0'
+ push:
+ branches: [ "main" ]
+
+permissions:
+ # Require writing security events to upload SARIF file to security tab
+ security-events: write
+ # Read commit contents
+ contents: read
+
+jobs:
+ scan-scheduled:
+ if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+ with:
+ # Example of specifying custom arguments
+ scan-args: |-
+ -r
+ --skip-git
+ ./
+ scan-pr:
+ if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+ with:
+ # Example of specifying custom arguments
+ scan-args: |-
+ -r
+ --skip-git
+ ./
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
new file mode 100644
index 0000000..7d257b5
--- /dev/null
+++ b/.github/workflows/php.yml
@@ -0,0 +1,39 @@
+name: PHP Composer
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Validate composer.json and composer.lock
+ run: composer validate --strict
+
+ - name: Cache Composer packages
+ id: composer-cache
+ uses: actions/cache@v3
+ with:
+ path: vendor
+ key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-php-
+
+ - name: Install dependencies
+ run: composer install --prefer-dist --no-progress
+
+ # Add a test script to composer.json, for instance: "test": "vendor/bin/phpunit"
+ # Docs: https://getcomposer.org/doc/articles/scripts.md
+
+ # - name: Run test suite
+ # run: composer run-script test
diff --git a/.github/workflows/phpmd.yml b/.github/workflows/phpmd.yml
new file mode 100644
index 0000000..3d2b94c
--- /dev/null
+++ b/.github/workflows/phpmd.yml
@@ -0,0 +1,57 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# PHPMD is a spin-off project of PHP Depend and
+# aims to be a PHP equivalent of the well known Java tool PMD.
+# What PHPMD does is: It takes a given PHP source code base
+# and look for several potential problems within that source.
+# These problems can be things like:
+# Possible bugs
+# Suboptimal code
+# Overcomplicated expressions
+# Unused parameters, methods, properties
+# More details at https://phpmd.org/
+
+name: PHPMD
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '20 21 * * 5'
+
+permissions:
+ contents: read
+
+jobs:
+ PHPMD:
+ name: Run PHPMD scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup PHP
+ uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161
+ with:
+ coverage: none
+ tools: phpmd
+
+ - name: Run PHPMD
+ run: phpmd . sarif codesize --reportfile phpmd-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: phpmd-results.sarif
+ wait-for-processing: true
diff --git a/.github/workflows/pmd.yml b/.github/workflows/pmd.yml
new file mode 100644
index 0000000..eeed2fe
--- /dev/null
+++ b/.github/workflows/pmd.yml
@@ -0,0 +1,43 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: pmd
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '33 18 * * 5'
+
+permissions:
+ contents: read
+
+jobs:
+ pmd-code-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK 11
+ uses: actions/setup-java@v4
+ with:
+ java-version: '11'
+ distribution: 'temurin'
+ - name: Run PMD
+ id: pmd
+ uses: pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29
+ with:
+ rulesets: 'rulesets/java/quickstart.xml'
+ sourcePath: 'src/main/java'
+ analyzeModifiedFilesOnly: false
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: pmd-report.sarif
diff --git a/.github/workflows/policy-validator-tf.yml b/.github/workflows/policy-validator-tf.yml
new file mode 100644
index 0000000..28fd356
--- /dev/null
+++ b/.github/workflows/policy-validator-tf.yml
@@ -0,0 +1,101 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer
+# To use this workflow, you will need to complete the following set up steps before start using it:
+# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps.
+# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo.
+# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates.
+# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow.
