From fa4b8a6bd94e70d9bec43baa6dde735296f55810 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:14:55 -0500 Subject: [PATCH 01/81] Create django.yml --- .github/workflows/django.yml | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/django.yml diff --git a/.github/workflows/django.yml b/.github/workflows/django.yml new file mode 100644 index 0000000..9766b45 --- /dev/null +++ b/.github/workflows/django.yml @@ -0,0 +1,30 @@ +name: Django CI + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + build: + + runs-on: ubuntu-latest + strategy: + max-parallel: 4 + matrix: + python-version: [3.7, 3.8, 3.9] + + steps: + - uses: actions/checkout@v4 + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v3 + with: + python-version: ${{ matrix.python-version }} + - name: Install Dependencies + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + - name: Run Tests + run: | + python manage.py test From 28da098f80a69b8b05fa2e410c6ebc795f583b15 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:17:08 -0500 Subject: [PATCH 02/81] Create python-publish.yml --- .github/workflows/python-publish.yml | 39 ++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/python-publish.yml diff --git a/.github/workflows/python-publish.yml b/.github/workflows/python-publish.yml new file mode 100644 index 0000000..b7a704b --- /dev/null +++ b/.github/workflows/python-publish.yml 
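Review bot: django.yml declares no `permissions:` block, so the job runs with whatever default GITHUB_TOKEN scope the repository or organisation happens to be configured with. python-publish.yml and python-app.yml in this series already set a top-level `permissions:` with `contents: read`; adding the same two lines here keeps the test job read-only. pylint.yml, python-package.yml and azure-functions-app-python.yml have the same gap. Separately, the matrix entries `[3.7, 3.8, 3.9]` are unquoted floats; quoting them as pylint.yml does (`["3.8", "3.9", "3.10"]`) avoids a later `3.10` being read as `3.1`.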
@@ -0,0 +1,39 @@ +# This workflow will upload a Python Package using Twine when a release is created +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python#publishing-to-package-registries + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Upload Python Package + +on: + release: + types: [published] + +permissions: + contents: read + +jobs: + deploy: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - name: Set up Python + uses: actions/setup-python@v3 + with: + python-version: '3.x' + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install build + - name: Build package + run: python -m build + - name: Publish package + uses: pypa/gh-action-pypi-publish@27b31702a0e7fc50959f5ad993c78deac1bdfc29 + with: + user: __token__ + password: ${{ secrets.PYPI_API_TOKEN }} From c7a5c307648f527b983ed9280e5b717dbd31af25 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:19:03 -0500 Subject: [PATCH 03/81] Create generator-generic-ossf-slsa3-publish.yml --- .../generator-generic-ossf-slsa3-publish.yml | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/generator-generic-ossf-slsa3-publish.yml diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml new file mode 100644 index 0000000..35c829b --- /dev/null +++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml 
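Review bot: The `Publish package` step authenticates with a long-lived `PYPI_API_TOKEN` stored as a repository secret, and the `deploy` job has no `environment:` gate in front of it. PyPI trusted publishing over OIDC removes the stored token: give the job `permissions:` with `id-token: write` and drop the `user`/`password` inputs. That needs a release of `pypa/gh-action-pypi-publish` that supports it, so check whether the commit pinned here does. Pinning by SHA is the right form, but there is no trailing version comment, so a reviewer cannot tell which release it is; `# <release tag>` after the SHA would fix that.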
@@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you generate SLSA provenance file for your project. +# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA generic generator +on: + workflow_dispatch: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + outputs: + digests: ${{ steps.hash.outputs.digests }} + + steps: + - uses: actions/checkout@v4 + + # ======================================================== + # + # Step 1: Build your artifacts. + # + # ======================================================== + - name: Build artifacts + run: | + # These are some amazing artifacts. + echo "artifact1" > artifact1 + echo "artifact2" > artifact2 + + # ======================================================== + # + # Step 2: Add a step to generate the provenance subjects + # as shown below. Update the sha256 sum arguments + # to include all binaries that you generate + # provenance for. + # + # ======================================================== + - name: Generate subject for provenance + id: hash + run: | + set -euo pipefail + + # List the artifacts the provenance will refer to. + files=$(ls artifact*) + # Generate the subjects (base64 encoded). + echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance: + needs: [build] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. 
+ contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 + with: + base64-subjects: "${{ needs.build.outputs.digests }}" + upload-assets: true # Optional: Upload to a new release From 2e7962643a0d07081cb60c639e42590dc18cef73 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:21:52 -0500 Subject: [PATCH 04/81] Create pylint.yml --- .github/workflows/pylint.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/pylint.yml diff --git a/.github/workflows/pylint.yml b/.github/workflows/pylint.yml new file mode 100644 index 0000000..c73e032 --- /dev/null +++ b/.github/workflows/pylint.yml @@ -0,0 +1,23 @@ +name: Pylint + +on: [push] + +jobs: + build: + runs-on: ubuntu-latest + strategy: + matrix: + python-version: ["3.8", "3.9", "3.10"] + steps: + - uses: actions/checkout@v4 + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v3 + with: + python-version: ${{ matrix.python-version }} + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install pylint + - name: Analysing the code with pylint + run: | + pylint $(git ls-files '*.py') From 9a605d8137ab625af0f5c75df319938f830beeb0 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:22:41 -0500 Subject: [PATCH 05/81] Create python-app.yml --- .github/workflows/python-app.yml | 39 ++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/python-app.yml diff --git a/.github/workflows/python-app.yml b/.github/workflows/python-app.yml new file mode 100644 index 0000000..1168bd9 --- /dev/null +++ b/.github/workflows/python-app.yml 
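Review bot: The `build` job exports `digests: ${{ steps.hash.outputs.digests }}`, but the `hash` step writes its result under the key `hashes`, so `needs.build.outputs.digests` is empty when the `provenance` job passes it as `base64-subjects`. The provenance would then not cover the built artifacts, or the generator would reject the empty input. Write the key that the job output reads: `echo "digests=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"`. `files=$(ls artifact*)` followed by an unquoted `$files` also breaks on names containing whitespace; passing the glob straight to `sha256sum` avoids that.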
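Review bot: `pylint $(git ls-files '*.py')` in pylint.yml relies on unquoted command substitution, so a tracked path containing whitespace or glob characters is split or expanded before pylint sees it, and an empty file list runs `pylint` with no arguments. `git ls-files -z '*.py' | xargs -0 -r pylint` passes each path as a single argument and skips the run when nothing matches. `pip install pylint` is also unpinned, so the lint result can change between runs without any commit.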
@@ -0,0 +1,39 @@ +# This workflow will install Python dependencies, run tests and lint with a single version of Python +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python + +name: Python application + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +permissions: + contents: read + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - name: Set up Python 3.10 + uses: actions/setup-python@v3 + with: + python-version: "3.10" + - name: Install dependencies + run: | + python -m pip install --upgrade pip + pip install flake8 pytest + if [ -f requirements.txt ]; then pip install -r requirements.txt; fi + - name: Lint with flake8 + run: | + # stop the build if there are Python syntax errors or undefined names + flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics + # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide + flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics + - name: Test with pytest + run: | + pytest From 2977cb3e49b1318ec7fd0d0f6c530189cf75de54 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:23:31 -0500 Subject: [PATCH 06/81] Create python-package.yml --- .github/workflows/python-package.yml | 40 ++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 .github/workflows/python-package.yml diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml new file mode 100644 index 0000000..e56abb6 --- /dev/null +++ b/.github/workflows/python-package.yml 
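Review bot: `actions/checkout@v4` and `actions/setup-python@v3` are referenced by mutable tag, so the code that runs can change without a commit to this repository. google.yml in this series pins each action to a full commit SHA with the tag in a trailing comment; the same form here would be `uses: actions/setup-python@<full-commit-sha> # <tag>`. Tag references recur in django.yml, pylint.yml and python-package.yml. They matter most in aws.yml, both Azure workflows and terraform.yml, whose jobs hold deployment credentials. `pip install flake8 pytest` is likewise unpinned.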
@@ -0,0 +1,40 @@ +# This workflow will install Python dependencies, run tests and lint with a variety of Python versions +# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python + +name: Python package + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +jobs: + build: + + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + python-version: ["3.9", "3.10", "3.11"] + + steps: + - uses: actions/checkout@v4 + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@v3 + with: + python-version: ${{ matrix.python-version }} + - name: Install dependencies + run: | + python -m pip install --upgrade pip + python -m pip install flake8 pytest + if [ -f requirements.txt ]; then pip install -r requirements.txt; fi + - name: Lint with flake8 + run: | + # stop the build if there are Python syntax errors or undefined names + flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics + # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide + flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics + - name: Test with pytest + run: | + pytest From 8757f62b6b4de36b855748261fb68c8969aeaec8 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:24:09 -0500 Subject: [PATCH 07/81] Create aws.yml --- .github/workflows/aws.yml | 94 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 .github/workflows/aws.yml diff --git a/.github/workflows/aws.yml b/.github/workflows/aws.yml new file mode 100644 index 0000000..a8219c4 --- /dev/null +++ b/.github/workflows/aws.yml 
@@ -0,0 +1,94 @@ +# This workflow will build and push a new container image to Amazon ECR, +# and then will deploy a new task definition to Amazon ECS, when there is a push to the "main" branch. +# +# To use this workflow, you will need to complete the following set-up steps: +# +# 1. Create an ECR repository to store your images. +# For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. +# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. +# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. +# +# 2. Create an ECS task definition, an ECS cluster, and an ECS service. +# For example, follow the Getting Started guide on the ECS console: +# https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun +# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. +# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. +# +# 3. Store your ECS task definition as a JSON file in your repository. +# The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. +# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. +# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container +# in the `containerDefinitions` section of the task definition. +# +# 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. +# See the documentation for each action used below for the recommended IAM policies for this IAM user, +# and best practices on handling the access key credentials. 
+ +name: Deploy to Amazon ECS + +on: + push: + branches: [ "main" ] + +env: + AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 + ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name + ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name + ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name + ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition + # file, e.g. .aws/task-definition.json + CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the + # containerDefinitions section of your task definition + +permissions: + contents: read + +jobs: + deploy: + name: Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ env.AWS_REGION }} + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 + + - name: Build, tag, and push image to Amazon ECR + id: build-image + env: + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + IMAGE_TAG: ${{ github.sha }} + run: | + # Build a docker container and + # push it to ECR so that it can + # be deployed to ECS. + docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . 
+ docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG + echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT + + - name: Fill in the new image ID in the Amazon ECS task definition + id: task-def + uses: aws-actions/amazon-ecs-render-task-definition@v1 + with: + task-definition: ${{ env.ECS_TASK_DEFINITION }} + container-name: ${{ env.CONTAINER_NAME }} + image: ${{ steps.build-image.outputs.image }} + + - name: Deploy Amazon ECS task definition + uses: aws-actions/amazon-ecs-deploy-task-definition@v1 + with: + task-definition: ${{ steps.task-def.outputs.task-definition }} + service: ${{ env.ECS_SERVICE }} + cluster: ${{ env.ECS_CLUSTER }} + wait-for-service-stability: true From 2fb5b35cee8d222cf21e463711a94744dd787df6 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:24:37 -0500 Subject: [PATCH 08/81] Create azure-functions-app-python.yml --- .../workflows/azure-functions-app-python.yml | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 .github/workflows/azure-functions-app-python.yml diff --git a/.github/workflows/azure-functions-app-python.yml b/.github/workflows/azure-functions-app-python.yml new file mode 100644 index 0000000..28ae31f --- /dev/null +++ b/.github/workflows/azure-functions-app-python.yml 
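Review bot: The `Configure AWS credentials` step is fed a long-lived IAM user key pair (`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`), which stays valid until someone rotates it and is usable from outside GitHub if it leaks. The action can instead assume a role through GitHub's OIDC provider: add `id-token: write` to `permissions:` and replace the two key inputs with `role-to-assume: <ROLE_ARN_PLACEHOLDER>`, with the role's trust policy restricted to this repository and branch. In the build step, `$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG` and `>> $GITHUB_OUTPUT` are unquoted; quoting them would match the style google.yml uses.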
@@ -0,0 +1,65 @@ +# This workflow will build a Python app and deploy it to an Azure Functions App on Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app. +# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-python?pivots=python-mode-configuration +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Action: https://github.com/Azure/functions-action +# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp + +name: Deploy Python project to Azure Function App + +on: + push: + branches: ["main"] + +env: + AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure + AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root + PYTHON_VERSION: '3.9' # set this to the python version to use (e.g. 
'3.6', '3.7', '3.8') + +jobs: + build-and-deploy: + runs-on: ubuntu-latest + environment: dev + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v4 + + # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below + # - name: 'Login via Azure CLI' + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository + + - name: Setup Python ${{ env.PYTHON_VERSION }} Environment + uses: actions/setup-python@v4 + with: + python-version: ${{ env.PYTHON_VERSION }} + + - name: 'Resolve Project Dependencies Using Pip' + shell: bash + run: | + pushd './${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}' + python -m pip install --upgrade pip + pip install -r requirements.txt --target=".python_packages/lib/site-packages" + popd + + - name: 'Run Azure Functions Action' + uses: Azure/functions-action@v1 + id: fa + with: + app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} + package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC + scm-do-build-during-deployment: true + enable-oryx-build: true From f6318c49be9341cbd7782974e686c484a17b9d64 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:26:16 -0500 Subject: [PATCH 09/81] Create azure-webapps-python.yml --- .github/workflows/azure-webapps-python.yml | 86 ++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 .github/workflows/azure-webapps-python.yml diff --git a/.github/workflows/azure-webapps-python.yml b/.github/workflows/azure-webapps-python.yml new file mode 100644 index 0000000..e5c1864 --- /dev/null +++ b/.github/workflows/azure-webapps-python.yml 
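Review bot: `pushd './${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}'` splices a workflow expression into the script text before bash parses it. The value is a constant today, but the same pattern becomes command injection once the value comes from an input or event field, and a path containing `'` already breaks the quoting. The variable is exported to the step's environment, so `pushd "./${AZURE_FUNCTIONAPP_PACKAGE_PATH}"` does the same job without interpolation. This workflow also has no `permissions:` block although it deploys with a publish profile.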
@@ -0,0 +1,86 @@ +# This workflow will build and push a Python application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-python?tabs=bash&pivots=python-framework-flask +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the PYTHON_VERSION environment variables below. 
+# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + +name: Build and deploy Python app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + PYTHON_VERSION: '3.8' # set this to the Python version to use + +on: + push: + branches: [ "main" ] + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Set up Python version + uses: actions/setup-python@v3.0.0 + with: + python-version: ${{ env.PYTHON_VERSION }} + cache: 'pip' + + - name: Create and start virtual environment + run: | + python -m venv venv + source venv/bin/activate + + - name: Install dependencies + run: pip install -r requirements.txt + + # Optional: Add step to run tests here (PyTest, Django test suites, etc.) + + - name: Upload artifact for deployment jobs + uses: actions/upload-artifact@v3 + with: + name: python-app + path: | + . + !venv/ + + deploy: + permissions: + contents: none + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v3 + with: + name: python-app + path: . + + - name: 'Deploy to Azure Web App' + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} From 7130a22cbf804fb96d0de552dc01d9f577749acd Mon Sep 17 00:00:00 2001 
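Review bot: The `Upload artifact for deployment jobs` step archives `.` with only `venv/` excluded, so the checkout's `.git/` directory goes into the artifact. `actions/checkout` by default leaves the job token in `.git/config`; the token is short-lived, but it should not be published alongside build output that others with read access can download. Set `persist-credentials: false` on the checkout step and add `!.git/` to the upload `path:` list. Separately, the `source venv/bin/activate` in `Create and start virtual environment` does not carry over to the next step, so `pip install -r requirements.txt` installs outside the venv.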
From: Melissa1181 Date: Sat, 21 Sep 2024 04:27:10 -0500 Subject: [PATCH 10/81] Create google.yml --- .github/workflows/google.yml | 116 +++++++++++++++++++++++++++++++++++ 1 file changed, 116 insertions(+) create mode 100644 .github/workflows/google.yml diff --git a/.github/workflows/google.yml b/.github/workflows/google.yml new file mode 100644 index 0000000..0b5c7d1 --- /dev/null +++ b/.github/workflows/google.yml 
@@ -0,0 +1,116 @@ +# This workflow will build a docker container, publish it to Google Container +# Registry, and deploy it to GKE when there is a push to the "main" +# branch. +# +# To configure this workflow: +# +# 1. Enable the following Google Cloud APIs: +# +# - Artifact Registry (artifactregistry.googleapis.com) +# - Google Kubernetes Engine (container.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) +# +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. +# +# 2. Ensure that your repository contains the necessary configuration for your +# Google Kubernetes Engine cluster, including deployment.yml, +# kustomization.yml, service.yml, etc. +# +# 3. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. +# +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: +# +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Kubernetes Engine Developer (roles/container.developer) +# +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources +# +# 5. Change the values in the "env" block to match your values. 
+ +name: 'Build and Deploy to GKE' + +on: + push: + branches: + - '"main"' + +env: + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + GAR_LOCATION: 'us-central1' # TODO: update to your region + GKE_CLUSTER: 'cluster-1' # TODO: update to your cluster name + GKE_ZONE: 'us-central1-c' # TODO: update to your cluster zone + DEPLOYMENT_NAME: 'gke-test' # TODO: update to your deployment name + REPOSITORY: 'samples' # TODO: update to your Artifact Registry docker repository name + IMAGE: 'static-site' + WORKLOAD_IDENTITY_PROVIDER: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: update to your workload identity provider + +jobs: + setup-build-publish-deploy: + name: 'Setup, Build, Publish, and Deploy' + runs-on: 'ubuntu-latest' + environment: 'production' + + permissions: + contents: 'read' + id-token: 'write' + + steps: + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 + + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. 
+ - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 + with: + workload_identity_provider: '${{ env.WORKLOAD_IDENTITY_PROVIDER }}' + + # Authenticate Docker to Google Cloud Artifact Registry + - name: 'Docker Auth' + uses: 'docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567' # docker/login-action@v3 + with: + username: 'oauth2accesstoken' + password: '${{ steps.auth.outputs.auth_token }}' + registry: '${{ env.GAR_LOCATION }}-docker.pkg.dev' + + # Get the GKE credentials so we can deploy to the cluster + - name: 'Set up GKE credentials' + uses: 'google-github-actions/get-gke-credentials@6051de21ad50fbb1767bc93c11357a49082ad116' # google-github-actions/get-gke-credentials@v2 + with: + cluster_name: '${{ env.GKE_CLUSTER }}' + location: '${{ env.GKE_ZONE }}' + + # Build the Docker image + - name: 'Build and push Docker container' + run: |- + DOCKER_TAG="${GAR_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${REPOSITORY}/${IMAGE}:${GITHUB_SHA}" + + docker build \ + --tag "${DOCKER_TAG}" \ + --build-arg GITHUB_SHA="${GITHUB_SHA}" \ + --build-arg GITHUB_REF="${GITHUB_REF}" \ + . + + docker push "${DOCKER_TAG}" + + # Set up kustomize + - name: 'Set up Kustomize' + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv5.4.3/kustomize_v5.4.3_linux_amd64.tar.gz + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: 'Deploy to GKE' + run: |- + # replacing the image name in the k8s template + ./kustomize edit set image LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG=$GAR_LOCATION-docker.pkg.dev/$PROJECT_ID/$REPOSITORY/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide From bf5dbb10be0a472585fb61dfa83c5dc2aeef3c81 Mon Sep 17 00:00:00 2001 
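Review bot: `Set up Kustomize` saves the release `.tar.gz` under the name `kustomize` and marks it executable without unpacking it or checking its digest. The next step's `./kustomize edit set image` would therefore be run against a gzip archive, and nothing ties the download to a known-good build. Download to `kustomize.tar.gz`, verify it with `echo "<SHA256_PLACEHOLDER>  kustomize.tar.gz" | sha256sum -c -`, then unpack with `tar -xzf kustomize.tar.gz kustomize`. The trigger filter `- '"main"'` also contains literal double quotes, so it matches a branch named `"main"` rather than `main` and the workflow would not run on normal pushes.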
From: Melissa1181 Date: Sat, 21 Sep 2024 04:28:12 -0500 Subject: [PATCH 11/81] Create terraform.yml --- .github/workflows/terraform.yml | 93 +++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 .github/workflows/terraform.yml diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml new file mode 100644 index 0000000..540e804 --- /dev/null +++ b/.github/workflows/terraform.yml 
@@ -0,0 +1,93 @@ +# This workflow installs the latest version of Terraform CLI and configures the Terraform CLI configuration file +# with an API token for Terraform Cloud (app.terraform.io). On pull request events, this workflow will run +# `terraform init`, `terraform fmt`, and `terraform plan` (speculative plan via Terraform Cloud). On push events +# to the "main" branch, `terraform apply` will be executed. +# +# Documentation for `hashicorp/setup-terraform` is located here: https://github.com/hashicorp/setup-terraform +# +# To use this workflow, you will need to complete the following setup steps. +# +# 1. Create a `main.tf` file in the root of this repository with the `remote` backend and one or more resources defined. +# Example `main.tf`: +# # The configuration for the `remote` backend. +# terraform { +# backend "remote" { +# # The name of your Terraform Cloud organization. +# organization = "example-organization" +# +# # The name of the Terraform Cloud workspace to store Terraform state files in. +# workspaces { +# name = "example-workspace" +# } +# } +# } +# +# # An example resource that does nothing. +# resource "null_resource" "example" { +# triggers = { +# value = "A example resource that does nothing!" +# } +# } +# +# +# 2. Generate a Terraform Cloud user API token and store it as a GitHub secret (e.g. TF_API_TOKEN) on this repository. +# Documentation: +# - https://www.terraform.io/docs/cloud/users-teams-organizations/api-tokens.html +# - https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets +# +# 3. Reference the GitHub secret in step using the `hashicorp/setup-terraform` GitHub Action. 
+# Example: +# - name: Setup Terraform +# uses: hashicorp/setup-terraform@v1 +# with: +# cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} + +name: 'Terraform' + +on: + push: + branches: [ "main" ] + pull_request: + +permissions: + contents: read + +jobs: + terraform: + name: 'Terraform' + runs-on: ubuntu-latest + environment: production + + # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest + defaults: + run: + shell: bash + + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v4 + + # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + with: + cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} + + # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. + - name: Terraform Init + run: terraform init + + # Checks that all Terraform configuration files adhere to a canonical format + - name: Terraform Format + run: terraform fmt -check + + # Generates an execution plan for Terraform + - name: Terraform Plan + run: terraform plan -input=false + + # On push to "main", build or change infrastructure according to Terraform configuration files + # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks + - name: Terraform Apply + if: github.ref == 'refs/heads/"main"' && github.event_name == 'push' + run: terraform apply -auto-approve -input=false From 4586b45fde5a41a7b632f891562372d4d8df1fbc Mon Sep 17 00:00:00 2001 
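Review bot: The `Terraform Apply` condition compares `github.ref` with `'refs/heads/"main"'`, which contains literal double quotes and so never equals the real ref `refs/heads/main`; apply is silently skipped on every push. It should read `if: github.ref == 'refs/heads/main' && github.event_name == 'push'`. Once that is fixed, `terraform apply -auto-approve` runs with the Terraform Cloud token on every push to main, so branch protection is the only review gate unless the `production` environment is given required reviewers. `hashicorp/setup-terraform@v1` receives that token and is referenced by mutable tag.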
From: Melissa1181 Date: Sat, 21 Sep 2024 04:28:47 -0500 Subject: [PATCH 12/81] Create alibabacloud.yml --- .github/workflows/alibabacloud.yml | 122 +++++++++++++++++++++++++++++ 1 file changed, 122 insertions(+) create mode 100644 .github/workflows/alibabacloud.yml diff --git a/.github/workflows/alibabacloud.yml b/.github/workflows/alibabacloud.yml new file mode 100644 index 0000000..94a15c4 --- /dev/null +++ b/.github/workflows/alibabacloud.yml 
@@ -0,0 +1,122 @@
+# This workflow will build and push a new container image to Alibaba Cloud Container Registry (ACR),
+# and then will deploy it to Alibaba Cloud Container Service for Kubernetes (ACK), when there is a push to the "main" branch.
+#
+# To use this workflow, you will need to complete the following set-up steps:
+#
+# 1. Create an ACR repository to store your container images.
+# You can use ACR EE instance for more security and better performance.
+# For instructions see https://www.alibabacloud.com/help/doc-detail/142168.htm
+#
+# 2. Create an ACK cluster to run your containerized application.
+# You can use ACK Pro cluster for more security and better performance.
+# For instructions see https://www.alibabacloud.com/help/doc-detail/95108.htm
+#
+# 3. Store your AccessKey pair in GitHub Actions secrets named `ACCESS_KEY_ID` and `ACCESS_KEY_SECRET`.
+# For instructions on setting up secrets see: https://developer.github.com/actions/managing-workflows/storing-secrets/
+#
+# 4. Change the values for the REGION_ID, REGISTRY, NAMESPACE, IMAGE, ACK_CLUSTER_ID, and ACK_DEPLOYMENT_NAME.
+#
+
+name: Build and Deploy to ACK
+
+on:
+ push:
+ branches: [ "main" ]
+
+# Environment variables available to all jobs and steps in this workflow.
+env:
+ REGION_ID: cn-hangzhou
+ REGISTRY: registry.cn-hangzhou.aliyuncs.com
+ NAMESPACE: namespace
+ IMAGE: repo
+ TAG: ${{ github.sha }}
+ ACK_CLUSTER_ID: clusterID
+ ACK_DEPLOYMENT_NAME: nginx-deployment
+
+ ACR_EE_REGISTRY: myregistry.cn-hangzhou.cr.aliyuncs.com
+ ACR_EE_INSTANCE_ID: instanceID
+ ACR_EE_NAMESPACE: namespace
+ ACR_EE_IMAGE: repo
+ ACR_EE_TAG: ${{ github.sha }}
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ environment: production
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ # 1.1 Login to ACR
+ - name: Login to ACR with the AccessKey pair
+ uses: aliyun/acr-login@v1
+ with:
+ region-id: "${{ env.REGION_ID }}"
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+
+ # 1.2 Build and push image to ACR
+ - name: Build and push image to ACR
+ run: |
+ docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" .
+ docker push "$REGISTRY/$NAMESPACE/$IMAGE:$TAG"
+
+ # 1.3 Scan image in ACR
+ - name: Scan image in ACR
+ uses: aliyun/acr-scan@v1
+ with:
+ region-id: "${{ env.REGION_ID }}"
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+ repository: "${{ env.NAMESPACE }}/${{ env.IMAGE }}"
+ tag: "${{ env.TAG }}"
+
+ # 2.1 (Optional) Login to ACR EE
+ - uses: actions/checkout@v4
+ - name: Login to ACR EE with the AccessKey pair
+ uses: aliyun/acr-login@v1
+ with:
+ login-server: "https://${{ env.ACR_EE_REGISTRY }}"
+ region-id: "${{ env.REGION_ID }}"
+ access-key-id: "${{ secrets.ACCESS_KEY_ID }}"
+ access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}"
+ instance-id: "${{ env.ACR_EE_INSTANCE_ID }}"
+
+ # 2.2 (Optional) Build and push image ACR EE
+ - name: Build and push image to ACR EE
+ run: |
+ docker build -t "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" .
+ docker push "$ACR_EE_REGISTRY/$ACR_EE_NAMESPACE/$ACR_EE_IMAGE:$TAG" + # 2.3 (Optional) Scan image in ACR EE + - name: Scan image in ACR EE + uses: aliyun/acr-scan@v1 + with: + region-id: "${{ env.REGION_ID }}" + access-key-id: "${{ secrets.ACCESS_KEY_ID }}" + access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" + instance-id: "${{ env.ACR_EE_INSTANCE_ID }}" + repository: "${{ env.ACR_EE_NAMESPACE}}/${{ env.ACR_EE_IMAGE }}" + tag: "${{ env.ACR_EE_TAG }}" + + # 3.1 Set ACK context + - name: Set K8s context + uses: aliyun/ack-set-context@v1 + with: + access-key-id: "${{ secrets.ACCESS_KEY_ID }}" + access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" + cluster-id: "${{ env.ACK_CLUSTER_ID }}" + + # 3.2 Deploy the image to the ACK cluster + - name: Set up Kustomize + run: |- + curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash /dev/stdin 3.8.6 + - name: Deploy + run: |- + ./kustomize edit set image REGISTRY/NAMESPACE/IMAGE:TAG=$REGISTRY/$NAMESPACE/$IMAGE:$TAG + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$ACK_DEPLOYMENT_NAME + kubectl get services -o wide From 56a9ec6653d147c1eacabd9b009e9a80a51e3088 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:29:10 -0500 Subject: [PATCH 13/81] Create ibm.yml --- .github/workflows/ibm.yml | 75 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 .github/workflows/ibm.yml diff --git a/.github/workflows/ibm.yml b/.github/workflows/ibm.yml new file mode 100644 index 0000000..f5e8cd8 --- /dev/null +++ b/.github/workflows/ibm.yml 
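Review bot: The `Set up Kustomize` step pipes `install_kustomize.sh` from the `master` branch straight into bash, in the same job that has just set the ACK kube context, so whatever that branch serves at run time executes next to the cluster credentials. Download a fixed release archive instead and check it before use, for example a `curl -fsSLo kustomize.tar.gz` of the pinned release followed by `echo "EXPECTED_SHA256_PLACEHOLDER  kustomize.tar.gz" | sha256sum -c -`. The `aliyun/acr-login@v1`, `aliyun/acr-scan@v1` and `aliyun/ack-set-context@v1` steps receive the AccessKey pair through mutable tags; pinning each to a full commit SHA closes the same gap. The second `- uses: actions/checkout@v4` before the ACR EE login looks redundant.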
@@ -0,0 +1,75 @@
+# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when there is a push to the "main" branch.
+#
+# To configure this workflow:
+#
+# 1. Ensure that your repository contains a Dockerfile
+# 2. Setup secrets in your repository by going to settings: Create ICR_NAMESPACE and IBM_CLOUD_API_KEY
+# 3. Change the values for the IBM_CLOUD_REGION, REGISTRY_HOSTNAME, IMAGE_NAME, IKS_CLUSTER, DEPLOYMENT_NAME, and PORT
+
+name: Build and Deploy to IKS
+
+on:
+ push:
+ branches: [ "main" ]
+
+# Environment variables available to all jobs and steps in this workflow
+env:
+ GITHUB_SHA: ${{ github.sha }}
+ IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }}
+ IBM_CLOUD_REGION: us-south
+ ICR_NAMESPACE: ${{ secrets.ICR_NAMESPACE }}
+ REGISTRY_HOSTNAME: us.icr.io
+ IMAGE_NAME: iks-test
+ IKS_CLUSTER: example-iks-cluster-name-or-id
+ DEPLOYMENT_NAME: iks-test
+ PORT: 5001
+
+jobs:
+ setup-build-publish-deploy:
+ name: Setup, Build, Publish, and Deploy
+ runs-on: ubuntu-latest
+ environment: production
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ # Download and Install IBM Cloud CLI
+ - name: Install IBM Cloud CLI
+ run: |
+ curl -fsSL https://clis.cloud.ibm.com/install/linux | sh
+ ibmcloud --version
+ ibmcloud config --check-version=false
+ ibmcloud plugin install -f kubernetes-service
+ ibmcloud plugin install -f container-registry
+
+ # Authenticate with IBM Cloud CLI
+ - name: Authenticate with IBM Cloud CLI
+ run: |
+ ibmcloud login --apikey "${IBM_CLOUD_API_KEY}" -r "${IBM_CLOUD_REGION}" -g default
+ ibmcloud cr region-set "${IBM_CLOUD_REGION}"
+ ibmcloud cr login
+
+ # Build the Docker image
+ - name: Build with Docker
+ run: |
+ docker build -t "$REGISTRY_HOSTNAME"/"$ICR_NAMESPACE"/"$IMAGE_NAME":"$GITHUB_SHA" \
+ --build-arg GITHUB_SHA="$GITHUB_SHA" \
+ --build-arg GITHUB_REF="$GITHUB_REF" .
+ + # Push the image to IBM Container Registry + - name: Push the image to ICR + run: | + docker push $REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA + + # Deploy the Docker image to the IKS cluster + - name: Deploy to IKS + run: | + ibmcloud ks cluster config --cluster $IKS_CLUSTER + kubectl config current-context + kubectl create deployment $DEPLOYMENT_NAME --image=$REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA --dry-run -o yaml > deployment.yaml + kubectl apply -f deployment.yaml + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl create service loadbalancer $DEPLOYMENT_NAME --tcp=80:$PORT --dry-run -o yaml > service.yaml + kubectl apply -f service.yaml + kubectl get services -o wide From 27f3edd8218832434cac4e51bea6224de207e1bb Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:29:38 -0500 Subject: [PATCH 14/81] Create tencent.yml --- .github/workflows/tencent.yml | 79 +++++++++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 .github/workflows/tencent.yml diff --git a/.github/workflows/tencent.yml b/.github/workflows/tencent.yml new file mode 100644 index 0000000..9032a26 --- /dev/null +++ b/.github/workflows/tencent.yml 
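Review bot: `IBM_CLOUD_API_KEY` is set in the workflow-level `env`, so every step sees it, including the `curl -fsSL https://clis.cloud.ibm.com/install/linux | sh` installer and `docker build`, although only `Authenticate with IBM Cloud CLI` needs it. Move it onto that step as `env:` with `IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }}` and drop it from the top-level block. This workflow also lacks the `permissions:` / `contents: read` block that the Alibaba and Tencent workflows in this series declare, so the job token keeps the repository default scope. In `Push the image to ICR` and `Deploy to IKS` the variables are expanded unquoted (`$REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA`), unlike the build step.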
@@ -0,0 +1,79 @@
+# This workflow will build a docker container, publish and deploy it to Tencent Kubernetes Engine (TKE) when there is a push to the "main" branch.
+#
+# To configure this workflow:
+#
+# 1. Ensure that your repository contains the necessary configuration for your Tencent Kubernetes Engine cluster,
+# including deployment.yml, kustomization.yml, service.yml, etc.
+#
+# 2. Set up secrets in your workspace:
+# - TENCENT_CLOUD_SECRET_ID with Tencent Cloud secret id
+# - TENCENT_CLOUD_SECRET_KEY with Tencent Cloud secret key
+# - TENCENT_CLOUD_ACCOUNT_ID with Tencent Cloud account id
+# - TKE_REGISTRY_PASSWORD with TKE registry password
+#
+# 3. Change the values for the TKE_IMAGE_URL, TKE_REGION, TKE_CLUSTER_ID and DEPLOYMENT_NAME environment variables (below).
+
+name: Tencent Kubernetes Engine
+
+on:
+ push:
+ branches: [ "main" ]
+
+# Environment variables available to all jobs and steps in this workflow
+env:
+ TKE_IMAGE_URL: ccr.ccs.tencentyun.com/demo/mywebapp
+ TKE_REGION: ap-guangzhou
+ TKE_CLUSTER_ID: cls-mywebapp
+ DEPLOYMENT_NAME: tke-test
+
+permissions:
+ contents: read
+
+jobs:
+ setup-build-publish-deploy:
+ name: Setup, Build, Publish, and Deploy
+ runs-on: ubuntu-latest
+ environment: production
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ # Build
+ - name: Build Docker image
+ run: |
+ docker build -t ${TKE_IMAGE_URL}:${GITHUB_SHA} .
+ + - name: Login TKE Registry + run: | + docker login -u ${{ secrets.TENCENT_CLOUD_ACCOUNT_ID }} -p '${{ secrets.TKE_REGISTRY_PASSWORD }}' ${TKE_IMAGE_URL} + + # Push the Docker image to TKE Registry + - name: Publish + run: | + docker push ${TKE_IMAGE_URL}:${GITHUB_SHA} + + - name: Set up Kustomize + run: | + curl -o kustomize --location https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + - name: Set up ~/.kube/config for connecting TKE cluster + uses: TencentCloud/tke-cluster-credential-action@v1 + with: + secret_id: ${{ secrets.TENCENT_CLOUD_SECRET_ID }} + secret_key: ${{ secrets.TENCENT_CLOUD_SECRET_KEY }} + tke_region: ${{ env.TKE_REGION }} + cluster_id: ${{ env.TKE_CLUSTER_ID }} + + - name: Switch to TKE context + run: | + kubectl config use-context ${TKE_CLUSTER_ID}-context-default + + # Deploy the Docker image to the TKE cluster + - name: Deploy + run: | + ./kustomize edit set image ${TKE_IMAGE_URL}:${GITHUB_SHA} + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/${DEPLOYMENT_NAME} + kubectl get services -o wide From c1071c2299bd262f714115ebbb54b9d8e8803b46 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:30:21 -0500 Subject: [PATCH 15/81] Create openshift.yml --- .github/workflows/openshift.yml | 202 ++++++++++++++++++++++++++++++++ 1 file changed, 202 insertions(+) create mode 100644 .github/workflows/openshift.yml diff --git a/.github/workflows/openshift.yml b/.github/workflows/openshift.yml new file mode 100644 index 0000000..f4e69a9 --- /dev/null +++ b/.github/workflows/openshift.yml 
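Review bot: In `Login TKE Registry` the registry password is expanded by the expression engine into the script text and passed with `-p`, so it lands on the docker command line, and a password containing a single quote would break out of the quoting. Hand both secrets to the step through `env:` and feed the password with `--password-stdin`, as in the block below. The `Set up Kustomize` step downloads a binary and marks it executable without checking a digest; a `sha256sum -c` against a recorded value would be worth adding there.

```yaml
- name: Login TKE Registry
  env:
    TKE_REGISTRY_USER: ${{ secrets.TENCENT_CLOUD_ACCOUNT_ID }}
    TKE_REGISTRY_PASSWORD: ${{ secrets.TKE_REGISTRY_PASSWORD }}
  run: |
    printf '%s' "$TKE_REGISTRY_PASSWORD" | docker login -u "$TKE_REGISTRY_USER" --password-stdin "${TKE_IMAGE_URL}"
```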
@@ -0,0 +1,202 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# ๐Ÿ’ The OpenShift Starter workflow will: +# - Checkout your repository +# - Perform a container image build +# - Push the built image to the GitHub Container Registry (GHCR) +# - Log in to your OpenShift cluster +# - Create an OpenShift app from the image and expose it to the internet + +# โ„น๏ธ Configure your repository and the workflow with the following steps: +# 1. Have access to an OpenShift cluster. Refer to https://www.openshift.com/try +# 2. Create the OPENSHIFT_SERVER and OPENSHIFT_TOKEN repository secrets. Refer to: +# - https://github.com/redhat-actions/oc-login#readme +# - https://docs.github.com/en/actions/reference/encrypted-secrets +# - https://cli.github.com/manual/gh_secret_set +# 3. (Optional) Edit the top-level 'env' section as marked with '๐Ÿ–Š๏ธ' if the defaults are not suitable for your project. +# 4. (Optional) Edit the build-image step to build your project. +# The default build type is by using a Dockerfile at the root of the repository, +# but can be replaced with a different file, a source-to-image build, or a step-by-step buildah build. +# 5. Commit and push the workflow file to your default branch to trigger a workflow run. + +# ๐Ÿ‘‹ Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. + +name: OpenShift + +env: + # ๐Ÿ–Š๏ธ EDIT your repository secrets to log into your OpenShift cluster and set up the context. + # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. 
+ # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions + OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} + OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} + # ๐Ÿ–Š๏ธ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace. + OPENSHIFT_NAMESPACE: "" + + # ๐Ÿ–Š๏ธ EDIT to set a name for your OpenShift app, or a default one will be generated below. + APP_NAME: "" + + # ๐Ÿ–Š๏ธ EDIT with the port your application should be accessible on. + # If the container image exposes *exactly one* port, this can be left blank. + # Refer to the 'port' input of https://github.com/redhat-actions/oc-new-app + APP_PORT: "" + + # ๐Ÿ–Š๏ธ EDIT to change the image registry settings. + # Registries such as GHCR, Quay.io, and Docker Hub are supported. + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + IMAGE_REGISTRY_USER: ${{ github.actor }} + IMAGE_REGISTRY_PASSWORD: ${{ github.token }} + + # ๐Ÿ–Š๏ธ EDIT to specify custom tags for the container image, or default tags will be generated below. + IMAGE_TAGS: "" + +on: + # https://docs.github.com/en/actions/reference/events-that-trigger-workflows + workflow_dispatch: + push: + # Edit to the branch(es) you want to build and deploy on each push. + branches: [ "main" ] + +jobs: + # ๐Ÿ–Š๏ธ EDIT if you want to run vulnerability check on your project before deploying + # the application. Please uncomment the below CRDA scan job and configure to run it in + # your workflow. For details about CRDA action visit https://github.com/redhat-actions/crda/blob/main/README.md + # + # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab. 
+ # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows + + #crda-scan: + # uses: ./.github/workflows/crda.yml + # secrets: + # CRDA_KEY: ${{ secrets.CRDA_KEY }} + # # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY + + openshift-ci-cd: + # ๐Ÿ–Š๏ธ Uncomment this if you are using CRDA scan step above + # needs: crda-scan + name: Build and deploy to OpenShift + runs-on: ubuntu-20.04 + environment: production + + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + + steps: + - name: Check for required secrets + uses: actions/github-script@v6 + with: + script: | + const secrets = { + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const GHCR = "ghcr.io"; + if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { + core.info(`Image registry is ${GHCR} - no registry password required`); + } + else { + core.info("A registry password is required"); + secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; + } + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.error(`Secret "${name}" is not set`); + return true; + } + core.info(`โœ”๏ธ Secret "${name}" is set`); + return false; + }); + + if (missingSecrets.length > 0) { + core.setFailed(`โŒ At least one required secret is not set in the repository. 
\n` + + "You can add it using:\n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`โœ… All the required secrets are set`); + } + + - name: Check out repository + uses: actions/checkout@v4 + + - name: Determine app name + if: env.APP_NAME == '' + run: | + echo "APP_NAME=$(basename $PWD)" | tee -a $GITHUB_ENV + + - name: Determine image tags + if: env.IMAGE_TAGS == '' + run: | + echo "IMAGE_TAGS=latest ${GITHUB_SHA::12}" | tee -a $GITHUB_ENV + + # https://github.com/redhat-actions/buildah-build#readme + - name: Build from Dockerfile + id: build-image + uses: redhat-actions/buildah-build@v2 + with: + image: ${{ env.APP_NAME }} + tags: ${{ env.IMAGE_TAGS }} + + # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs + # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build + # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root. 
+ dockerfiles: | + ./Dockerfile + + # https://github.com/redhat-actions/push-to-registry#readme + - name: Push to registry + id: push-image + uses: redhat-actions/push-to-registry@v2 + with: + image: ${{ steps.build-image.outputs.image }} + tags: ${{ steps.build-image.outputs.tags }} + registry: ${{ env.IMAGE_REGISTRY }} + username: ${{ env.IMAGE_REGISTRY_USER }} + password: ${{ env.IMAGE_REGISTRY_PASSWORD }} + + # The path the image was pushed to is now stored in ${{ steps.push-image.outputs.registry-path }} + + - name: Install oc + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: 4 + + # https://github.com/redhat-actions/oc-login#readme + - name: Log in to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.OPENSHIFT_NAMESPACE }} + + # This step should create a deployment, service, and route to run your app and expose it to the internet. + # https://github.com/redhat-actions/oc-new-app#readme + - name: Create and expose app + id: deploy-and-expose + uses: redhat-actions/oc-new-app@v1 + with: + app_name: ${{ env.APP_NAME }} + image: ${{ steps.push-image.outputs.registry-path }} + namespace: ${{ env.OPENSHIFT_NAMESPACE }} + port: ${{ env.APP_PORT }} + + - name: Print application URL + env: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + run: | + [[ -n ${{ env.ROUTE }} ]] || (echo "Determining application route failed in previous step"; exit 1) + echo + echo "======================== Your application is available at: ========================" + echo ${{ env.ROUTE }} + echo "===================================================================================" + echo + echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\"" From e3bd123c73a09b85446be585ba3f0833ece946d3 Mon Sep 17 00:00:00 2001 
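Review bot: `Log in to OpenShift` sets `insecure_skip_tls_verify: true`, so the cluster token in `OPENSHIFT_TOKEN` is sent to a server whose certificate is never checked. Set it to `false` and, for a cluster with a private CA, pass the CA through the action's `certificate_authority_data` input. In `Print application URL`, `${{ env.ROUTE }}` and `${{ env.SELECTOR }}` are pasted into the script text before bash runs; the step already exports both, so `[[ -n "$ROUTE" ]]` and `echo "$ROUTE"` do the same job without re-parsing the value as shell. The job pushes to GHCR with `github.token` but declares no `permissions:` block, so it depends on the repository default token scope.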
From: Melissa1181 Date: Sat, 21 Sep 2024 04:31:39 -0500 Subject: [PATCH 16/81] Create azure-webapps-node.yml --- .github/workflows/azure-webapps-node.yml | 78 ++++++++++++++++++++++++ 1 file changed, 78 insertions(+) create mode 100644 .github/workflows/azure-webapps-node.yml diff --git a/.github/workflows/azure-webapps-node.yml b/.github/workflows/azure-webapps-node.yml new file mode 100644 index 0000000..ac864be --- /dev/null +++ b/.github/workflows/azure-webapps-node.yml 
@@ -0,0 +1,78 @@ +# This workflow will build and push a node.js application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-nodejs?tabs=linux&pivots=development-environment-cli +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the AZURE_WEBAPP_PACKAGE_PATH and NODE_VERSION environment variables below. +# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + +on: + push: + branches: [ "main" ] + workflow_dispatch: + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to your application's name + AZURE_WEBAPP_PACKAGE_PATH: '.' 
# set this to the path to your web app project, defaults to the repository root + NODE_VERSION: '20.x' # set this to the node version to use + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Set up Node.js + uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + cache: 'npm' + + - name: npm install, build, and test + run: | + npm install + npm run build --if-present + npm run test --if-present + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v3 + with: + name: node-app + path: . + + deploy: + permissions: + contents: none + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v3 + with: + name: node-app + + - name: 'Deploy to Azure WebApp' + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} From e5daf57aa48b2bbeea07a612217ed1b0f6dd693b Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:32:49 -0500 Subject: [PATCH 17/81] Create azure-kubernetes-service-kustomize.yml --- .../azure-kubernetes-service-kustomize.yml | 121 ++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 .github/workflows/azure-kubernetes-service-kustomize.yml diff --git a/.github/workflows/azure-kubernetes-service-kustomize.yml b/.github/workflows/azure-kubernetes-service-kustomize.yml new file mode 100644 index 0000000..ac213c2 --- /dev/null +++ b/.github/workflows/azure-kubernetes-service-kustomize.yml 
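Review bot: `Upload artifact for deployment job` uploads `path: .`, which takes in the `.git` directory, and `actions/checkout@v4` by default leaves the job token in `.git/config`; with `upload-artifact@v3` hidden files are part of the archive, so the token can end up in a downloadable artifact for as long as it is valid. Add `with:` / `persist-credentials: false` to the checkout step and narrow the upload to the files the deploy job needs. `npm install` resolves versions at run time, while `npm ci` installs exactly what the lockfile records.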
@@ -0,0 +1,121 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# The ACR should be attached to the AKS cluster
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kustomize.
+# Set your kustomizationPath and kubectl-version to suit your configuration.
+# - KUSTOMIZE_PATH (the path where your Kustomize manifests are located)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Kustomize
+
+on:
+ push:
+ branches: ["main"]
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ KUSTOMIZE_PATH: "your-kustomize-path"
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v4
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+ + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v4 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Use kubelogin to configure your kubeconfig for Azure auth + - name: Set up kubelogin for non-interactive login + uses: azure/use-kubelogin@v1 + with: + kubelogin-version: 'v0.0.25' + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + admin: 'false' + use-kubelogin: 'true' + + # Runs Kustomize to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2 + with: + renderEngine: "kustomize" + kustomizationPath: ${{ env.KUSTOMIZE_PATH }} + kubectl-version: latest + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} From 384d04a336f8386db34310570fc983e8dfbdb05d Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:33:55 -0500 Subject: [PATCH 18/81] Create azure-kubernetes-service-kompose.yml --- .../azure-kubernetes-service-kompose.yml | 121 ++++++++++++++++++ 1 file changed, 121 insertions(+) create mode 100644 .github/workflows/azure-kubernetes-service-kompose.yml diff --git a/.github/workflows/azure-kubernetes-service-kompose.yml b/.github/workflows/azure-kubernetes-service-kompose.yml new file mode 100644 index 0000000..33bcead --- /dev/null 
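Review bot: `Bake deployment` uses `kubectl-version: latest`, so the tool that renders the manifests can change between runs of a job that holds `id-token: write` and cluster access; pin it to the version validated against the cluster, e.g. `kubectl-version: 'PINNED_VERSION_PLACEHOLDER'`. The Kompose workflow in PATCH 18/81 has the same pattern with `kompose-version: "latest"`. Both file headers list `IMAGE_PULL_SECRET_NAME` among the environment variables to set, but neither `env:` block defines it and no step reads it, so the comment should be dropped or the variable wired in.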
+++ b/.github/workflows/azure-kubernetes-service-kompose.yml 
@@ -0,0 +1,121 @@
+# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code
+#
+# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR)
+# The ACR should be attached to the AKS cluster
+# For instructions see:
+# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal
+# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal
+# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters
+# - https://github.com/Azure/aks-create-action
+#
+# To configure this workflow:
+#
+# 1. Set the following secrets in your repository (instructions for getting these
+# https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux):
+# - AZURE_CLIENT_ID
+# - AZURE_TENANT_ID
+# - AZURE_SUBSCRIPTION_ID
+#
+# 2. Set the following environment variables (or replace the values below):
+# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR)
+# - CONTAINER_NAME (name of the container image you would like to push up to your ACR)
+# - RESOURCE_GROUP (where your cluster is deployed)
+# - CLUSTER_NAME (name of your AKS cluster)
+# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image)
+#
+# 3. Choose the appropriate render engine for the bake step https://github.com/Azure/k8s-bake. The config below assumes Kompose.
+# Set your dockerComposeFile and kompose-version to suit your configuration.
+# - DOCKER_COMPOSE_FILE_PATH (the path where your Kompose deployment manifest is located)
+#
+# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions
+# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples
+# For more options with the actions used below please refer to https://github.com/Azure/login
+
+name: Build and deploy an app to AKS with Kompose
+
+on:
+ push:
+ branches: ["main"]
+ workflow_dispatch:
+
+env:
+ AZURE_CONTAINER_REGISTRY: "your-azure-container-registry"
+ CONTAINER_NAME: "your-container-name"
+ RESOURCE_GROUP: "your-resource-group"
+ CLUSTER_NAME: "your-cluster-name"
+ DOCKER_COMPOSE_FILE_PATH: "your-docker-compose-file-path"
+
+jobs:
+ buildImage:
+ permissions:
+ contents: read
+ id-token: write
+ runs-on: ubuntu-latest
+ steps:
+ # Checks out the repository this file is in
+ - uses: actions/checkout@v4
+
+ # Logs in with your Azure credentials
+ - name: Azure login
+ uses: azure/login@v1.4.6
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ # Builds and pushes an image up to your Azure Container Registry
+ - name: Build and push image to ACR
+ run: |
+ az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} .
+ + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v4 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Use kubelogin to configure your kubeconfig for Azure auth + - name: Set up kubelogin for non-interactive login + uses: azure/use-kubelogin@v1 + with: + kubelogin-version: 'v0.0.25' + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + admin: 'false' + use-kubelogin: 'true' + + # Runs Kompose to create manifest files + - name: Bake deployment + uses: azure/k8s-bake@v2 + with: + renderEngine: "kompose" + dockerComposeFile: ${{ env.DOCKER_COMPOSE_FILE_PATH }} + kompose-version: "latest" + id: bake + + # Deploys application based on manifest files from previous step + - name: Deploy application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ steps.bake.outputs.manifestsBundle }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} From 340fb6c00ada521fd6b4628c75eac6b590683e59 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:34:49 -0500 Subject: [PATCH 19/81] Create azure-functions-app-container.yml --- .../azure-functions-app-container.yml | 79 +++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 .github/workflows/azure-functions-app-container.yml diff --git a/.github/workflows/azure-functions-app-container.yml b/.github/workflows/azure-functions-app-container.yml new file mode 100644 index 0000000..aa4a1bd --- /dev/null 
+++ b/.github/workflows/azure-functions-app-container.yml 
@@ -0,0 +1,79 @@ +# This workflow will build a container and deploy it to an Azure Functions App on Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app. +# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/functions-create-function-linux-custom-image?tabs=in-process%2Cbash%2Cazure-cli&pivots=programming-language-csharp +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_RBAC_CREDENTIALS +# - REGISTRY_USERNAME +# - REGISTRY_PASSWORD +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Container Action: https://github.com/Azure/functions-container-action +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp + +name: Deploy container to Azure Functions App + +on: + push: + branches: ["main"] + +permissions: + contents: read + +env: + AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure + LOGIN_SERVER: 'login-server' # set this to login server for your private container registry (e.g. 
'contoso.azurecr.io', 'index.docker.io' ) + REGISTRY: 'your-registry' # set this to proper value for REGISTRY + NAMESPACE: 'your-namespace' # set this to proper value for NAMESPACE + IMAGE: 'your-image' # set this to proper value for IMAGE + TAG: 'your-tag' # set this to proper value for TAG + +jobs: + build-and-deploy: + runs-on: ubuntu-latest + environment: dev + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v4 + + - name: 'Login via Azure CLI' + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} + + - name: 'Docker Login' + uses: azure/docker-login@v1 + with: + login-server: ${{ env.LOGIN_SERVER }} + username: ${{ secrets.REGISTRY_USERNAME }} + password: ${{ secrets.REGISTRY_PASSWORD }} + + - name: 'Compose Customized Docker Image' + shell: bash + run: | + # If your function app project is not located in your repository's root + # Please change the path to your directory for docker build + docker build . -t ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} + docker push ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} + + - name: 'Run Azure Functions Container Action' + uses: Azure/functions-container-action@v1 + id: fa + with: + app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} + image: ${{ env.REGISTRY }}/${{ env.NAMESPACE }}/${{ env.IMAGE }}:${{ env.TAG }} + + # If you want to display or use the functionapp url, then uncomment the task below + #- name: 'Published functionapp url' + # run: | + # echo "${{ steps.fa.outputs.app-url }}" + + - name: Azure logout + run: | + az logout From b99a0e17247176f83caa5ec8814b874b5ad991f6 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:36:11 -0500 Subject: [PATCH 20/81] Create azure-functions-app-nodejs.yml --- .../workflows/azure-functions-app-nodejs.yml | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/azure-functions-app-nodejs.yml 
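Review bot: The three Azure actions in this workflow are referenced by mutable tag (`azure/login@v1`, `azure/docker-login@v1`, `Azure/functions-container-action@v1`) even though they are handed `AZURE_RBAC_CREDENTIALS` and the registry password, so whoever can move those tags decides what code sees the secrets. Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: azure/login@<full-commit-sha> # v1`, as the google-cloudrun-source.yml and azure-container-webapp.yml patches in this series already do for their Google and Docker actions. The same applies to the tag-pinned Azure actions in the nodejs, dotnet, powershell, azure-kubernetes-service, java-jar, container-webapp (`azure/webapps-deploy@v2`) and staticwebapp workflows. Separately, the final `Azure logout` step runs only when every earlier step succeeds; adding `if: always()` would end the CLI session on failed runs too.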
diff --git a/.github/workflows/azure-functions-app-nodejs.yml b/.github/workflows/azure-functions-app-nodejs.yml new file mode 100644 index 0000000..cb158eb --- /dev/null +++ b/.github/workflows/azure-functions-app-nodejs.yml 
@@ -0,0 +1,66 @@ +# This workflow will build a Node.js project and deploy it to an Azure Functions App on Windows or Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app. +# For instructions see: +# - https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-node +# - https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-typescript +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Action: https://github.com/Azure/functions-action +# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp + +name: Deploy Node.js project to Azure Function App + +on: + push: + branches: ["main"] + +env: + AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure + AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root + NODE_VERSION: '20.x' # set this to the node version to use (e.g. 
'8.x', '10.x', '12.x') + +jobs: + build-and-deploy: + runs-on: windows-latest # For Linux, use ubuntu-latest + environment: dev + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v4 + + # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below + # - name: 'Login via Azure CLI' + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository + + - name: Setup Node ${{ env.NODE_VERSION }} Environment + uses: actions/setup-node@v4 + with: + node-version: ${{ env.NODE_VERSION }} + + - name: 'Resolve Project Dependencies Using Npm' + shell: pwsh # For Linux, use bash + run: | + pushd './${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}' + npm install + npm run build --if-present + npm run test --if-present + popd + + - name: 'Run Azure Functions Action' + uses: Azure/functions-action@v1 + id: fa + with: + app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} + package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC From 75a69c46a6e5ae041125e5474b9a1c8534c2b7b9 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:36:49 -0500 Subject: [PATCH 21/81] Create google-cloudrun-source.yml --- .github/workflows/google-cloudrun-source.yml | 75 ++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 .github/workflows/google-cloudrun-source.yml diff --git a/.github/workflows/google-cloudrun-source.yml b/.github/workflows/google-cloudrun-source.yml new file mode 100644 index 0000000..f0191b9 --- /dev/null +++ b/.github/workflows/google-cloudrun-source.yml 
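Review bot: This workflow has no `permissions:` block, so the job's `GITHUB_TOKEN` gets whatever default the repository or organisation is configured with, which may include write access. The container workflow earlier in the series sets a top-level `permissions:` with `contents: read`, and this one should too. The dotnet and powershell Functions workflows later in the series have the same gap. In the dependency step, `npm install` may resolve versions other than the locked ones; assuming the project commits a lockfile, `npm ci` installs exactly what is locked and fails on a mismatch, which suits a job that goes on to deploy with the publish profile.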
@@ -0,0 +1,75 @@ +# This workflow will deploy source code on Cloud Run when a commit is pushed to +# the "main" branch. +# +# To configure this workflow: +# +# 1. Enable the following Google Cloud APIs: +# +# - Artifact Registry (artifactregistry.googleapis.com) +# - Cloud Build (cloudbuild.googleapis.com) +# - Cloud Run (run.googleapis.com) +# - IAM Credentials API (iamcredentials.googleapis.com) +# +# You can learn more about enabling APIs at +# https://support.google.com/googleapi/answer/6158841. +# +# 2. Create and configure a Workload Identity Provider for GitHub: +# https://github.com/google-github-actions/auth#preferred-direct-workload-identity-federation. +# +# Depending on how you authenticate, you will need to grant an IAM principal +# permissions on Google Cloud: +# +# - Artifact Registry Administrator (roles/artifactregistry.admin) +# - Cloud Run Source Developer (roles/run.sourceDeveloper) +# +# You can learn more about setting IAM permissions at +# https://cloud.google.com/iam/docs/manage-access-other-resources. +# +# 3. Change the values in the "env" block to match your values. + +name: 'Deploy to Cloud Run from Source' + +on: + push: + branches: + - '"main"' + +env: + PROJECT_ID: 'my-project' # TODO: update to your Google Cloud project ID + REGION: 'us-central1' # TODO: update to your region + SERVICE: 'my-service' # TODO: update to your service name + +jobs: + deploy: + runs-on: 'ubuntu-latest' + + permissions: + contents: 'read' + id-token: 'write' + + steps: + - name: 'Checkout' + uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # actions/checkout@v4 + + # Configure Workload Identity Federation and generate an access token. + # + # See https://github.com/google-github-actions/auth for more options, + # including authenticating via a JSON credentials file. 
+ - id: 'auth' + name: 'Authenticate to Google Cloud' + uses: 'google-github-actions/auth@f112390a2df9932162083945e46d439060d66ec2' # google-github-actions/auth@v2 + with: + workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider' # TODO: replace with your workload identity provider + + - name: 'Deploy to Cloud Run' + uses: 'google-github-actions/deploy-cloudrun@33553064113a37d688aa6937bacbdc481580be17' # google-github-actions/deploy-cloudrun@v2 + with: + service: '${{ env.SERVICE }}' + region: '${{ env.REGION }}' + # NOTE: If using a different source folder, update the image name below: + source: './' + + # If required, use the Cloud Run URL output in later steps + - name: 'Show output' + run: |- + echo ${{ steps.deploy.outputs.url }} From 2f5005a3558bf88f7f29393984715470537f3398 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:37:33 -0500 Subject: [PATCH 22/81] Create azure-kubernetes-service.yml --- .../workflows/azure-kubernetes-service.yml | 108 ++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 .github/workflows/azure-kubernetes-service.yml diff --git a/.github/workflows/azure-kubernetes-service.yml b/.github/workflows/azure-kubernetes-service.yml new file mode 100644 index 0000000..1ff5b6b --- /dev/null +++ b/.github/workflows/azure-kubernetes-service.yml 
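Review bot: The push filter is written as `- '"main"'`, which names a branch literally called `"main"` with the double quotes included, so pushes to `main` will not trigger this workflow; it should be `- 'main'`. The last step echoes `steps.deploy.outputs.url`, but no step declares `id: 'deploy'`, so the expression evaluates to an empty string; add `id: 'deploy'` to the 'Deploy to Cloud Run' step. Once that is fixed, passing the URL through the step's `env:` and echoing `"$URL"` would keep the step output from being expanded directly into the shell script.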
@@ -0,0 +1,108 @@ +# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code +# +# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) +# The ACR should be attached to the AKS cluster +# For instructions see: +# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal +# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal +# - https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters +# - https://github.com/Azure/aks-create-action +# +# To configure this workflow: +# +# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): +# - AZURE_CLIENT_ID +# - AZURE_TENANT_ID +# - AZURE_SUBSCRIPTION_ID +# +# 2. 
Set the following environment variables (or replace the values below): +# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) +# - RESOURCE_GROUP (where your cluster is deployed) +# - CLUSTER_NAME (name of your AKS cluster) +# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) +# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) +# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment) +# +# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions +# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples +# For more options with the actions used below please refer to https://github.com/Azure/login + +name: Build and deploy an app to AKS + +on: + push: + branches: ["main"] + workflow_dispatch: + +env: + AZURE_CONTAINER_REGISTRY: "your-azure-container-registry" + CONTAINER_NAME: "your-container-name" + RESOURCE_GROUP: "your-resource-group" + CLUSTER_NAME: "your-cluster-name" + DEPLOYMENT_MANIFEST_PATH: "your-deployment-manifest-path" + +jobs: + buildImage: + permissions: + contents: read + id-token: write + runs-on: ubuntu-latest + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v4 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Builds and pushes an image up to your Azure Container Registry + - name: Build and push image to ACR + run: | + az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} . 
+ + deploy: + permissions: + actions: read + contents: read + id-token: write + runs-on: ubuntu-latest + needs: [buildImage] + steps: + # Checks out the repository this file is in + - uses: actions/checkout@v4 + + # Logs in with your Azure credentials + - name: Azure login + uses: azure/login@v1.4.6 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + + # Use kubelogin to configure your kubeconfig for Azure auth + - name: Set up kubelogin for non-interactive login + uses: azure/use-kubelogin@v1 + with: + kubelogin-version: 'v0.0.25' + + # Retrieves your Azure Kubernetes Service cluster's kubeconfig file + - name: Get K8s context + uses: azure/aks-set-context@v3 + with: + resource-group: ${{ env.RESOURCE_GROUP }} + cluster-name: ${{ env.CLUSTER_NAME }} + admin: 'false' + use-kubelogin: 'true' + + # Deploys application based on given manifest file + - name: Deploys application + uses: Azure/k8s-deploy@v4 + with: + action: deploy + manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} + images: | + ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} From 35adbf9179ba7de23e2edf9f57d420c4f03cd606 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:38:07 -0500 Subject: [PATCH 23/81] Create azure-functions-app-dotnet.yml --- .../workflows/azure-functions-app-dotnet.yml | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 .github/workflows/azure-functions-app-dotnet.yml diff --git a/.github/workflows/azure-functions-app-dotnet.yml b/.github/workflows/azure-functions-app-dotnet.yml new file mode 100644 index 0000000..0f87700 --- /dev/null +++ b/.github/workflows/azure-functions-app-dotnet.yml 
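Review bot: The `deploy` job requests `id-token: write` and applies manifests to the cluster without declaring an `environment:`, while the workflow can also be started through `workflow_dispatch`, which can be run against any branch that contains this file. Adding `environment: <your-environment>` (the Functions workflows in this series use `environment: dev`) lets the Azure federated credential be bound to that environment instead of a branch ref and puts the deploy behind any protection rules configured for it. How the federated credential's subject is actually set up is not visible from this patch, so treat this as a hardening suggestion. The header comment also lists `IMAGE_PULL_SECRET_NAME`, which the `env:` block does not define and no step reads; drop it from the list or wire it in.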
@@ -0,0 +1,62 @@ +# This workflow will build a .NET Core project and deploy it to an Azure Functions App on Windows or Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app. +# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-csharp?tabs=in-process +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Action: https://github.com/Azure/functions-action +# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp + +name: Deploy DotNet project to Azure Function App + +on: + push: + branches: ["main"] + +env: + AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure + AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' # set this to the path to your function app project, defaults to the repository root + DOTNET_VERSION: '6.0.x' # set this to the dotnet version to use (e.g. 
'2.1.x', '3.1.x', '5.0.x') + +jobs: + build-and-deploy: + runs-on: windows-latest # For Linux, use ubuntu-latest + environment: dev + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v4 + + # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below + # - name: 'Login via Azure CLI' + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository + + - name: Setup DotNet ${{ env.DOTNET_VERSION }} Environment + uses: actions/setup-dotnet@v4 + with: + dotnet-version: ${{ env.DOTNET_VERSION }} + + - name: 'Resolve Project Dependencies Using Dotnet' + shell: pwsh # For Linux, use bash + run: | + pushd './${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}' + dotnet build --configuration Release --output ./output + popd + + - name: 'Run Azure Functions Action' + uses: Azure/functions-action@v1 + id: fa + with: + app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} + package: '${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}/output' + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC From 5366e4fa3fdeb7bc4d6a93bac90c16d44ffc5fbd Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:39:24 -0500 Subject: [PATCH 24/81] Create azure-functions-app-powershell.yml --- .../azure-functions-app-powershell.yml | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/azure-functions-app-powershell.yml diff --git a/.github/workflows/azure-functions-app-powershell.yml b/.github/workflows/azure-functions-app-powershell.yml new file mode 100644 index 0000000..848994e --- /dev/null +++ b/.github/workflows/azure-functions-app-powershell.yml 
@@ -0,0 +1,49 @@ +# This workflow will deploy a PowerShell project to an Azure Functions App on Windows or Linux when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure Functions app. +# For instructions see https://learn.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-powershell +# +# To configure this workflow: +# 1. Set up the following secrets in your repository: +# - AZURE_FUNCTIONAPP_PUBLISH_PROFILE +# 2. Change env variables for your configuration. +# +# For more information on: +# - GitHub Actions for Azure: https://github.com/Azure/Actions +# - Azure Functions Action: https://github.com/Azure/functions-action +# - Publish Profile: https://github.com/Azure/functions-action#using-publish-profile-as-deployment-credential-recommended +# - Azure Service Principal for RBAC: https://github.com/Azure/functions-action#using-azure-service-principal-for-rbac-as-deployment-credential +# +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples/tree/master/FunctionApp + +name: Deploy PowerShell project to Azure Function App + +on: + push: + branches: ["main"] + +env: + AZURE_FUNCTIONAPP_NAME: 'your-app-name' # set this to your function app name on Azure + AZURE_FUNCTIONAPP_PACKAGE_PATH: '.' 
# set this to the path to your function app project, defaults to the repository root + +jobs: + build-and-deploy: + runs-on: windows-latest # For Linux, use ubuntu-latest + environment: dev + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v4 + + # If you want to use Azure RBAC instead of Publish Profile, then uncomment the task below + # - name: 'Login via Azure CLI' + # uses: azure/login@v1 + # with: + # creds: ${{ secrets.AZURE_RBAC_CREDENTIALS }} # set up AZURE_RBAC_CREDENTIALS secrets in your repository + + - name: 'Run Azure Functions Action' + uses: Azure/functions-action@v1 + id: fa + with: + app-name: ${{ env.AZURE_FUNCTIONAPP_NAME }} + package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }} + publish-profile: ${{ secrets.AZURE_FUNCTIONAPP_PUBLISH_PROFILE }} # Remove publish-profile to use Azure RBAC From 2442cf23f214b5d59c970a00fb247402efb1998a Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:42:03 -0500 Subject: [PATCH 25/81] Create azure-webapps-java-jar.yml --- .github/workflows/azure-webapps-java-jar.yml | 79 ++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 .github/workflows/azure-webapps-java-jar.yml diff --git a/.github/workflows/azure-webapps-java-jar.yml b/.github/workflows/azure-webapps-java-jar.yml new file mode 100644 index 0000000..4f48af1 --- /dev/null +++ b/.github/workflows/azure-webapps-java-jar.yml 
@@ -0,0 +1,79 @@ +# This workflow will build and push a Java application to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-java?tabs=javase&pivots=platform-linux +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Change the value for the AZURE_WEBAPP_NAME. Optionally, change the JAVA_VERSION environment variable below. 
+# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + +name: Build and deploy JAR app to Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + JAVA_VERSION: '11' # set this to the Java version to use + DISTRIBUTION: zulu # set this to the Java distribution + +on: + push: + branches: [ "main" ] + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Set up Java version + uses: actions/setup-java@v4 + with: + java-version: ${{ env.JAVA_VERSION }} + distribution: ${{ env.DISTRIBUTION }} + cache: 'maven' + + - name: Build with Maven + run: mvn clean install + + - name: Upload artifact for deployment job + uses: actions/upload-artifact@v3 + with: + name: java-app + path: '${{ github.workspace }}/target/*.jar' + + deploy: + permissions: + contents: none + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Download artifact from build job + uses: actions/download-artifact@v3 + with: + name: java-app + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + package: '*.jar' From d5f4d43d778c020648995125d6631cdc05b24ecb Mon Sep 17 00:00:00 2001 
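Review bot: `actions/upload-artifact@v3` and `actions/download-artifact@v3` are deprecated releases of the artifact actions, so the hand-off of the JAR from `build` to `deploy` depends on versions GitHub is retiring. Move both to `@v4` in the same change, because an artifact uploaded by v4 cannot be fetched by the v3 download action. The `name: java-app` hand-off needs no other edit, since the artifact is uploaded once per run. `mvn clean install` could also take `-B` so Maven runs in batch mode on the runner.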
From: Melissa1181 Date: Sat, 21 Sep 2024 04:44:39 -0500 Subject: [PATCH 26/81] Create azure-container-webapp.yml --- .github/workflows/azure-container-webapp.yml | 86 ++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 .github/workflows/azure-container-webapp.yml diff --git a/.github/workflows/azure-container-webapp.yml b/.github/workflows/azure-container-webapp.yml new file mode 100644 index 0000000..8259ede --- /dev/null +++ b/.github/workflows/azure-container-webapp.yml 
@@ -0,0 +1,86 @@ +# This workflow will build and push a Docker container to an Azure Web App when a commit is pushed to your default branch. +# +# This workflow assumes you have already created the target Azure App Service web app. +# For instructions see https://docs.microsoft.com/en-us/azure/app-service/quickstart-custom-container?tabs=dotnet&pivots=container-linux +# +# To configure this workflow: +# +# 1. Download the Publish Profile for your Azure Web App. You can download this file from the Overview page of your Web App in the Azure Portal. +# For more information: https://docs.microsoft.com/en-us/azure/app-service/deploy-github-actions?tabs=applevel#generate-deployment-credentials +# +# 2. Create a secret in your repository named AZURE_WEBAPP_PUBLISH_PROFILE, paste the publish profile contents as the value of the secret. +# For instructions on obtaining the publish profile see: https://docs.microsoft.com/azure/app-service/deploy-github-actions#configure-the-github-secret +# +# 3. Create a GitHub Personal access token with "repo" and "read:packages" permissions. +# +# 4. Create three app settings on your Azure Web app: +# DOCKER_REGISTRY_SERVER_URL: Set this to "https://ghcr.io" +# DOCKER_REGISTRY_SERVER_USERNAME: Set this to the GitHub username or organization that owns the repository +# DOCKER_REGISTRY_SERVER_PASSWORD: Set this to the value of your PAT token from the previous step +# +# 5. Change the value for the AZURE_WEBAPP_NAME. 
+# +# For more information on GitHub Actions for Azure: https://github.com/Azure/Actions +# For more information on the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy +# For more samples to get started with GitHub Action workflows to deploy to Azure: https://github.com/Azure/actions-workflow-samples + +name: Build and deploy a container to an Azure Web App + +env: + AZURE_WEBAPP_NAME: your-app-name # set this to the name of your Azure Web App + +on: + push: + branches: [ "main" ] + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 + + - name: Log in to GitHub container registry + uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ github.token }} + + - name: Lowercase the repo name and username + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Build and push container image to registry + uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0 + with: + push: true + tags: ghcr.io/${{ env.REPO }}:${{ github.sha }} + file: ./Dockerfile + + deploy: + permissions: + contents: none + runs-on: ubuntu-latest + needs: build + environment: + name: 'Development' + url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} + + steps: + - name: Lowercase the repo name and username + run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV} + + - name: Deploy to Azure Web App + id: deploy-to-webapp + uses: azure/webapps-deploy@v2 + with: + app-name: ${{ env.AZURE_WEBAPP_NAME }} + publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} + images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}' From 90c3ea9741cbb259f095b08fcffa22f8dfb29dc7 Mon Sep 17 00:00:00 2001 
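Review bot: The `build` job pushes to ghcr.io with `github.token`, but the only permission granted is the top-level `contents: read`, and scopes left out of a `permissions:` block are set to none, so the token has no package write access and the push should be rejected. Give the job its own block: `permissions:` with `contents: read` and `packages: write`. In the header, setup step 3 asks for a PAT with "repo" and "read:packages" that is then stored as an app setting on the web app. Pulling an image from ghcr.io should need only `read:packages`, and the extra `repo` scope would expose repository contents if that setting leaked.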
From: Melissa1181 Date: Sat, 21 Sep 2024 04:46:19 -0500 Subject: [PATCH 27/81] Create azure-staticwebapp.yml --- .github/workflows/azure-staticwebapp.yml | 70 ++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 .github/workflows/azure-staticwebapp.yml diff --git a/.github/workflows/azure-staticwebapp.yml b/.github/workflows/azure-staticwebapp.yml new file mode 100644 index 0000000..185018e --- /dev/null +++ b/.github/workflows/azure-staticwebapp.yml 
@@ -0,0 +1,70 @@ +# This workflow will build and push a web application to an Azure Static Web App when you change your code. +# +# This workflow assumes you have already created the target Azure Static Web App. +# For instructions see https://docs.microsoft.com/azure/static-web-apps/get-started-portal?tabs=vanilla-javascript +# +# To configure this workflow: +# +# 1. Set up a secret in your repository named AZURE_STATIC_WEB_APPS_API_TOKEN with the value of your Static Web Apps deployment token. +# For instructions on obtaining the deployment token see: https://docs.microsoft.com/azure/static-web-apps/deployment-token-management +# +# 3. Change the values for the APP_LOCATION, API_LOCATION and APP_ARTIFACT_LOCATION, AZURE_STATIC_WEB_APPS_API_TOKEN environment variables (below). +# For instructions on setting up the appropriate configuration values go to https://docs.microsoft.com/azure/static-web-apps/front-end-frameworks +name: Deploy web app to Azure Static Web Apps + +on: + push: + branches: [ "main" ] + pull_request: + types: [opened, synchronize, reopened, closed] + branches: [ "main" ] + +# Environment variables available to all jobs and steps in this workflow +env: + APP_LOCATION: "/" # location of your client code + API_LOCATION: "api" # location of your api source code - optional + APP_ARTIFACT_LOCATION: "build" # location of client code build output + AZURE_STATIC_WEB_APPS_API_TOKEN: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing deployment token for your static web app + +permissions: + contents: read + +jobs: + build_and_deploy_job: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: write # for Azure/static-web-apps-deploy to comment on PRs + if: github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed') + runs-on: ubuntu-latest + name: Build and Deploy Job + steps: + - uses: actions/checkout@v4 + with: + submodules: true + - name: Build And Deploy + id: 
builddeploy + uses: Azure/static-web-apps-deploy@v1 + with: + azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app + repo_token: ${{ secrets.GITHUB_TOKEN }} # Used for Github integrations (i.e. PR comments) + action: "upload" + ###### Repository/Build Configurations - These values can be configured to match you app requirements. ###### + # For more information regarding Static Web App workflow configurations, please visit: https://aka.ms/swaworkflowconfig + app_location: ${{ env.APP_LOCATION }} + api_location: ${{ env.API_LOCATION }} + app_artifact_location: ${{ env.APP_ARTIFACT_LOCATION }} + ###### End of Repository/Build Configurations ###### + + close_pull_request_job: + permissions: + contents: none + if: github.event_name == 'pull_request' && github.event.action == 'closed' + runs-on: ubuntu-latest + name: Close Pull Request Job + steps: + - name: Close Pull Request + id: closepullrequest + uses: Azure/static-web-apps-deploy@v1 + with: + azure_static_web_apps_api_token: ${{ env.AZURE_STATIC_WEB_APPS_API_TOKEN }} # secret containing api token for app + action: "close" From 1b9849fa15a7d29ec426351c06024074a4e11ad2 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:48:39 -0500 Subject: [PATCH 28/81] Create codeql.yml --- .github/workflows/codeql.yml | 92 ++++++++++++++++++++++++++++++++++++ 1 file changed, 92 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..04406a3 --- /dev/null +++ b/.github/workflows/codeql.yml 
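Review bot: The deployment token is copied into the workflow-level `env:` block as `AZURE_STATIC_WEB_APPS_API_TOKEN`, which places it in the process environment of every step in both jobs, including the `actions/checkout` step that fetches submodules. Remove that `env:` entry and pass the secret only where it is consumed, `azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }}`, in the two `Azure/static-web-apps-deploy` steps. The setup list in the header also jumps from step 1 to step 3 and still describes the token as an environment variable to change "below", which would need rewording after that change.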
@@ -0,0 +1,92 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '18 1 * * 5' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. 
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: python + build-mode: none + # CodeQL supports the following values keywords for 'language': 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. 
+ + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # โ„น๏ธ Command-line programs to run using the OS shell. + # ๐Ÿ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" From 742eff7eb92bcd86d8140ebc3370e665404cc42b Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:50:06 -0500 Subject: [PATCH 29/81] Create dependency-review.yml --- .github/workflows/dependency-review.yml | 39 +++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..d19e21b --- /dev/null +++ b/.github/workflows/dependency-review.yml 
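Review bot: In codeql.yml the `analyze` job grants `packages: read`, which its own comment says is only needed to fetch internal or private CodeQL packs, while the `queries:` line is commented out and no pack is configured in this hunk. If no private packs are used, drop `packages: read` so the token carries only `security-events: write`, `actions: read` and `contents: read`. The unnamed `if: matrix.build-mode == 'manual'` step cannot run with the single `python` / `none` matrix entry and could be removed or at least given a `name:`.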
@@ -0,0 +1,39 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable
+# packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency review'
+on:
+ pull_request:
+ branches: [ "main" ]
+
+# If using a dependency submission action in this workflow this permission will need to be set to:
+#
+# permissions:
+# contents: write
+#
+# https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api
+permissions:
+ contents: read
+ # Write permissions for pull-requests are required for using the `comment-summary-in-pr` option, comment out if you aren't using this option
+ pull-requests: write
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout repository'
+ uses: actions/checkout@v4
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
+ # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
+ with:
+ comment-summary-in-pr: always
+ # fail-on-severity: moderate
+ # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later
+ # retry-on-snapshot-warnings: true
From be24ae0473144f2c84a6e08c5fcb90850536dffb Mon Sep 17 00:00:00 2001
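Review bot: In dependency-review.yml `pull-requests: write` is granted in the workflow-level `permissions:` block, so any job later added to this file inherits it. Moving the two permission lines under `jobs.dependency-review` keeps the write scope on the one job that posts the summary comment. `fail-on-severity` is left commented out, so the gate runs on the action's default threshold; setting it explicitly, for example `fail-on-severity: moderate`, would record the intended policy in the file.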
From: Melissa1181 Date: Sat, 21 Sep 2024 04:50:27 -0500 Subject: [PATCH 30/81] Create apisec-scan.yml --- .github/workflows/apisec-scan.yml | 71 +++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .github/workflows/apisec-scan.yml diff --git a/.github/workflows/apisec-scan.yml b/.github/workflows/apisec-scan.yml new file mode 100644 index 0000000..a3a8bcb --- /dev/null +++ b/.github/workflows/apisec-scan.yml 
@@ -0,0 +1,71 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# APIsec addresses the critical need to secure APIs before they reach production. +# APIsec provides the industryโ€™s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. +# Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities. + +# How to Get Started with APIsec.ai +# 1. Schedule a demo at https://www.apisec.ai/request-a-demo . +# +# 2. Register your account at https://cloud.apisec.ai/#/signup . +# +# 3. Register your API . See the video (https://www.youtube.com/watch?v=MK3Xo9Dbvac) to get up and running with APIsec quickly. +# +# 4. Get GitHub Actions scan attributes from APIsec Project -> Configurations -> Integrations -> CI-CD -> GitHub Actions +# +# apisec-run-scan +# +# This action triggers the on-demand scans for projects registered in APIsec. +# If your GitHub account allows code scanning alerts, you can then upload the sarif file generated by this action to show the scan findings. +# Else you can view the scan results from the project home page in APIsec Platform. +# The link to view the scan results is also displayed on the console on successful completion of action. + +# This is a starter workflow to help you get started with APIsec-Scan Actions + +name: APIsec + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the "main" branch + # Customize trigger events based on your DevSecOps processes. 
+ push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '44 8 * * 0' + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + + +permissions: + contents: read + +jobs: + + Trigger_APIsec_scan: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + steps: + - name: APIsec scan + uses: apisec-inc/apisec-run-scan@025432089674a28ba8fb55f8ab06c10215e772ea + with: + # The APIsec username with which the scans will be executed + apisec-username: ${{ secrets.apisec_username }} + # The Password of the APIsec user with which the scans will be executed + apisec-password: ${{ secrets.apisec_password}} + # The name of the project for security scan + apisec-project: "VAmPI" + # The name of the sarif format result file The file is written only if this property is provided. + sarif-result-file: "apisec-results.sarif" + - name: Import results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ./apisec-results.sarif From d203b9947954d54fe33d1e421eeabf382413df95 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:51:06 -0500 Subject: [PATCH 31/81] Create bandit.yml --- .github/workflows/bandit.yml | 52 ++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/workflows/bandit.yml diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml new file mode 100644 index 0000000..1d0dabc --- /dev/null +++ b/.github/workflows/bandit.yml 
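Review bot: In apisec-scan.yml the scan runs on `pull_request` as well as `push`, but repository secrets are not passed to runs triggered from forks, so `apisec-username` and `apisec-password` are empty there and the job fails instead of scanning. Guard the job with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or drop the `pull_request` trigger; the secret-dependent scans in checkmarx-one.yml and checkmarx.yml need the same guard. `apisec-project: "VAmPI"` also looks like the template's sample project name and presumably should be this repository's registered APIsec project before its results are imported into code scanning.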
@@ -0,0 +1,52 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# Bandit is a security linter designed to find common security issues in Python code. +# This action will run Bandit on your codebase. +# The results of the scan will be found under the Security tab of your repository. + +# https://github.com/marketplace/actions/bandit-scan is ISC licensed, by abirismyname +# https://pypi.org/project/bandit/ is Apache v2.0 licensed, by PyCQA + +name: Bandit +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '24 20 * * 3' + +jobs: + bandit: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Bandit Scan + uses: shundor/python-bandit-scan@9cc5aa4a006482b8a7f91134412df6772dbda22c + with: # optional arguments + # exit with 0, even with results found + exit_zero: true # optional, default is DEFAULT + # Github token of the repository (automatically created by Github) + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information. + # File or directory to run bandit on + # path: # optional, default is . + # Report only issues of a given severity level or higher. Can be LOW, MEDIUM or HIGH. Default is UNDEFINED (everything) + # level: # optional, default is UNDEFINED + # Report only issues of a given confidence level or higher. Can be LOW, MEDIUM or HIGH. 
Default is UNDEFINED (everything) + # confidence: # optional, default is UNDEFINED + # comma-separated list of paths (glob patterns supported) to exclude from scan (note that these are in addition to the excluded paths provided in the config file) (default: .svn,CVS,.bzr,.hg,.git,__pycache__,.tox,.eggs,*.egg) + # excluded_paths: # optional, default is DEFAULT + # comma-separated list of test IDs to skip + # skips: # optional, default is DEFAULT + # path to a .bandit file that supplies command line arguments + # ini_path: # optional, default is DEFAULT + From 883e29959df0b7d0bf318fc3e55f1aff13a437d6 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:51:33 -0500 Subject: [PATCH 32/81] Create checkmarx-one.yml --- .github/workflows/checkmarx-one.yml | 55 +++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/checkmarx-one.yml diff --git a/.github/workflows/checkmarx-one.yml b/.github/workflows/checkmarx-one.yml new file mode 100644 index 0000000..16b78a3 --- /dev/null +++ b/.github/workflows/checkmarx-one.yml 
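Review bot: bandit.yml checks out with `actions/checkout@v2` while the other workflows in this series use `actions/checkout@v4`; v2 targets an older Node runtime that GitHub-hosted runners have deprecated, so use `- uses: actions/checkout@v4` here (crda.yml has the same line). `exit_zero: true` makes the job pass whatever Bandit reports, so findings only surface in the Security tab; if the scan is meant to gate merges remove that input, otherwise change its comment to say the check is advisory. The file also has no top-level `permissions:` default, unlike the Checkmarx and Codacy workflows.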
@@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. +# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository +# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling +# scan customization using the full functionality and flexibility of the CLI tool. + +# This is a basic workflow to help you get started with Using Checkmarx One Action, +# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html + +name: Checkmarx Scan + +# Controls when the workflow will run +on: + pull_request: + types: [opened, reopened, synchronize] + branches: [ "main" ] + +permissions: + contents: read + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel +jobs: + # This workflow contains a single job called "build" + build: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif + + # The type of runner that the job will run on + runs-on: ubuntu-latest + + # Steps represent a sequence of tasks that will be executed as part of the job + steps: + # This step checks out a copy of your repository. 
+ - name: Checkout repository + uses: actions/checkout@v4 + # This step creates the Checkmarx One scan + - name: Checkmarx One scan + uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc + with: + base_uri: https://ast.checkmarx.net # This should be replaced by your base uri for Checkmarx One + cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e + cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e + cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One + additional_params: --report-format sarif --output-path . + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: cx_result.sarif From 6653ab934e334e8fe5a5435bfb244f89d2ad9af2 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:52:20 -0500 Subject: [PATCH 33/81] Create checkmarx.yml --- .github/workflows/checkmarx.yml | 55 +++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/checkmarx.yml diff --git a/.github/workflows/checkmarx.yml b/.github/workflows/checkmarx.yml new file mode 100644 index 0000000..eaa0c6a --- /dev/null +++ b/.github/workflows/checkmarx.yml 
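Review bot: In checkmarx-one.yml `base_uri: https://ast.checkmarx.net` is still the template value, and its own trailing comment says it should be replaced; the client id and secret are sent to whichever host is configured on this line. Take it from repository configuration, for example `base_uri: ${{ vars.CX_BASE_URI }}` (the variable name is a placeholder), so the endpoint is set together with `CX_TENANT` rather than left at a default. The `Upload SARIF file` step expects `cx_result.sarif`; a one-line comment tying that name to `--report-format sarif --output-path .` would make the coupling visible.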
@@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This is a basic workflow to help you get started with Using Checkmarx CxFlow Action + +name: CxFlow + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '18 7 * * 0' + +# A workflow run is made up of one or more jobs that can run sequentially or in parallel - this job is specifically configured to use the Checkmarx CxFlow Action +permissions: + contents: read + +jobs: + # This workflow contains a single job called "build" + build: + # The type of runner that the job will run on - Ubuntu is required as Docker is leveraged for the action + permissions: + contents: read # for actions/checkout to fetch code + issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues + pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional) + steps: + # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it + - uses: actions/checkout@v4 + # Runs the Checkmarx Scan leveraging the latest version of CxFlow - REFER to Action README for list of inputs + - name: Checkmarx CxFlow Action + uses: checkmarx-ts/checkmarx-cxflow-github-action@49d8269b14ca87910ba003d47a31fa0c7a11f2fe + with: + project: ${{ secrets.CHECKMARX_PROJECT }} + team: ${{ secrets.CHECKMARX_TEAMS }} + checkmarx_url: ${{ secrets.CHECKMARX_URL }} + checkmarx_username: ${{ 
secrets.CHECKMARX_USERNAME }} + checkmarx_password: ${{ secrets.CHECKMARX_PASSWORD }} + checkmarx_client_secret: ${{ secrets.CHECKMARX_CLIENT_SECRET }} + scanners: sast + params: --namespace=${{ github.repository_owner }} --repo-name=${{ github.event.repository.name }} --branch=${{ github.ref }} --cx-flow.filter-severity --cx-flow.filter-category --checkmarx.disable-clubbing=true --repo-url=${{ github.event.repository.url }} + # Upload the Report for CodeQL/Security Alerts + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: cx.sarif From 6dc47ddedc4bdbad275338281999ee00ef32439e Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:52:48 -0500 Subject: [PATCH 34/81] Create codacy.yml --- .github/workflows/codacy.yml | 61 ++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/codacy.yml diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml new file mode 100644 index 0000000..69dd906 --- /dev/null +++ b/.github/workflows/codacy.yml 
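Review bot: In checkmarx.yml two explanatory comments have drifted from the keys they describe: `# The type of runner that the job will run on ...` sits above the job's `permissions:` block instead of `runs-on: ubuntu-latest`, and `# A workflow run is made up of one or more jobs ...` sits above the top-level `permissions:` instead of `jobs:`. Move each comment to its key and give the top-level block its own, such as `# default to read-only; the build job widens only what CxFlow and the SARIF upload need`. The job also receives `issues: write` and `pull-requests: write` on push and scheduled runs; if CxFlow feedback is only wanted on pull requests, that is worth stating next to those two lines.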
@@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, performs a Codacy security scan +# and integrates the results with the +# GitHub Advanced Security code scanning feature. For more information on +# the Codacy security scan action usage and parameters, see +# https://github.com/codacy/codacy-analysis-cli-action. +# For more information on Codacy Analysis CLI in general, see +# https://github.com/codacy/codacy-analysis-cli. + +name: Codacy Security Scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '37 4 * * 5' + +permissions: + contents: read + +jobs: + codacy-security-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Codacy Security Scan + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout code + uses: actions/checkout@v4 + + # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis + - name: Run Codacy Analysis CLI + uses: codacy/codacy-analysis-cli-action@d840f886c4bd4edc059706d09c6a1586111c540b + with: + # Check https://github.com/codacy/codacy-analysis-cli#project-token to get your project token from your Codacy repository + # You can also omit the token and run the tools that support default configurations + project-token: ${{ secrets.CODACY_PROJECT_TOKEN }} + verbose: true + output: results.sarif + format: sarif + # Adjust severity of non-security issues + gh-code-scanning-compat: true + # Force 0 
exit code to allow SARIF file generation + # This will handover control about PR rejection to the GitHub side + max-allowed-issues: 2147483647 + + # Upload the SARIF file generated in the previous step + - name: Upload SARIF results file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From 6eeccac4439dc85ca6f03deccb6f28e6f689cd78 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:53:18 -0500 Subject: [PATCH 35/81] Create crda.yml --- .github/workflows/crda.yml | 126 +++++++++++++++++++++++++++++++++++++ 1 file changed, 126 insertions(+) create mode 100644 .github/workflows/crda.yml diff --git a/.github/workflows/crda.yml b/.github/workflows/crda.yml new file mode 100644 index 0000000..816db83 --- /dev/null +++ b/.github/workflows/crda.yml 
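Review bot: In codacy.yml `max-allowed-issues: 2147483647` makes the Codacy step always succeed, so this workflow never fails a pull request by itself. The comment says rejection is handed over to the GitHub side, which only takes effect if code scanning results are actually required for merges into `main`. Extend the comment to name that dependency, for example `# advisory unless code scanning results are required by branch protection on main`.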
@@ -0,0 +1,126 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your source code using +# Red Hat CodeReady Dependency Analytics. + +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event + +# ๐Ÿ’ The CRDA Starter workflow will: +# - Checkout your repository +# - Setup the required tool stack +# - Install the CRDA command line tool +# - Auto detect the manifest file and install the project's dependencies +# - Perform the security scan using CRDA +# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab +# - Optionally upload the SARIF file as an artifact for the future reference + +# โ„น๏ธ Configure your repository and the workflow with the following steps: +# 1. Setup the tool stack based on the project's requirement. +# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack +# 2. (Optional) CRDA action attempt to detect the language and install the +# required dependencies for your project. If your project doesn't aligns +# with the default dependency installation command mentioned here +# https://github.com/redhat-actions/crda/#3-installing-dependencies. +# Use the required inputs to setup the same +# 3. (Optional) CRDA action attempts to detect the manifest file if it is +# present in the root of the project and named as per the default mentioned +# here https://github.com/redhat-actions/crda/#3-installing-dependencies. +# If it deviates from the default, use the required inputs to setup the same +# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN. 
+# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication +# 5. (Optional) Upload SARIF file as an Artifact to download and view +# 6. Commit and push the workflow file to your default branch to trigger a workflow run. + +# ๐Ÿ‘‹ Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. + +name: CRDA Scan + +# Controls when the workflow will run +on: + # TODO: Customize trigger events based on your DevSecOps processes + # + # This workflow is made to run with OpenShift starter workflow + # https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml + # However, if you want to run this workflow as a standalone workflow, please + # uncomment the 'push' trigger below and configure it based on your requirements. + # + workflow_call: + secrets: + CRDA_KEY: + required: false + SNYK_TOKEN: + required: false + workflow_dispatch: + + # push: + # branches: [ "main" ] + + # pull_request_target is used to securely share secret to the PR's workflow run. + # For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target + pull_request_target: + branches: [ "main" ] + types: [ assigned, opened, synchronize, reopened, labeled, edited ] + +permissions: + contents: read + +jobs: + crda-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for redhat-actions/crda to upload SARIF results + name: Scan project vulnerabilities with CRDA + runs-on: ubuntu-20.04 + steps: + + - name: Check out repository + uses: actions/checkout@v2 + + # ******************************************************************* + # Required: Instructions to setup project + # 1. Setup Go, Java, Node.js or Python depending on your project type + # 2. 
Setup Actions are listed below, choose one from them: + # - Go: https://github.com/actions/setup-go + # - Java: https://github.com/actions/setup-java + # - Node.js: https://github.com/actions/setup-node + # - Python: https://github.com/actions/setup-python + # + # Example: + # - name: Setup Node + # uses: actions/setup-node@v4 + # with: + # node-version: '20' + + # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md + - name: Install CRDA CLI + uses: redhat-actions/openshift-tools-installer@v1 + with: + source: github + github_pat: ${{ github.token }} + # Choose the desired version of the CRDA CLI + crda: "latest" + + ###################################################################################### + # https://github.com/redhat-actions/crda/blob/main/README.md + # + # By default, CRDA will detect the manifest file and install the required dependencies + # using the standard command for the project type. + # If your project doesn't aligns with the defaults mentioned in this action, you will + # need to set few inputs that are described here: + # https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies + # Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand + # process to get a SNYK_TOKEN or a CRDA_KEY + - name: CRDA Scan + id: scan + uses: redhat-actions/crda@v1 + with: + crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token + # snyk_token: ${{ secrets.SNYK_TOKEN }} + # upload_artifact: false # Set this to false to skip artifact upload From bc7db1227f3186c799080e0cca86021b02a6c534 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:53:47 -0500 Subject: [PATCH 36/81] Create debricked.yml --- .github/workflows/debricked.yml | 43 +++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/debricked.yml 
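Review bot: crda.yml runs on `pull_request_target`, which executes in the base repository's context with `CRDA_KEY` available, and the header comments say the scan installs the project's dependencies; if the pull request's head is what gets installed, contributor-controlled install scripts run next to that secret. The `actions/checkout@v2` step has no `ref:`, so it checks out the base branch, and whether and when `redhat-actions/crda@v1` fetches the PR head is not visible in this hunk; confirm it waits for maintainer approval and record that in the comment above the trigger. The `assigned` and `edited` types widen when the job runs without adding coverage and could be dropped. The header's list of triggers (every push, weekly schedule) also does not match the `on:` block, where `push` is commented out and there is no `schedule`.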
diff --git a/.github/workflows/debricked.yml b/.github/workflows/debricked.yml new file mode 100644 index 0000000..79b0a07 --- /dev/null +++ b/.github/workflows/debricked.yml 
@@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +##################################################################################################################################################################### +# Use this workflow template as a basis for integrating Debricked into your GitHub workflows. # +# # +# If you need additional assistance with configuration feel free to contact us via chat or email at support@debricked.com # +# To learn more about Debricked or contact our team, visit https://debricked.com/ # +# # +# To run this workflow, complete the following set-up steps: # +# # +# 1. If you donโ€™t have a Debricked account, create one by visiting https://debricked.com/app/en/register # +# 2. Generate your Debricked access token, by following the steps mentioned in https://portal.debricked.com/administration-47/how-do-i-generate-an-access-token-130 # +# 3. In GitHub, navigate to the repository # +# 4. Click on โ€œSettingsโ€ (If you cannot see the โ€œSettingsโ€ tab, select the dropdown menu, then click โ€œSettingsโ€) # +# 5. In the โ€œSecurityโ€ section click on โ€œSecrets and variablesโ€, then click โ€œActionsโ€ # +# 6. In the โ€œSecretsโ€ tab, click on โ€œNew repository secretโ€ # +# 7. In the โ€œNameโ€ field, type the name of the secret # +# 8. In the โ€œSecretโ€ field, enter the value of the secret # +# 9. Click โ€œAdd secretโ€ # +# 10. You should now be ready to use the workflow! 
# +##################################################################################################################################################################### + +name: Debricked Scan + +on: + push: + +permissions: + contents: read + +jobs: + vulnerabilities-scan: + name: Vulnerabilities scan + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - uses: debricked/actions@v3 + env: + DEBRICKED_TOKEN: ${{ secrets.DEBRICKED_TOKEN }} From bb906a18246d9b9bb93089f7cafb138d2fb97375 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:54:16 -0500 Subject: [PATCH 37/81] Create defender-for-devops.yml --- .github/workflows/defender-for-devops.yml | 47 +++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/defender-for-devops.yml diff --git a/.github/workflows/defender-for-devops.yml b/.github/workflows/defender-for-devops.yml new file mode 100644 index 0000000..9dd9867 --- /dev/null +++ b/.github/workflows/defender-for-devops.yml 
@@ -0,0 +1,47 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. +# MSDO installs, configures and runs the latest versions of static analysis tools +# (including, but not limited to, SDL/security and compliance tools). +# +# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue, +# as well as Windows self hosted agents. ubuntu-latest support coming soon. +# +# For more information about the action , check out https://github.com/microsoft/security-devops-action +# +# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration +# and provide permission before this can report data back to azure. +# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github + +name: "Microsoft Defender For Devops" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '39 8 * * 6' + +jobs: + MSDO: + # currently only windows latest is supported + runs-on: windows-latest + + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-dotnet@v4 + with: + dotnet-version: | + 5.0.x + 6.0.x + - name: Run Microsoft Security DevOps + uses: microsoft/security-devops-action@v1.6.0 + id: msdo + - name: Upload results to Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.msdo.outputs.sarifFile }} From 147bcc05cb45410e26a38fe0ecfa0cb43e4f3c43 Mon Sep 17 00:00:00 2001 
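Review bot: The `MSDO` job declares no `permissions:`, yet its last step calls `github/codeql-action/upload-sarif@v3`, which needs `security-events: write`. Without an explicit block the job inherits the repository default for `GITHUB_TOKEN`: a read-only default makes the upload fail, and a permissive default gives every step in the job a write-capable token. Add a job-level block like the one the DevSkim workflow in this series declares; the Appknox workflow further down has the same gap. If the Defender for DevOps integration is connected, the action may also need `id-token: write`, which should be confirmed against its README. `dotnet-version` still installs `5.0.x`, which is past end of support, so check whether the action actually requires it.

```yaml
  MSDO:
    # currently only windows latest is supported
    runs-on: windows-latest
    permissions:
      contents: read          # checkout
      actions: read           # run-status lookup by upload-sarif on private repositories
      security-events: write  # upload-sarif
    # … unchanged: steps …
```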
From: Melissa1181 Date: Sat, 21 Sep 2024 04:54:42 -0500 Subject: [PATCH 38/81] Create devskim.yml --- .github/workflows/devskim.yml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 .github/workflows/devskim.yml diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml new file mode 100644 index 0000000..600e08c --- /dev/null +++ b/.github/workflows/devskim.yml @@ -0,0 +1,34 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: DevSkim + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '31 19 * * 3' + +jobs: + lint: + name: DevSkim + runs-on: ubuntu-20.04 + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run DevSkim scanner + uses: microsoft/DevSkim-Action@v1 + + - name: Upload DevSkim scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: devskim-results.sarif From 88c36b5452e7d6917eef9f3d14ab6287899c080b Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:55:10 -0500 Subject: [PATCH 39/81] Create endorlabs.yml --- .github/workflows/endorlabs.yml | 51 +++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 .github/workflows/endorlabs.yml diff --git a/.github/workflows/endorlabs.yml b/.github/workflows/endorlabs.yml new file mode 100644 index 0000000..1364a8f --- /dev/null +++ b/.github/workflows/endorlabs.yml 
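Review bot: `runs-on: ubuntu-20.04` pins the `lint` job to a hosted image that has since been retired from GitHub-hosted runners, so the job would not get a runner and the scan would silently stop producing results. Use `runs-on: ubuntu-latest`, as the other workflows in this series do. If the action really needs an older image, state that in a comment next to the label. The job-level `permissions` block is already scoped to what checkout and the SARIF upload need.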
@@ -0,0 +1,51 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Endor Labs +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '33 2 * * 1' +jobs: + scan: + permissions: + security-events: write # Used to upload sarif artifact to GitHub + contents: read # Used to checkout a private repository by actions/checkout. + actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required. + id-token: write # Used for keyless authentication to Endor Labs + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v4 + #### Package Build Instructions + ### Use this section to define the build steps used by your software package. + ### Endor Labs builds your software for you where possible but the required build tools must be made available. + # - name: Setup Java + # uses: actions/setup-java@v4 + # with: + # distribution: 'microsoft' + # java-version: '17' + # - name: Build Package + # run: mvn clean install + - name: Endor Labs scan pull request + if: github.event_name == 'pull_request' + uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c + with: + namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. + sarif_file: findings.sarif + - name: Endor Labs scan monitor + if: github.event_name == 'push' + uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c + with: + namespace: "example" # Modify the namespace to your Endor Labs tenant namespace. + ci_run: "false" + sarif_file: findings.sarif + - name: Upload SARIF to github + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: findings.sarif From 19615af283acb20bd3a80f85c53ef6245eb7e6f4 Mon Sep 17 00:00:00 2001 
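Review bot: On the `schedule` trigger neither scan step runs, because one is gated on `pull_request` and the other on `push`, but `Upload SARIF to github` is unconditional. The weekly run therefore has no `findings.sarif` to upload and fails without scanning anything. Let the monitor step cover scheduled runs with `if: github.event_name != 'pull_request'`, or drop the `schedule` trigger. `namespace: "example"` is still the template value in both scan steps and has to be replaced with the tenant namespace before the workflow is enabled. The job grants `id-token: write` on pull-request runs as well; the inline comment explains why, but any step added to this job later inherits that scope.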
From: Melissa1181 Date: Sat, 21 Sep 2024 04:56:35 -0500 Subject: [PATCH 40/81] Create ethicalcheck.yml --- .github/workflows/ethicalcheck.yml | 69 ++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 .github/workflows/ethicalcheck.yml diff --git a/.github/workflows/ethicalcheck.yml b/.github/workflows/ethicalcheck.yml new file mode 100644 index 0000000..1df9efd --- /dev/null +++ b/.github/workflows/ethicalcheck.yml 
@@ -0,0 +1,69 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# EthicalCheck addresses the critical need to continuously security test APIs in development and in production. + +# EthicalCheck provides the industryโ€™s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list. +# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities. + +# You develop the application and API, we bring complete and continuous security testing to you, accelerating development. + +# Know your API and Applications are secure with EthicalCheck โ€“ our free & automated API security testing service. + +# How EthicalCheck works? +# EthicalCheck functions in the following simple steps. +# 1. Security Testing. +# Provide your OpenAPI specification or start with a public Postman collection URL. +# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing. +# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc. + +# 2. Reporting. +# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities. +# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging. 
+ + +# This is a starter workflow to help you get started with EthicalCheck Actions + +name: EthicalCheck-Workflow + +# Controls when the workflow will run +on: + # Triggers the workflow on push or pull request events but only for the "main" branch + # Customize trigger events based on your DevSecOps processes. + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '29 8 * * 5' + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +permissions: + contents: read + +jobs: + Trigger_EthicalCheck: + permissions: + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + steps: + - name: EthicalCheck Free & Automated API Security Testing Service + uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641 + with: + # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL. + oas-url: "http://netbanking.apisec.ai:8080/v2/api-docs" + # The email address to which the penetration test report will be sent. + email: "xxx@apisec.ai" + sarif-result-file: "ethicalcheck-results.sarif" + + - name: Upload sarif file to repository + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ./ethicalcheck-results.sarif + From 7e45881c4f28a2dc07532bd4cad3b7e1d34df193 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 04:59:28 -0500 Subject: [PATCH 41/81] Create SECURITY.md --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..034e848 --- /dev/null +++ b/SECURITY.md 
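Review bot: `oas-url` and `email` are still the template's sample values, so the scan would run against `http://netbanking.apisec.ai:8080/v2/api-docs`, a host outside this repository, on every push, pull request and weekly schedule, and the report would go to `xxx@apisec.ai`. Point `oas-url` at an API this project owns and is authorised to test, preferably over HTTPS, and send the report to a project address; until then the workflow should stay disabled. A comment such as `# TODO: replace with this project's own OpenAPI URL before enabling` above `oas-url` would make that explicit. If the URL or address is not meant to be public, read it from a repository secret or variable instead of committing it.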
@@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. From 584817e16b2fa357f88550c8ba94fa0b7e57cdf9 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 05:05:18 -0500 Subject: [PATCH 42/81] Create fortify.yml --- .github/workflows/fortify.yml | 84 +++++++++++++++++++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 .github/workflows/fortify.yml diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml new file mode 100644 index 0000000..d4872a6 --- /dev/null +++ b/.github/workflows/fortify.yml 
@@ -0,0 +1,84 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +################################################################################################################################################ +# Fortify Application Security provides your team with solutions to empower DevSecOps practices, enable cloud transformation, and secure your # +# software supply chain. To learn more about Fortify, start a free trial or contact our sales team, visit fortify.com. # +# # +# Use this starter workflow as a basis for integrating Fortify Application Security Testing into your GitHub workflows. This template # +# demonstrates the steps to package the code+dependencies, initiate a scan, and optionally import SAST vulnerabilities into GitHub Security # +# Code Scanning Alerts. Additional information is available in the workflow comments and the Fortify AST Action / fcli / Fortify product # +# documentation. If you need additional assistance, please contact Fortify support. # +################################################################################################################################################ + +name: Fortify AST Scan + +# Customize trigger events based on your DevSecOps process and/or policy +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '44 7 * * 4' + workflow_dispatch: + +jobs: + Fortify-AST-Scan: + # Use the appropriate runner for building your source code. Ensure dev tools required to build your code are present and configured appropriately (MSBuild, Python, etc). 
+ runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v4 + + # Java is required to run the various Fortify utilities. Ensuring proper version is installed on the runner. + - name: Setup Java + uses: actions/setup-java@v4 + with: + java-version: 17 + distribution: 'temurin' + + # Perform SAST and optionally SCA scan via Fortify on Demand/Fortify Hosted/Software Security Center, then + # optionally export SAST results to the GitHub code scanning dashboard. In case further customization is + # required, you can use sub-actions like fortify/github-action/setup@v1 to set up the various Fortify tools + # and run them directly from within your pipeline; see https://github.com/fortify/github-action#readme for + # details. + - name: Run FoD SAST Scan + uses: fortify/github-action@a92347297e02391b857e7015792cd1926a4cd418 + with: + sast-scan: true + env: + ### Required configuration when integrating with Fortify on Demand + FOD_URL: https://ams.fortify.com + FOD_TENANT: ${{secrets.FOD_TENANT}} + FOD_USER: ${{secrets.FOD_USER}} + FOD_PASSWORD: ${{secrets.FOD_PAT}} + ### Optional configuration when integrating with Fortify on Demand + # EXTRA_PACKAGE_OPTS: -oss # Extra 'scancentral package' options, like '-oss'' if + # Debricked SCA scan is enabled on Fortify on Demand + # EXTRA_FOD_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli fod session login' options + # FOD_RELEASE: MyApp:MyRelease # FoD release name, default: /:; may + # replace app+release name with numeric release ID + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard + ### Required configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # SSC_URL: ${{secrets.SSC_URL}} # SSC URL + # SSC_TOKEN: ${{secrets.SSC_TOKEN}} # SSC CIToken or AutomationToken 
+ # SC_SAST_TOKEN: ${{secrets.SC_SAST_TOKEN}} # ScanCentral SAST client auth token + # SC_SAST_SENSOR_VERSION: ${{vars.SC_SAST_SENSOR_VERSION}} # Sensor version on which to run the scan; + # usually defined as organization or repo variable + ### Optional configuration when integrating with Fortify Hosted / Software Security Center & ScanCentral + # EXTRA_SC_SAST_LOGIN_OPTS: --socket-timeout=60s # Extra 'fcli sc-sast session login' options + # SSC_APPVERSION: MyApp:MyVersion # SSC application version, default: /: + # EXTRA_PACKAGE_OPTS: -bv myCustomPom.xml # Extra 'scancentral package' options + # DO_WAIT: true # Wait for scan completion, implied if 'DO_EXPORT: true' + # DO_EXPORT: true # Export SAST results to GitHub code scanning dashboard From 1b18521a86dbad632be0dca03989d598fbb0e691 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 07:42:29 -0500 Subject: [PATCH 43/81] Create phpmd.yml --- .github/workflows/phpmd.yml | 57 +++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 .github/workflows/phpmd.yml diff --git a/.github/workflows/phpmd.yml b/.github/workflows/phpmd.yml new file mode 100644 index 0000000..3d2b94c --- /dev/null +++ b/.github/workflows/phpmd.yml 
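Review bot: The job requests `security-events: write` and `actions: read`, but `DO_EXPORT` appears only as a comment, so as written nothing is exported to code scanning and those two scopes look unused. Either drop them until export is turned on or uncomment `DO_EXPORT: true`, so that the token matches what the job does. `EXTRA_PACKAGE_OPTS`, `DO_WAIT` and `DO_EXPORT` each appear in both commented option lists, and uncommenting both lists would put duplicate keys under `env:`. A one-line comment such as `### Enable only ONE of the two integration blocks below` would prevent that.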
@@ -0,0 +1,57 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# PHPMD is a spin-off project of PHP Depend and +# aims to be a PHP equivalent of the well known Java tool PMD. +# What PHPMD does is: It takes a given PHP source code base +# and look for several potential problems within that source. +# These problems can be things like: +# Possible bugs +# Suboptimal code +# Overcomplicated expressions +# Unused parameters, methods, properties +# More details at https://phpmd.org/ + +name: PHPMD + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '20 21 * * 5' + +permissions: + contents: read + +jobs: + PHPMD: + name: Run PHPMD scanning + runs-on: ubuntu-latest + permissions: + contents: read # for checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup PHP + uses: shivammathur/setup-php@aa1fe473f9c687b6fb896056d771232c0bc41161 + with: + coverage: none + tools: phpmd + + - name: Run PHPMD + run: phpmd . sarif codesize --reportfile phpmd-results.sarif + continue-on-error: true + + - name: Upload analysis results to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: phpmd-results.sarif + wait-for-processing: true From 2cec8620cc4b756e56ffb69a5e96e235d6b07196 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 07:43:12 -0500 Subject: [PATCH 44/81] Create codescan.yml --- .github/workflows/codescan.yml | 49 ++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/codescan.yml 
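Review bot: `continue-on-error: true` on `Run PHPMD` hides every non-zero exit, not only the one PHPMD uses for "violations found", so a crashed or misconfigured run looks the same as a clean one. The failure would then surface, if at all, only as a missing `phpmd-results.sarif` in the upload step. PHPMD has a flag for the intended case: `run: phpmd . sarif codesize --reportfile phpmd-results.sarif --ignore-violations-on-exit`, with `continue-on-error` removed. Only the `codesize` ruleset is enabled, so the uploaded SARIF will not contain the unused-code findings the header comment lists; add rulesets such as `unusedcode` if that is the intent.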
diff --git a/.github/workflows/codescan.yml b/.github/workflows/codescan.yml
new file mode 100644
index 0000000..401e649
--- /dev/null
+++ b/.github/workflows/codescan.yml
@@ -0,0 +1,49 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow requires that you have an existing account with codescan.io
+# For more information about configuring your workflow,
+# read our documentation at https://github.com/codescan-io/codescan-scanner-action
+name: CodeScan
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '25 22 * * 0'
+
+permissions:
+ contents: read
+
+jobs:
+ CodeScan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Cache files
+ uses: actions/cache@v3
+ with:
+ path: |
+ ~/.sonar
+ key: ${{ runner.os }}-sonar
+ restore-keys: ${{ runner.os }}-sonar
+ - name: Run Analysis
+ uses: codescan-io/codescan-scanner-action@5b2e8c5683ef6a5adc8fa3b7950bb07debccce12
+ with:
+ login: ${{ secrets.CODESCAN_AUTH_TOKEN }}
+ organization: ${{ secrets.CODESCAN_ORGANIZATION_KEY }}
+ projectKey: ${{ secrets.CODESCAN_PROJECT_KEY }}
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: codescan.sarif
From 91dfa20a1f6621a38297dea12a0ade9b6c7582c5 Mon Sep 17 00:00:00 2001
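Review bot: `Run Analysis` reads three secrets, but the workflow also runs on `pull_request`, and GitHub does not pass repository secrets to pull requests from forks. On such runs the step would get empty credentials and fail, and the SARIF upload after it would fail too. Guard the secret-dependent steps, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. The Fortify and Prisma Cloud workflows in this series have the same shape. The cache key `${{ runner.os }}-sonar` never changes, so a saved cache is never refreshed; that is a staleness point rather than a security one.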
From: Melissa1181 Date: Sat, 21 Sep 2024 07:43:47 -0500 Subject: [PATCH 45/81] Create pmd.yml --- .github/workflows/pmd.yml | 43 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/pmd.yml diff --git a/.github/workflows/pmd.yml b/.github/workflows/pmd.yml new file mode 100644 index 0000000..eeed2fe --- /dev/null +++ b/.github/workflows/pmd.yml @@ -0,0 +1,43 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: pmd + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '33 18 * * 5' + +permissions: + contents: read + +jobs: + pmd-code-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up JDK 11 + uses: actions/setup-java@v4 + with: + java-version: '11' + distribution: 'temurin' + - name: Run PMD + id: pmd + uses: pmd/pmd-github-action@967a81f8b657c87f7c3e96b62301cb1a48efef29 + with: + rulesets: 'rulesets/java/quickstart.xml' + sourcePath: 'src/main/java' + analyzeModifiedFilesOnly: false + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: pmd-report.sarif From 7e116f1eb1f9f49a1a28c90307435add9f65ffdc Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 07:44:25 -0500 Subject: [PATCH 46/81] Create prisma.yml --- .github/workflows/prisma.yml | 61 ++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/prisma.yml 
diff --git a/.github/workflows/prisma.yml b/.github/workflows/prisma.yml new file mode 100644 index 0000000..c37b3ba --- /dev/null +++ b/.github/workflows/prisma.yml 
@@ -0,0 +1,61 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow that checks for security issues using +# the Prisma Cloud Infrastructure as Code Scan Action on +# the IaC files present in the repository. +# The results are uploaded to GitHub Security Code Scanning +# +# For more details on the Action configuration see https://github.com/prisma-cloud-shiftleft/iac-scan-action + +name: Prisma Cloud IaC Scan + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '33 22 * * 0' + +permissions: + contents: read + +jobs: + prisma_cloud_iac_scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + name: Run Prisma Cloud IaC Scan to check + steps: + - name: Checkout + uses: actions/checkout@v4 + - id: iac-scan + name: Run Scan on CFT files in the repository + uses: prisma-cloud-shiftleft/iac-scan-action@53278c231c438216d99b463308a3cbed351ba0c3 + with: + # You will need Prisma Cloud API Access Token + # More details in https://github.com/prisma-cloud-shiftleft/iac-scan-action + prisma_api_url: ${{ secrets.PRISMA_CLOUD_API_URL }} + access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }} + secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }} + # Scan sources on Prisma Cloud are uniquely identified by their name + asset_name: 'my-asset-name' + # The service need to know the type of IaC being scanned + template_type: 'CFT' + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + # Results are generated only on a success or failure + # this is 
required since GitHub by default won't run the next step + # when the previous one has failed. + # And alternative it to add `continue-on-error: true` to the previous step + if: success() || failure() + with: + # The SARIF Log file name is configurable on scan action + # therefore the file name is best read from the steps output + sarif_file: ${{ steps.iac-scan.outputs.iac_scan_result_sarif_path }} From 4d0bb6a3cfa341e09f859bc92754c4dc2cb4d271 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 07:44:58 -0500 Subject: [PATCH 47/81] Create appknox.yml --- .github/workflows/appknox.yml | 54 +++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/workflows/appknox.yml diff --git a/.github/workflows/appknox.yml b/.github/workflows/appknox.yml new file mode 100644 index 0000000..2481c4d --- /dev/null +++ b/.github/workflows/appknox.yml 
@@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support documentation. +# +# Appknox: Leader in Mobile Application Security Testing Solutions +# +# To use this workflow, you must be an existing Appknox customer with GitHub Advanced Security (GHAS) enabled for your +# repository. +# +# If you *are not* an existing customer, click here to contact us for licensing and pricing details: +# . +# +# Instructions: +# +# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the +# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token +# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings +# and create a token labeled GitHub +# +# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. 
After the +# action executes, check the 'Security' tab for results + +name: Appknox + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] +jobs: + appknox: + runs-on: ubuntu-latest + steps: + - name: Checkout Code + uses: actions/checkout@v2 + + - name: Grant execute permission for gradlew + run: chmod +x gradlew + + - name: Build the app + run: ./gradlew build # Update this to build your Android or iOS application + + - name: Appknox GitHub action + uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 + with: + appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }} + file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here + risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL] + sarif: Enable + + - name: Upload SARIF to GHAS + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: report.sarif From 0bbd0bd61b4f2734b244587aaa44a7903746cdb3 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 07:45:34 -0500 Subject: [PATCH 48/81] Create nowsecure-mobile-sbom.yml --- .github/workflows/nowsecure-mobile-sbom.yml | 55 +++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/nowsecure-mobile-sbom.yml diff --git a/.github/workflows/nowsecure-mobile-sbom.yml b/.github/workflows/nowsecure-mobile-sbom.yml new file mode 100644 index 0000000..a1c7e1f --- /dev/null +++ b/.github/workflows/nowsecure-mobile-sbom.yml 
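Review bot: `actions/checkout@v2` is two major versions behind the `@v4` used by every other workflow in this series and runs on a Node runtime GitHub has deprecated; change it to `uses: actions/checkout@v4`. The job also has no `permissions:` block although `Upload SARIF to GHAS` needs `security-events: write`, so it depends on the repository's default token scope. Declare `contents: read`, `actions: read` and `security-events: write` at job level. No step sets up a JDK before `./gradlew build`, so the build relies on whatever the runner image ships; confirm that this is intended.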
@@ -0,0 +1,55 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# NowSecure: The Mobile Security Experts . +# +# To use this workflow, you must have a token for NowSecure Platform. If you are a NowSecure customer, +# you can find it in NowSecure Platform. +# +# If you *are not* a NowSecure customer, click here to sign up for a free trial to get access: +# . +# +# Instructions: +# +# 1. In the settings for your repository, click "Secrets" then "New repository secret". Name the secret "NS_TOKEN" and +# paste in your Platform token. If you do not have a Platform token, or wish to create a new one for GitHub, visit +# NowSecure Platform and go to "Profile & Preferences" then create a token labelled "GitHub". +# +# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository +# and review the "Dependency graph" tab in the "Insights" pane once the action has run. + +name: "NowSecure Mobile SBOM" + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '39 4 * * 6' + +permissions: + contents: read + +jobs: + nowsecure: + name: NowSecure Mobile SBOM + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build your application + run: ./gradlew assembleDebug # Update this to build your Android or iOS application + + - name: NowSecure upload app + uses: nowsecure/nowsecure-sbom-action@ecb731b6f17a83fa53f756f9dae2ec7034c5ed7c + with: + token: ${{ secrets.NS_TOKEN }} + app_file: app-debug.apk # Update this to a path to your .ipa or .apk + group_id: {{ groupId }} # Update this to your desired Platform group ID From 6b087e2580a5227bdcc7e081cd28c8400e497ad8 Mon Sep 17 00:00:00 2001 
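Review bot: `group_id: {{ groupId }}` is an unquoted template placeholder; YAML reads `{{ … }}` as a flow mapping used as the key of another flow mapping, so the value is not the string the action expects and the file may not load at all. Replace it with a quoted value or a repository variable, e.g. `group_id: "<your-platform-group-id>"` (placeholder). `app_file: app-debug.apk` also does not match where `./gradlew assembleDebug` normally writes the APK; the Appknox workflow in this series uses `app/build/outputs/apk/debug/app-debug.apk`, so confirm the path.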
From: Melissa1181 Date: Sat, 21 Sep 2024 07:46:52 -0500 Subject: [PATCH 49/81] Create msvc.yml --- .github/workflows/msvc.yml | 66 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/msvc.yml diff --git a/.github/workflows/msvc.yml b/.github/workflows/msvc.yml new file mode 100644 index 0000000..b77805d --- /dev/null +++ b/.github/workflows/msvc.yml 
@@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Find more information at: +# https://github.com/microsoft/msvc-code-analysis-action + +name: Microsoft C++ Code Analysis + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '19 10 * * 6' + +env: + # Path to the CMake build directory. + build: '${{ github.workspace }}/build' + +permissions: + contents: read + +jobs: + analyze: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + name: Analyze + runs-on: windows-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Configure CMake + run: cmake -B ${{ env.build }} + + # Build is not required unless generated source files are used + # - name: Build CMake + # run: cmake --build ${{ env.build }} + + - name: Initialize MSVC Code Analysis + uses: microsoft/msvc-code-analysis-action@04825f6d9e00f87422d6bf04e1a38b1f3ed60d99 + # Provide a unique ID to access the sarif output path + id: run-analysis + with: + cmakeBuildDirectory: ${{ env.build }} + # Ruleset file that will determine what checks will be run + ruleset: NativeRecommendedRules.ruleset + + # Upload SARIF file to GitHub Code Scanning Alerts + - name: Upload SARIF to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.run-analysis.outputs.sarif }} + + # Upload SARIF file as an Artifact to download and view + # - name: Upload SARIF as an Artifact + # uses: actions/upload-artifact@v3 + # with: + # name: sarif-file + # path: ${{ steps.run-analysis.outputs.sarif }} 
From afa1223ce52f2e428fa384e1bcbc189f89b833e6 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 07:47:28 -0500 Subject: [PATCH 50/81] Create xanitizer.yml --- .github/workflows/xanitizer.yml | 100 ++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 .github/workflows/xanitizer.yml diff --git a/.github/workflows/xanitizer.yml b/.github/workflows/xanitizer.yml new file mode 100644 index 0000000..cf0a5b5 --- /dev/null +++ b/.github/workflows/xanitizer.yml 
@@ -0,0 +1,100 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow downloads and installs the latest version of Xanitizer, builds your project, runs a Xanitizer security analysis on it, +# and then archives the findings list reports and uploads the findings into the GitHub code scanning alert section of your repository. +# +# Documentation for the `RIGS-IT/xanitizer-action` is located here: https://github.com/RIGS-IT/xanitizer-action +# +# To use this basic workflow, you will need to complete the following setup steps: +# +# 1. The underlying Xanitizer, used in this workflow, needs a separate license file. +# Licenses are free of charge for open source projects and for educational usage. +# To get more information about the Xanitizer licenses and how to obtain a license file, +# please consult https://www.xanitizer.com/xanitizer-pricing/. +# +# 2. The content of the license file has to be stored as a GitHub secret (e.g. XANITIZER_LICENSE) on this repository. +# Please consult https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. +# +# 3. Reference the GitHub secret in the step using the `RIGS-IT/xanitizer-action` GitHub action. +# Example: +# - name: Xanitizer Security Analysis +# uses: RIGS-IT/xanitizer-action@v1 +# with: +# license: ${{ secrets.XANITIZER_LICENSE }} +# +# 4. As a static application security testing (SAST) tool, +# Xanitizer requires that all dependencies of the artifacts being analyzed can be resolved successfully. +# So you have to install all used libraries and build your project before running the security analysis, +# e.g. 
via `mvn compile` for Java or `npm install` for JavaScript + +name: "Xanitizer Security Analysis" + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '44 23 * * 5' + workflow_dispatch: + +permissions: + contents: read + +jobs: + xanitizer-security-analysis: + # Xanitizer runs on ubuntu-latest and windows-latest. + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + steps: + # Check out the repository + - name: Checkout + uses: actions/checkout@v4 + + # Set up the correct Java version for your project + # Please comment out, if your project does not contain Java source code. + - name: Set up JDK 11 + uses: actions/setup-java@v4 + with: + java-version: 11 + distribution: 'temurin' + + # Compile the code for Java projects and get all libraries, e.g. via Maven + # Please adapt, if your project uses another build system to compile Java source code. + # Please comment out, if your project does not contain Java source code. + - name: Compile Java code + run: mvn -B compile + + # Install all dependent libraries for JavaScript/TypeScript projects, e.g. via npm + # Please adapt to run `npm install` in the correct directories. + # Please adapt, if your project uses another package manager for getting JavaScript libraries. + # Please comment out, if your project does not use a package manager for getting JavaScript libraries. 
+ - name: Install JavaScript libraries + run: npm install + + # Run the security analysis with default settings + - name: Xanitizer Security Analysis + uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316 + with: + license: ${{ secrets.XANITIZER_LICENSE }} + + # Archiving the findings list reports + - uses: actions/upload-artifact@v3 + with: + name: Xanitizer-Reports + path: | + *-Findings-List.pdf + *-Findings-List.sarif + + # Uploads the findings into the GitHub code scanning alert section using the upload-sarif action + - uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: Xanitizer-Findings-List.sarif From 1de85f28fb7a3b6e4f48332737835e3cb4b19c9b Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 07:48:08 -0500 Subject: [PATCH 51/81] Create datree.yml --- .github/workflows/datree.yml | 47 ++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/datree.yml diff --git a/.github/workflows/datree.yml b/.github/workflows/datree.yml new file mode 100644 index 0000000..539626a --- /dev/null +++ b/.github/workflows/datree.yml 
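Review bot: The report-archiving step uses `actions/upload-artifact@v3`, a major version GitHub has deprecated; move it to `actions/upload-artifact@v4` so the findings reports keep being archived. Separately, `run: npm install` resolves dependency versions at run time and runs their install scripts in the workspace that the licensed analysis step then processes; where the project has a lockfile, `run: npm ci` gives a reproducible install that fails on lockfile drift. The Java and JavaScript build steps are both left enabled from the template, so one of them will fail unless the repository really contains both a Maven and an npm project.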
@@ -0,0 +1,47 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which checks out your code and scans your desired k8s config files for misconfigurations using the Datree CLI.
+# The results are then uploaded to GitHub Security Code Scanning.
+#
+# For more information and configurations options, see https://github.com/datreeio/action-datree/
+
+name: Datree
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+jobs:
+ datree:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - name: Run Datree policy check
+ continue-on-error: true
+ uses: datreeio/action-datree@de67ae7a5133d719dc794e1b75682cd4c5f94d8a
+ env:
+ # In order to use the Datree action you will need to have a Datree token.
+ # See https://hub.datree.io/setup/account-token#1-get-your-account-token-from-the-dashboard to acquire your token.
+ DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}
+ with:
+ # Add the path to the configuration file/s that you would like to test.
+ # See https://github.com/datreeio/action-datree#usage for all available options.
+ path: test-file.yaml
+ # Setting a SARIF output will generate a file named "datree.sarif" containing your test results
+ cliArguments: "-o sarif"
+ - name: Upload result to GitHub Code Scanning
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: datree.sarif
From fe9c4c4500b199ee8b9aa36d9341b5fbbad778a0 Mon Sep 17 00:00:00 2001
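Review bot: `path: test-file.yaml` in the "Run Datree policy check" step is still the template placeholder, so unless the repository happens to contain that file the policy check has nothing to scan. Point it at the real manifests, e.g. `path: '<PATH_TO_K8S_MANIFESTS>/*.yaml'` (placeholder, set to the project's layout). Because the step also sets `continue-on-error: true`, a scan that never ran (missing file, or an empty `DATREE_TOKEN` on pull requests from forks) is not reported as a failure at that step and only surfaces, if at all, as a missing `datree.sarif` in the upload step. A comment above `continue-on-error` stating that policy findings are advisory and do not gate the merge would make that intent explicit.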
From: Melissa1181 Date: Sat, 21 Sep 2024 07:48:40 -0500 Subject: [PATCH 52/81] Create puppet-lint.yml --- .github/workflows/puppet-lint.yml | 55 +++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/puppet-lint.yml diff --git a/.github/workflows/puppet-lint.yml b/.github/workflows/puppet-lint.yml new file mode 100644 index 0000000..5541f06 --- /dev/null +++ b/.github/workflows/puppet-lint.yml 
@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# Puppet Lint tests Puppet code against the recommended Puppet language style guide.
+# https://puppet.com/docs/puppet/7/style_guide.html
+# Puppet Lint validates only code style; it does not validate syntax.
+# To test syntax, use Puppet's puppet parser validate command.
+# More details at https://github.com/puppetlabs/puppet-lint/
+
+name: puppet-lint
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '21 17 * * 4'
+
+permissions:
+ contents: read
+
+jobs:
+ puppet-lint:
+ name: Run puppet-lint scanning
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
+ with:
+ ruby-version: 2.7
+ bundler-cache: true
+
+ - name: Install puppet-lint
+ run: gem install puppet-lint
+
+ - name: Run puppet-lint
+ run: puppet-lint . --sarif > puppet-lint-results.sarif
+ continue-on-error: true
+
+ - name: Upload analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: puppet-lint-results.sarif
+ wait-for-processing: true
From 6a56abb402ba8fdabaa629608dc353244bfe8f17 Mon Sep 17 00:00:00 2001
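Review bot: `run: gem install puppet-lint` installs whatever version is current at run time, in a job that holds `security-events: write`, while the Ruby setup action two steps above is pinned to a commit. Pin the gem, e.g. `run: gem install puppet-lint -v '<PINNED_VERSION>'` (placeholder), or install it from a committed Gemfile.lock through the existing `bundler-cache: true`. `ruby-version: 2.7` is also an unquoted float; write `ruby-version: '2.7'` so that a later bump to a value such as 3.0 is not read as the number 3. Ruby 2.7 itself no longer receives upstream security fixes, so a supported release is worth choosing at the same time.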
From: Melissa1181 Date: Sat, 21 Sep 2024 07:50:22 -0500 Subject: [PATCH 53/81] Create policy-validator-tf.yml --- .github/workflows/policy-validator-tf.yml | 101 ++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 .github/workflows/policy-validator-tf.yml diff --git a/.github/workflows/policy-validator-tf.yml b/.github/workflows/policy-validator-tf.yml new file mode 100644 index 0000000..28fd356 --- /dev/null +++ b/.github/workflows/policy-validator-tf.yml 
@@ -0,0 +1,101 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer +# To use this workflow, you will need to complete the following set up steps before start using it: +# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. +# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo. +# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates. +# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow. + +name: Validate AWS IAM policies in Terraform templates using Policy Validator +on: + push: + branches: ["main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] +env: + AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions + REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. 
us-west-1 + TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + RESOURCES: MY_LIST_OF_RESOURCES # set to pass list of resource ARNs in the format resource1, resource2,.. One of `ACTIONS` or `RESOURCES` is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. + REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. 
+ +jobs: + policy-validator: + runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable) + #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow + #https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/ + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners + name: Policy Validator checks for AWS IAM policies + steps: + # checkout the repo for workflow to access the contents + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + # Configure AWS Credentials. More configuration details here- https://github.com/aws-actions/configure-aws-credentials + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.REGION }} + # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer ValidatePolicy check + id: run-aws-validate-policy + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "VALIDATE_POLICY" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from VALIDATE_POLICY check + - name: Print the result for ValidatePolicy check + if: success() || failure() + run: echo "${{ steps.run-aws-validate-policy.outputs.result }}" + # Run the CHECK_ACCESS_NOT_GRANTED check. 
More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckAccessNotGranted check + id: run-aws-check-access-not-granted + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "CHECK_ACCESS_NOT_GRANTED" + template-path: ${{ env.TEMPLATE_PATH }} + actions: ${{ env.ACTIONS }} + resources: ${{ env.RESOURCES }} + region: ${{ env.REGION }} + # Print result from CHECK_ACCESS_NOT_GRANTED check + - name: Print the result for CheckAccessNotGranted check + if: success() || failure() + run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}" + # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + # reference-policy is stored in GitHub secrets + - name: Run AWS AccessAnalyzer CheckNoNewAccess check + id: run-aws-check-no-new-access + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "CHECK_NO_NEW_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + reference-policy: ${{ env.REFERENCE_POLICY }} + reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_NEW_ACCESS check + - name: Print the result CheckNoNewAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" + # Run the CHECK_NO_PUBLIC_ACCESS check. 
More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckNoPublicAccess check + id: run-aws-check-no-public-access + uses: aws-actions/terraform-aws-iam-policy-validator@26797c40250bf1ee50af8996a2475b9b5a8b8927 #v1.0.2 + with: + policy-check-type: "CHECK_NO_PUBLIC_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_PUBLIC_ACCESS check + - name: Print the result for CheckNoPublicAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-public-access.outputs.result }}" From e6d120bfbc7af36d25710171b28444f6c8181005 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 07:50:55 -0500 Subject: [PATCH 54/81] Create osv-scanner.yml --- .github/workflows/osv-scanner.yml | 48 +++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 .github/workflows/osv-scanner.yml diff --git a/.github/workflows/osv-scanner.yml b/.github/workflows/osv-scanner.yml new file mode 100644 index 0000000..a00ce5d --- /dev/null +++ b/.github/workflows/osv-scanner.yml 
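Review bot: The four "Print the result …" steps expand `${{ steps.<id>.outputs.result }}` directly inside the `run:` script, so the validator's output, which presumably reflects content of the Terraform plan under review, becomes part of the shell text before the shell parses it. This job runs on `pull_request` with `id-token: write` and an assumed AWS role, so pass the value through the environment instead: `env:` / `RESULT: ${{ steps.run-aws-validate-policy.outputs.result }}` / `run: echo "$RESULT"`, and likewise for the other three steps. The top-level `env:` block still holds the template placeholders (`MY_ROLE`, `MY_AWS_REGION`, `FILE_PATH_TO_THE_TF_PLAN` and the rest), so the credential and check steps cannot succeed until they are replaced. When the role is created, its trust policy should be limited to this repository and the `main` branch rather than any workflow in the organisation.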
@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
+# in addition to a PR check which fails if new vulnerabilities are introduced.
+#
+# For more examples and options, including how to ignore specific vulnerabilities,
+# see https://google.github.io/osv-scanner/github-action/
+
+name: OSV-Scanner
+
+on:
+ pull_request:
+ branches: [ "main" ]
+ merge_group:
+ branches: [ "main" ]
+ schedule:
+ - cron: '43 8 * * 0'
+ push:
+ branches: [ "main" ]
+
+permissions:
+ # Require writing security events to upload SARIF file to security tab
+ security-events: write
+ # Read commit contents
+ contents: read
+
+jobs:
+ scan-scheduled:
+ if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+ with:
+ # Example of specifying custom arguments
+ scan-args: |-
+ -r
+ --skip-git
+ ./
+ scan-pr:
+ if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+ uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+ with:
+ # Example of specifying custom arguments
+ scan-args: |-
+ -r
+ --skip-git
+ ./
From ed803d80dce8a6615fc87739c97cf0898473911c Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 07:51:55 -0500 Subject: [PATCH 55/81] Create crunch42.yml --- .github/workflows/crunch42.yml | 58 ++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .github/workflows/crunch42.yml diff --git a/.github/workflows/crunch42.yml b/.github/workflows/crunch42.yml new file mode 100644 index 0000000..ad789b0 --- /dev/null +++ b/.github/workflows/crunch42.yml
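Review bot: `security-events: write` is granted in the top-level `permissions:` block, so every job in the file inherits it, whereas the other scanner workflows on this page keep only `contents: read` at workflow level and grant write scopes per job. Move the grant under `scan-scheduled` and `scan-pr` (each with `permissions:` / `security-events: write` / `contents: read`) and reduce the top-level block to `contents: read`, so a job added later does not silently receive the write scope. The reusable workflows are pinned by SHA with a version comment, which is the form the rest of the series should follow.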
@@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow locates REST API file contracts (Swagger or OpenAPI format, v2 and v3, JSON and YAML) +# and runs 300+ security checks on them using 42Crunch Security Audit technology to uncover +# potential vulnerabilities related to authentication, authorization as well as data validation. +# +# Documentation is located here: https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# +# To use this workflow, you need a 42Crunch platform account. If you do not have one, you can contact us +# from this page: https://42crunch.com/request-demo. +# +# 1. Follow steps at https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# to create an API Token on the 42Crunch platform +# +# 2. Create an secret in GitHub as explained in https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm +# and store the 42Crunch API Token in that secret. Expected default is API_TOKEN (see the api-token property in the task). +# +# If you have any questions or need help, open an issue at: https://support.42crunch.com. 
+ +name: "42Crunch REST API Static Security Testing" + +# follow standard Code Scanning triggers +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '20 20 * * 4' + +permissions: + contents: read + +jobs: + rest-api-static-security-testing: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for 42Crunch/api-security-audit-action to upload results to Github Code Scanning + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: 42Crunch REST API Static Security Testing + uses: 42Crunch/api-security-audit-action@fc01ea7a89e6268875868f9d89598af7a9899ae0 + with: + # Please create free account at https://platform.42crunch.com/register + # Follow these steps to configure API_TOKEN https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm + api-token: ${{ secrets.API_TOKEN }} + # Fail if any OpenAPI file scores lower than 75 + min-score: 75 + # Upload results to Github code scanning + upload-to-code-scanning: true + # Github token for uploading the results + github-token: ${{ github.token }} From a327bd2e3f337fd7559eee52e1544b4ac46361d2 Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 07:52:27 -0500 Subject: [PATCH 56/81] Create neuralegion.yml --- .github/workflows/neuralegion.yml | 175 ++++++++++++++++++++++++++++++ 1 file changed, 175 insertions(+) create mode 100644 .github/workflows/neuralegion.yml diff --git a/.github/workflows/neuralegion.yml b/.github/workflows/neuralegion.yml new file mode 100644 index 0000000..bbb7568 --- /dev/null +++ b/.github/workflows/neuralegion.yml 
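Review bot: `api-token: ${{ secrets.API_TOKEN }}` reads a secret with a generic name in a repository that, judging by this patch series, holds tokens for many different vendors, which makes it easy to hand the wrong credential to this third-party action. Use a vendor-specific name such as `api-token: ${{ secrets.CRUNCH42_API_TOKEN }}` (a suggested name; create the secret to match) and update the header comment that gives `API_TOKEN` as the expected default. On pull requests from forks the secret is empty, so this step will fail there unless the job is limited to trusted events. With `min-score: 75` the job is a merge gate, so it is worth stating in a comment that the threshold is intentional.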
@@ -0,0 +1,175 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# +# Run a Nexploit Scan +# This action runs a new security scan in Nexploit, or reruns an existing one. +# Build Secure Apps & APIs. Fast. +# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love. +# Automatically Tests Every Aspect of Your Apps & APIs +# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports +# Seamlessly integrates with the Tools and Workflows You Already Use +# +# NeuraLegion works with your existing CI/CD pipelines โ€“ trigger scans on every commit, pull request or build with unit testing. +# Spin-Up, Configure and Control Scans with Code +# One file. One command. One scan. No UI needed. +# +# Super-Fast Scans +# +# Interacts with applications and APIs, instead of just crawling them and guessing. +# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks. +# +# No False Positives +# +# Stop chasing ghosts and wasting time. NeuraLegion doesnโ€™t return false positives, so you can focus on releasing code. +# +# Comprehensive Security Testing +# +# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities. +# +# More information is available on NeuraLegionโ€™s: +# * [Website](https://www.neuralegion.com/) +# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart) +# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw) +# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+) +# +# Inputs +# +# `name` +# +# **Required**. 
Scan name. +# +# _Example:_ `name: GitHub scan ${{ github.sha }}` +# +# `api_token` +# +# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens). +# +# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}` +# +# `restart_scan` +# +# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).
Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements. +# +# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)` +# +# `discovery_types` +# +# **Required**. Array of discovery types. The following types are available: +# * `archive` - uses an uploaded HAR-file for a scan +# * `crawler` - uses a crawler to define the attack surface for a scan +# * `oas` - uses an uploaded OpenAPI schema for a scan
+# If no discovery type is specified, `crawler` is applied by default. +# +# _Example:_ +# +# ```yml +# discovery_types: | +# [ "crawler", "archive" ] +# ``` +# +# `file_id` +# +# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login). +# +# _Example:_ +# +# ``` +# FILE_ID=$(nexploit-cli archive:upload \ +# --token ${{ secrets.NEXPLOIT_TOKEN }} \ +# --discard true \ +# ./example.har) +# ``` +# +# `crawler_urls` +# +# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface. +# +# _Example:_ +# +# ``` +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# ``` +# +# `hosts_filter` +# +# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. +# +# Outputs +# +# `url` +# +# Url of the resulting scan +# +# `id` +# +# ID of the created scan. 
This ID could then be used to restart the scan, or for the following GitHub actions: +# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues) +# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan) +# +# Example usage +# +# Start a new scan with parameters +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# discovery_types: | +# [ "crawler", "archive" ] +# crawler_urls: | +# [ "http://vulnerable-bank.com" ] +# file_id: LiYknMYSdbSZbqgMaC9Sj +# hosts_filter: | +# [ ] +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" +# ``` +# +# Restart an existing scan +# +# ```yml +# steps: +# - name: Start Nexploit Scan +# id: start +# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe +# with: +# api_token: ${{ secrets.NEXPLOIT_TOKEN }} +# name: GitHub scan ${{ github.sha }} +# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ +# - name: Get the output scan url +# run: echo "The scan was started on ${{ steps.start.outputs.url }}" + + +name: "NeuraLegion" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '39 0 * * 4' + +jobs: + neuralegion_scan: + runs-on: ubuntu-18.04 + name: A job to run a Nexploit scan + steps: + - uses: actions/checkout@v2 + - name: Start Nexploit Scan ๐Ÿ + id: start + uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe + with: + api_token: ${{ secrets.NEURALEGION_TOKEN }} + name: GitHub scan ${{ github.sha }} + discovery_types: | + [ "crawler" ] + crawler_urls: | + [ "https://brokencrystals.com" ] # โœ๏ธ Update this to the url you wish to scan From 0965e9c73f805529930ef7af833fcd26d02b0d47 Mon Sep 17 00:00:00 2001 
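Review bot: Unlike the scanner workflows added just before it, this file has no `permissions:` block, so the job receives the repository's default token scopes although it only needs to read the code; it also targets `runs-on: ubuntu-18.04`, a hosted image GitHub has retired, and `actions/checkout@v2`. Add a read-only permissions block and move to a current runner and checkout release, as sketched below. `crawler_urls` still points at the template's demo host; a scheduled active scan must only be aimed at an application the team is authorised to test, so replace it before the triggers are enabled. The header documents the secret as `NEXPLOIT_TOKEN` while the job reads `secrets.NEURALEGION_TOKEN`; align the comment with the name actually used.

```yaml
# … unchanged: header comments, name, on: triggers …
permissions:
  contents: read

# … unchanged: jobs: / neuralegion_scan: …
    runs-on: ubuntu-latest
# … unchanged: job name, steps: …
      - uses: actions/checkout@v4
# … unchanged: Start Nexploit Scan step …
```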
From: Melissa1181 Date: Sat, 21 Sep 2024 07:53:22 -0500 Subject: [PATCH 57/81] Create snyk-security.yml --- .github/workflows/snyk-security.yml | 79 +++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 .github/workflows/snyk-security.yml diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml new file mode 100644 index 0000000..578dcae --- /dev/null +++ b/.github/workflows/snyk-security.yml 
@@ -0,0 +1,79 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code, +# Snyk Container and Snyk Infrastructure as Code) +# The setup installs the Snyk CLI - for more details on the possible commands +# check https://docs.snyk.io/snyk-cli/cli-reference +# The results of Snyk Code are then uploaded to GitHub Security Code Scanning +# +# In order to use the Snyk Action you will need to have a Snyk API token. +# More details in https://github.com/snyk/actions#getting-your-snyk-token +# or you can signup for free at https://snyk.io/login +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Security + +on: + push: + branches: ["main" ] + pull_request: + branches: ["main"] + +permissions: + contents: read + +jobs: + snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. 
+ # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + + # For Snyk Open Source you must first set up the development environment for your application's dependencies + # For example for Node + #- uses: actions/setup-node@v4 + # with: + # node-version: 20 + + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Runs Snyk Code (SAST) analysis and uploads result into GitHub. + # Use || true to not fail the pipeline + - name: Snyk Code test + run: snyk code test --sarif > snyk-code.sarif # || true + + # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. + - name: Snyk Open Source monitor + run: snyk monitor --all-projects + + # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk. + # Use || true to not fail the pipeline. + - name: Snyk IaC test and report + run: snyk iac test --report # || true + + # Build the docker image for testing + - name: Build a Docker image + run: docker build -t your/image-to-test . + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. + - name: Snyk Container monitor + run: snyk container monitor your/image-to-test --file=Dockerfile + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: snyk-code.sarif From 840e997c490297860307e7704ee71e5d8938468f Mon Sep 17 00:00:00 2001 From: Melissa1181 Date: Sat, 21 Sep 2024 07:53:52 -0500 Subject: [PATCH 58/81] Create veracode.yml --- .github/workflows/veracode.yml | 59 ++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 .github/workflows/veracode.yml diff --git a/.github/workflows/veracode.yml b/.github/workflows/veracode.yml new file mode 100644 index 0000000..b5efbed --- /dev/null 
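Review bot: `snyk code test --sarif > snyk-code.sarif` exits non-zero when it reports issues (the `|| true` is commented out), so on any finding the job stops and the final "Upload result to GitHub Code Scanning" step never runs, which is exactly when the SARIF is needed. Add `continue-on-error: true` to the "Snyk Code test" step, as the datree, puppet-lint and veracode workflows on this page do for their scanners; the same applies to `snyk iac test --report`. Indentation is lost in this rendering, but the `env:` block with `SNYK_TOKEN` appears to sit inside the "Set up Snyk CLI" step; if so, the later `snyk` commands run without the token and the block belongs at job level. `your/image-to-test` is still the template placeholder and needs the real image name.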
+++ b/.github/workflows/veracode.yml 
@@ -0,0 +1,59 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will initiate a Veracode Static Analysis Pipeline scan, return a results.json and convert to SARIF for upload as a code scanning alert
+
+name: Veracode Static Analysis Pipeline Scan
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '24 20 * * 1'
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+permissions:
+ contents: read
+
+jobs:
+ # This workflow contains a job to build and submit pipeline scan, you will need to customize the build process accordingly and make sure the artifact you build is used as the file input to the pipeline scan file parameter
+ build-and-pipeline-scan:
+ # The type of runner that the job will run on
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ steps:
+
+ # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it and copies all sources into ZIP file for submitting for analysis. Replace this section with your applications build steps
+ - uses: actions/checkout@v4
+ with:
+ repository: ''
+
+ - run: zip -r veracode-scan-target.zip ./
+
+ # download the Veracode Static Analysis Pipeline scan jar
+ - run: curl --silent --show-error --fail -O https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
+ - run: unzip -o pipeline-scan-LATEST.zip
+
+ - uses: actions/setup-java@v4
+ with:
+ java-version: 8
+ distribution: 'temurin'
+ - run: java -jar pipeline-scan.jar --veracode_api_id "${{secrets.VERACODE_API_ID}}" --veracode_api_key "${{secrets.VERACODE_API_KEY}}" --fail_on_severity="Very High, High" --file veracode-scan-target.zip
+ continue-on-error: true
+ - name: Convert pipeline scan output to SARIF format
+ id: convert
+ uses: veracode/veracode-pipeline-scan-results-to-sarif@ff08ae5b45d5384cb4679932f184c013d34da9be
+ with:
+ pipeline-results-json: results.json
+ - uses: github/codeql-action/upload-sarif@v3
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: veracode-results.sarif
From 9c073648e80c693c03ff6d84d4f67f24deaf2823 Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 07:57:32 -0500
Subject: [PATCH 59/81] Create python-package-conda.yml
---
.github/workflows/python-package-conda.yml | 34 ++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 .github/workflows/python-package-conda.yml
diff --git a/.github/workflows/python-package-conda.yml b/.github/workflows/python-package-conda.yml
new file mode 100644
index 0000000..f358604
--- /dev/null
+++ b/.github/workflows/python-package-conda.yml
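Review bot: The `curl … pipeline-scan-LATEST.zip` step fetches a mutable "LATEST" archive, and the job then runs the extracted jar with the Veracode API credentials without checking what was downloaded. If the vendor offers a versioned URL or a published digest, verify it before `unzip`, e.g. `echo "<EXPECTED_SHA256>  pipeline-scan-LATEST.zip" | sha256sum -c -`. The scan step also pastes `${{secrets.VERACODE_API_ID}}` and `${{secrets.VERACODE_API_KEY}}` into the command text; mapping them through a step-level `env:` and passing `"$VERACODE_API_ID"` / `"$VERACODE_API_KEY"` keeps them out of the rendered script. Because `continue-on-error: true` hides a failed scan, the convert step may run without a fresh `results.json`.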
@@ -0,0 +1,34 @@
+name: Python Package using Conda
+
+on: [push]
+
+jobs:
+ build-linux:
+ runs-on: ubuntu-latest
+ strategy:
+ max-parallel: 5
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up Python 3.10
+ uses: actions/setup-python@v3
+ with:
+ python-version: '3.10'
+ - name: Add conda to system path
+ run: |
+ # $CONDA is an environment variable pointing to the root of the miniconda directory
+ echo $CONDA/bin >> $GITHUB_PATH
+ - name: Install dependencies
+ run: |
+ conda env update --file environment.yml --name base
+ - name: Lint with flake8
+ run: |
+ conda install flake8
+ # stop the build if there are Python syntax errors or undefined names
+ flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+ # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
+ flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics
+ - name: Test with pytest
+ run: |
+ conda install pytest
+ pytest
From 6ed342932dd0c061046875bd304f53d8e2fff6ec Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:00:13 -0500
Subject: [PATCH 60/81] Create super-linter.yml
---
.github/workflows/super-linter.yml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 .github/workflows/super-linter.yml
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
new file mode 100644
index 0000000..af6a923
--- /dev/null
+++ b/.github/workflows/super-linter.yml
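Review bot: This workflow declares no `permissions:` block, so the job's GITHUB_TOKEN gets whatever default the repository or organization is configured with, which may include write scopes. The job only checks out, lints and tests, so a top-level `permissions:` with `contents: read` is enough. The same block is missing from the super-linter.yml, npm-grunt.yml, cmake-single-platform.yml, ios.yml, clojure.yml and manual.yml hunks in this series.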
@@ -0,0 +1,29 @@
+# This workflow executes several linters on changed files based on languages used in your code base whenever
+# you push a code or open a pull request.
+#
+# You can adjust the behavior by modifying this file.
+# For more information, see:
+# https://github.com/github/super-linter
+name: Lint Code Base
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+jobs:
+ run-lint:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ # Full git history is needed to get a proper list of changed files within `super-linter`
+ fetch-depth: 0
+
+ - name: Lint Code Base
+ uses: github/super-linter@v4
+ env:
+ VALIDATE_ALL_CODEBASE: false
+ DEFAULT_BRANCH: "main"
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From e1c4978c455c6eca5b55ac5acd5a81cd033cb6dc Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:00:41 -0500
Subject: [PATCH 61/81] Create scala.yml
---
.github/workflows/scala.yml | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 .github/workflows/scala.yml
diff --git a/.github/workflows/scala.yml b/.github/workflows/scala.yml
new file mode 100644
index 0000000..0a8e6a6
--- /dev/null
+++ b/.github/workflows/scala.yml
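Review bot: `uses: github/super-linter@v4` follows a movable tag while the step is handed `GITHUB_TOKEN`, so whatever the tag points to at run time executes with that token. Other workflows in this series (veracode.yml, gradle.yml, docker-publish.yml) pin third-party actions to a full commit SHA; doing the same here, `uses: github/super-linter@<FULL_COMMIT_SHA> # v4`, makes the reference immutable. `microsoft/setup-msbuild@v1.0.2` in the msbuild.yml hunk has the same tag-only reference.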
@@ -0,0 +1,34 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Scala CI
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK 11
+ uses: actions/setup-java@v4
+ with:
+ java-version: '11'
+ distribution: 'temurin'
+ cache: 'sbt'
+ - name: Run tests
+ run: sbt test
+ # Optional: This step uploads information to the GitHub dependency graph and unblocking Dependabot alerts for the repository
+ - name: Upload dependency graph
+ uses: scalacenter/sbt-dependency-submission@ab086b50c947c9774b70f39fc7f6e20ca2706c91
From 84706ed82eddfaf3946324365dfb318322eb1b10 Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:01:13 -0500
Subject: [PATCH 62/81] Create gradle.yml
---
.github/workflows/gradle.yml | 67 ++++++++++++++++++++++++++++++++++++
1 file changed, 67 insertions(+)
create mode 100644 .github/workflows/gradle.yml
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
new file mode 100644
index 0000000..87d5ecb
--- /dev/null
+++ b/.github/workflows/gradle.yml
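Review bot: The `Upload dependency graph` step runs under the workflow-level `permissions: contents: read`, but submitting a dependency snapshot normally needs `contents: write`, so this step will probably fail with the token as scoped here. Rather than widening the token for the whole `build` job, which also runs `sbt test` on pull requests, the submission could move to its own job that sets `contents: write` under `permissions:` and is limited to pushes with `if: github.event_name == 'push'`. gradle.yml in this series already separates the submission into its own job for the permission part.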
@@ -0,0 +1,67 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+# This workflow will build a Java project with Gradle and cache/restore any dependencies to improve the workflow execution time
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-java-with-gradle
+
+name: Java CI with Gradle
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+
+ # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies.
+ # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
+ - name: Setup Gradle
+ uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
+
+ - name: Build with Gradle Wrapper
+ run: ./gradlew build
+
+ # NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html).
+ # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version.
+ #
+ # - name: Setup Gradle
+ # uses: gradle/actions/setup-gradle@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
+ # with:
+ # gradle-version: '8.9'
+ #
+ # - name: Build with Gradle 8.9
+ # run: gradle build
+
+ dependency-submission:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Set up JDK 17
+ uses: actions/setup-java@v4
+ with:
+ java-version: '17'
+