+
+name: Validate AWS IAM policies in Terraform templates using Policy Validator
+on:
+ push:
+ branches: ["main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: ["main"]
+env:
+ AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
+ REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
+ TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON
+ ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+ REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
+ REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
+
+jobs:
+ policy-validator:
+ runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable)
+ #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow
+ #https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+ # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners
+ name: Policy Validator checks for AWS IAM policies
+ steps:
+ # checkout the repo for workflow to access the contents
+ - name: Checkout
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+ # Configure AWS Credentials. More configuration details here- https://github.com/aws-actions/configure-aws-credentials
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+ with:
+ role-to-assume: ${{ env.AWS_ROLE }}
+ aws-region: ${{ env.REGION }}
+ # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer ValidatePolicy check
+ id: run-aws-validate-policy
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "VALIDATE_POLICY"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ region: ${{ env.REGION }}
+ # Print result from VALIDATE_POLICY check
+ - name: Print the result for ValidatePolicy check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
+ # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
+ id: run-aws-check-access-not-granted
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ actions: ${{ env.ACTIONS }}
+ resources: ${{ env.RESOURCES }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_ACCESS_NOT_GRANTED check
+ - name: Print the result for CheckAccessNotGranted check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}"
+ # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ # reference-policy is stored in GitHub secrets
+ - name: Run AWS AccessAnalyzer CheckNoNewAccess check
+ id: run-aws-check-no-new-access
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "CHECK_NO_NEW_ACCESS"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ reference-policy: ${{ env.REFERENCE_POLICY }}
+ reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_NO_NEW_ACCESS check
+ - name: Print the result CheckNoNewAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"
+ # Run the CHECK_NO_PUBLIC_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator
+ - name: Run AWS AccessAnalyzer CheckNoPublicAccess check
+ id: run-aws-check-no-public-access
+ uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2
+ with:
+ policy-check-type: "CHECK_NO_PUBLIC_ACCESS"
+ template-path: ${{ env.TEMPLATE_PATH }}
+ region: ${{ env.REGION }}
+ # Print result from CHECK_NO_PUBLIC_ACCESS check
+ - name: Print the result for CheckNoPublicAccess check
+ if: success() || failure()
+ run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}"
diff --git a/.github/workflows/prisma.yml b/.github/workflows/prisma.yml
new file mode 100644
index 0000000..c37b3ba
--- /dev/null
+++ b/.github/workflows/prisma.yml
@@ -0,0 +1,61 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow that checks for security issues using
+# the Prisma Cloud Infrastructure as Code Scan Action on
+# the IaC files present in the repository.
+# The results are uploaded to GitHub Security Code Scanning
+#
+# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action
+
+name: Prisma Cloud IaC Scan
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '33 22 * * 0'
+
+permissions:
+ contents: read
+
+jobs:
+ prisma_cloud_iac_scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ name: Run Prisma Cloud IaC Scan to check
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - id: iac-scan
+ name: Run Scan on CFT files in the repository
+ uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3
+ with:
+ # You will need Prisma Cloud API Access Token
+ # More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action
+ prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }}
+ access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
+ secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
+ # Scan sources on Prisma Cloud are uniquely identified by their name
+ asset_name: 'my-asset-name'
+ # The service need to know the type of IaC being scanned
+ template_type: 'CFT'
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ # Results are generated only on a success or failure
+ # this is required since GitHub by default won't run the next step
+ # when the previous one has failed.
+ # And alternative it to add `continue-on-error: true` to the previous step
+ if: success() || failure()
+ with:
+ # The SARIF Log file name is configurable on scan action
+ # therefore the file name is best read from the steps output
+ sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }}
diff --git a/.github/workflows/puppet-lint.yml b/.github/workflows/puppet-lint.yml
new file mode 100644
index 0000000..5541f06
--- /dev/null
+++ b/.github/workflows/puppet-lint.yml
@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Puppet Lint tests Puppet code against the recommended Puppet language style guide.
+# https://puppet.com/docs/puppet/7/style_guide.html
+# Puppet Lint validates only code style; it does not validate syntax.
+# To test syntax, use Puppet's puppet parser validate command.
+# More details at https://github.com/puppetlabs/puppet-lint/
+
+name: puppet-lint
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '21 17 * * 4'
+
+permissions:
+ contents: read
+
+jobs:
+ puppet-lint:
+ name: Run puppet-lint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
+ with:
+ ruby-version: 2.7
+ bundler-cache: true
+
+ - name: Install puppet-lint
+ run: gem install puppet-lint
+
+ - name: Run puppet-lint
+ run: puppet-lint . --sarif > puppet-lint-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: puppet-lint-results.sarif
+ wait-for-processing: true
diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml
new file mode 100644
index 0000000..c73e032
--- /dev/null
+++ b/.github/workflows/pylint.yml
@@ -0,0 +1,23 @@
+name: Pylint
+
+on: [push]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python-version: ["3.8", "3.9", "3.10"]
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v3
+ with:
+ python-version: ${{ matrix.python-version }}
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install pylint
+ - name: Analysing the code with pylint
+ run: |
+ pylint $(git ls-files '*.py')
diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml
new file mode 100644
index 0000000..1168bd9
--- /dev/null
+++ b/.github/workflows/python-app.yml
@@ -0,0 +1,39 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+
+name: Python application
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v3
+ with:
+ python-version: "3.10"
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install flake8 pytest
+ if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+ - name: Lint with flake8
+ run: |
+ # stop the build if there are Python syntax errors or undefined names
+ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+ # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
+ flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+ - name: Test with pytest
+ run: |
+ pytest
diff --git a/.github/workflows/python-package-conda.yml b/.github/workflows/python-package-conda.yml
new file mode 100644
index 0000000..f358604
--- /dev/null
+++ b/.github/workflows/python-package-conda.yml
@@ -0,0 +1,34 @@
+name: Python Package using Conda
+
+on: [push]
+
+jobs:
+ build-linux:
+ runs-on: ubuntu-latest
+ strategy:
+ max-parallel: 5
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v3
+ with:
+ python-version: '3.10'
+ - name: Add conda to system path
+ run: |
+ # $CONDA is an environment variable pointing to the root of the miniconda directory
+ echo $CONDA/bin >> $GITHUB_PATH
+ - name: Install dependencies
+ run: |
+ conda env update --file environment.yml --name base
+ - name: Lint with flake8
+ run: |
+ conda install flake8
+ # stop the build if there are Python syntax errors or undefined names
+ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+ # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
+ flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+ - name: Test with pytest
+ run: |
+ conda install pytest
+ pytest
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
new file mode 100644
index 0000000..e56abb6
--- /dev/null
+++ b/.github/workflows/python-package.yml
@@ -0,0 +1,40 @@
+# This workflow will install Python dependencies, run tests and lint with a variety of Python versions
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+
+name: Python package
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ python-version: ["3.9", "3.10", "3.11"]
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python ${{ matrix.python-version }}
+ uses: actions/setup-python@v3
+ with:
+ python-version: ${{ matrix.python-version }}
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ python -m pip install flake8 pytest
+ if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+ - name: Lint with flake8
+ run: |
+ # stop the build if there are Python syntax errors or undefined names
+ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+ # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
+ flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+ - name: Test with pytest
+ run: |
+ pytest
diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml
new file mode 100644
index 0000000..b7a704b
--- /dev/null
+++ b/.github/workflows/python-publish.yml
@@ -0,0 +1,39 @@
+# This workflow will upload a Python Package using Twine when a release is created
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Upload Python Package
+
+on:
+ release:
+ types: [published]
+
+permissions:
+ contents: read
+
+jobs:
+ deploy:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python
+ uses: actions/setup-python@v3
+ with:
+ python-version: '3.x'
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install build
+ - name: Build package
+ run: python -m build
+ - name: Publish package
+ uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29
+ with:
+ user: __token__
+ password: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.github/workflows/scala.yml b/.github/workflows/scala.yml
new file mode 100644
index 0000000..0a8e6a6
--- /dev/null
+++ b/.github/workflows/scala.yml
@@ -0,0 +1,34 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Scala CI
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK 11
+ uses: actions/setup-java@v4
+ with:
+ java-version: '11'
+ distribution: 'temurin'
+ cache: 'sbt'
+ - name: Run tests
+ run: sbt test
+ # Optional: This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository
+ - name: Upload dependency graph
+ uses: scalacenter/sbt-dependency-submission@ab086b50c947c9774b70f39fc7f6e20ca2706c91
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
new file mode 100644
index 0000000..578dcae
--- /dev/null
+++ b/.github/workflows/snyk-security.yml
@@ -0,0 +1,79 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code,
+# Snyk Container and Snyk Infrastructure as Code)
+# The setup installs the Snyk CLI - for more details on the possible commands
+# check https://docs.snyk.io/snyk-cli/cli-reference
+# The results of Snyk Code are then uploaded to GitHub Security Code Scanning
+#
+# In order to use the Snyk Action you will need to have a Snyk API token.
+# More details in https://github.com/snyk/actions#getting-your-snyk-token
+# or you can signup for free at https://snyk.io/login
+#
+# For more examples, including how to limit scans to only high-severity issues
+# and fail PR checks, see https://github.com/snyk/actions/
+
+name: Snyk Security
+
+on:
+ push:
+ branches: ["main" ]
+ pull_request:
+ branches: ["main"]
+
+permissions:
+ contents: read
+
+jobs:
+ snyk:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Snyk CLI to check for security issues
+ # Snyk can be used to break the build when it detects security issues.
+ # In this case we want to upload the SAST issues to GitHub Code Scanning
+ uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
+
+ # For Snyk Open Source you must first set up the development environment for your application's dependencies
+ # For example for Node
+ #- uses: actions/setup-node@v4
+ # with:
+ # node-version: 20
+
+ env:
+ # This is where you will need to introduce the Snyk API token created with your Snyk account
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+ # Runs Snyk Code (SAST) analysis and uploads result into GitHub.
+ # Use || true to not fail the pipeline
+ - name: Snyk Code test
+ run: snyk code test --sarif > snyk-code.sarif # || true
+
+ # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk.
+ - name: Snyk Open Source monitor
+ run: snyk monitor --all-projects
+
+ # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk.
+ # Use || true to not fail the pipeline.
+ - name: Snyk IaC test and report
+ run: snyk iac test --report # || true
+
+ # Build the docker image for testing
+ - name: Build a Docker image
+ run: docker build -t your/image-to-test .
+ # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk.
+ - name: Snyk Container monitor
+ run: snyk container monitor your/image-to-test --file=Dockerfile
+
+ # Push the Snyk Code results into GitHub Code Scanning tab
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: snyk-code.sarif
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 0000000..817c783
--- /dev/null
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,27 @@
+# This workflow warns and then closes issues and PRs that have had no activity for a specified amount of time.
+#
+# You can adjust the behavior by modifying this file.
+# For more information, see:
+# https://github.com/actions/stale
+name: Mark stale issues and pull requests
+
+on:
+ schedule:
+ - cron: '17 22 * * *'
+
+jobs:
+ stale:
+
+ runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
+
+ steps:
+ - uses: actions/stale@v5
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ stale-issue-message: 'Stale issue message'
+ stale-pr-message: 'Stale pull request message'
+ stale-issue-label: 'no-issue-activity'
+ stale-pr-label: 'no-pr-activity'
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
new file mode 100644
index 0000000..f2c9e97
--- /dev/null
+++ b/.github/workflows/static.yml
@@ -0,0 +1,43 @@
+# Simple workflow for deploying static content to GitHub Pages
+name: Deploy static content to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ # Single deploy job since we're just deploying
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Setup Pages
+ uses: actions/configure-pages@v5
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ # Upload entire repository
+ path: '.'
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
new file mode 100644
index 0000000..af6a923
--- /dev/null
+++ b/.github/workflows/super-linter.yml
@@ -0,0 +1,29 @@
+# This workflow executes several linters on changed files based on languages used in your code base whenever
+# you push a code or open a pull request.
+#
+# You can adjust the behavior by modifying this file.
+# For more information, see:
+# https://github.com/github/super-linter
+name: Lint Code Base
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+jobs:
+ run-lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ # Full git history is needed to get a proper list of changed files within `super-linter`
+ fetch-depth: 0
+
+ - name: Lint Code Base
+ uses: github/super-linter@v4
+ env:
+ VALIDATE_ALL_CODEBASE: false
+ DEFAULT_BRANCH: "main"
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/tencent.yml b/.github/workflows/tencent.yml
new file mode 100644
index 0000000..9032a26
--- /dev/null
+++ b/.github/workflows/tencent.yml
@@ -0,0 +1,79 @@
+# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE) when there is a push to the "main" branch.
+#
+# To configure this workflow:
+#
+# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster,
+# including deployment.yml, kustomization.yml, service.yml, etc.
+#
+# 2. Set up secrets in your workspace:
+# - TENCENT_CLOUD_SECRET_ID with Tencent Cloud secret id
+# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key
+# - TENCENT_CLOUD_ACCOUNT_ID with Tencent Cloud account id
+# - TKE_REGISTRY_PASSWORD with TKE registry password
+#
+# 3. Change the values for the TKE_IMAGE_URL, TKE_REGION, TKE_CLUSTER_ID and DEPLOYMENT_NAME environment variables (below).
+
+name: Tencent Kubernetes Engine
+
+on:
+ push:
+ branches: [ "main" ]
+
+# Environment variables available to all jobs and steps in this workflow
+env:
+ TKE_IMAGE_URL: ccr.ccs.tencentyun.com/demo/mywebapp
+ TKE_REGION: ap-guangzhou
+ TKE_CLUSTER_ID: cls-mywebapp
+ DEPLOYMENT_NAME: tke-test
+
+permissions:
+ contents: read
+
+jobs:
+ setup-build-publish-deploy:
+ name: Setup, Build, Publish, and Deploy
+ runs-on: ubuntu-latest
+ environment: production
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ # Build
+ - name: Build Docker image
+ run: |
+ docker build -t ${TKE_IMAGE_URL}:${GITHUB_SHA} .
+
+ - name: Login TKE Registry
+ run: |
+ docker login -u ${{ secrets.TENCENT_CLOUD_ACCOUNT_ID }} -p '${{ secrets.TKE_REGISTRY_PASSWORD }}' ${TKE_IMAGE_URL}
+
+ # Push the Docker image to TKE Registry
+ - name: Publish
+ run: |
+ docker push ${TKE_IMAGE_URL}:${GITHUB_SHA}
+
+ - name: Set up Kustomize
+ run: |
+ curl -o kustomize --location https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64
+ chmod u+x ./kustomize
+
+ - name: Set up ~/.kube/config for connecting TKE cluster
+ uses: TencentCloud/tke-cluster-credential-action@v1
+ with:
+ secret_id: ${{ secrets.TENCENT_CLOUD_SECRET_ID }}
+ secret_key: ${{ secrets.TENCENT_CLOUD_SECRET_KEY }}
+ tke_region: ${{ env.TKE_REGION }}
+ cluster_id: ${{ env.TKE_CLUSTER_ID }}
+
+ - name: Switch to TKE context
+ run: |
+ kubectl config use-context ${TKE_CLUSTER_ID}-context-default
+
+ # Deploy the Docker image to the TKE cluster
+ - name: Deploy
+ run: |
+ ./kustomize edit set image ${TKE_IMAGE_URL}:${GITHUB_SHA}
+ ./kustomize build . | kubectl apply -f -
+ kubectl rollout status deployment/${DEPLOYMENT_NAME}
+ kubectl get services -o wide
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
new file mode 100644
index 0000000..540e804
--- /dev/null
+++ b/.github/workflows/terraform.yml
@@ -0,0 +1,93 @@
+# This workflow installs the latest version of Terraform CLI and configures the Terraform CLI configuration file
+# with an API token for Terraform Cloud (app.terraform.io). On pull request events, this workflow will run
+# `terraform init`, `terraform fmt`, and `terraform plan` (speculative plan via Terraform Cloud). On push events
+# to the "main" branch, `terraform apply` will be executed.
+#
+# Documentation for `hashicorp/setup-terraform` is located here: https://github.com/hashicorp/setup-terraform
+#
+# To use this workflow, you will need to complete the following setup steps.
+#
+# 1. Create a `main.tf` file in the root of this repository with the `remote` backend and one or more resources defined.
+# Example `main.tf`:
+# # The configuration for the `remote` backend.
+# terraform {
+# backend "remote" {
+# # The name of your Terraform Cloud organization.
+# organization = "example-organization"
+#
+# # The name of the Terraform Cloud workspace to store Terraform state files in.
+# workspaces {
+# name = "example-workspace"
+# }
+# }
+# }
+#
+# # An example resource that does nothing.
+# resource "null_resource" "example" {
+# triggers = {
+# value = "A example resource that does nothing!"
+# }
+# }
+#
+#
+# 2. Generate a Terraform Cloud user API token and store it as a GitHub secret (e.g. TF_API_TOKEN) on this repository.
+# Documentation:
+# - https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html
+# - https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets
+#
+# 3. Reference the GitHub secret in step using the `hashicorp/setup-terraform` GitHub Action.
+# Example:
+# - name: Setup Terraform
+# uses: hashicorp/setup-terraform@v1
+# with:
+# cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+
+name: 'Terraform'
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ terraform:
+ name: 'Terraform'
+ runs-on: ubuntu-latest
+ environment: production
+
+ # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
+ defaults:
+ run:
+ shell: bash
+
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v1
+ with:
+ cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+
+ # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
+ - name: Terraform Init
+ run: terraform init
+
+ # Checks that all Terraform configuration files adhere to a canonical format
+ - name: Terraform Format
+ run: terraform fmt -check
+
+ # Generates an execution plan for Terraform
+ - name: Terraform Plan
+ run: terraform plan -input=false
+
+ # On push to "main", build or change infrastructure according to Terraform configuration files
+ # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
+ - name: Terraform Apply
+ if: github.ref == 'refs/heads/"main"' && github.event_name == 'push'
+ run: terraform apply -auto-approve -input=false
diff --git a/.github/workflows/veracode.yml b/.github/workflows/veracode.yml
new file mode 100644
index 0000000..b5efbed
--- /dev/null
+++ b/.github/workflows/veracode.yml
@@ -0,0 +1,59 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert
+
+name: Veracode Static Analysis Pipeline Scan
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '24 20 * * 1'
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+permissions:
+ contents: read
+
+jobs:
+ # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
+ build-and-pipeline-scan:
+ # The type of runner that the job will run on
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps
+ - uses: actions/checkout@v4
+ with:
+ repository: ''
+
+ - run: zip -r veracode-scan-target.zip ./
+
+ # download the Veracode Static Analysis Pipeline scan jar
+ - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
+ - run: unzip -o pipeline-scan-LATEST.zip
+
+ - uses: actions/setup-java@v4
+ with:
+ java-version: 8
+ distribution: 'temurin'
+ - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
+ continue-on-error: true
+ - name: Convert pipeline scan output to SARIF format
+ id: convert
+ uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
+ with:
+ pipeline-results-json: results.json
+ - uses: github/codeql-action/upload-sarif@v3
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: veracode-results.sarif
diff --git a/.github/workflows/xanitizer.yml b/.github/workflows/xanitizer.yml
new file mode 100644
index 0000000..cf0a5b5
--- /dev/null
+++ b/.github/workflows/xanitizer.yml
@@ -0,0 +1,100 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it,
+# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository.
+#
+# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action
+#
+# To use this basic workflow, you will need to complete the following setup steps:
+#
+# 1. The underlying Xanitizer, used in this workflow, needs a separate license file.
+# Licenses are free of charge for open source projects and for educational usage.
+# To get more information about the Xanitizer licenses and how to obtain a license file,
+# please consult https://www.xanitizer.com/xanitizer-pricing/.
+#
+# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository.
+# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details.
+#
+# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action.
+# Example:
+# - name: Xanitizer Security Analysis
+# uses: RIGS-IT/xanitizer-action@v1
+# with:
+# license: ${{ secrets.XANITIZER_LICENSE }}
+#
+# 4. As a static application security testing (SAST) tool,
+# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully.
+# So you have to install all used libraries and build your project before running the security analysis,
+# e.g. via `mvn compile` for Java or `npm install` for JavaScript
+
+name: "Xanitizer Security Analysis"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '44 23 * * 5'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ xanitizer-security-analysis:
+ # Xanitizer runs on ubuntu-latest and windows-latest.
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+
+ steps:
+ # Check out the repository
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ # Set up the correct Java version for your project
+ # Please comment out, if your project does not contain Java source code.
+ - name: Set up JDK 11
+ uses: actions/setup-java@v4
+ with:
+ java-version: 11
+ distribution: 'temurin'
+
+ # Compile the code for Java projects and get all libraries, e.g. via Maven
+ # Please adapt, if your project uses another build system to compile Java source code.
+ # Please comment out, if your project does not contain Java source code.
+ - name: Compile Java code
+ run: mvn -B compile
+
+ # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm
+ # Please adapt to run `npm install` in the correct directories.
+ # Please adapt, if your project uses another package manager for getting JavaScript libraries.
+ # Please comment out, if your project does not use a package manager for getting JavaScript libraries.
+ - name: Install JavaScript libraries
+ run: npm install
+
+ # Run the security analysis with default settings
+ - name: Xanitizer Security Analysis
+ uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316
+ with:
+ license: ${{ secrets.XANITIZER_LICENSE }}
+
+ # Archiving the findings list reports
+ - uses: actions/upload-artifact@v3
+ with:
+ name: Xanitizer-Reports
+ path: |
+ *-Findings-List.pdf
+ *-Findings-List.sarif
+
+ # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action
+ - uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: Xanitizer-Findings-List.sarif
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..034e848
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 5.1.x | :white_check_mark: |
+| 5.0.x | :x: |
+| 4.0.x | :white_check_mark: |
+| < 4.0 | :x: |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.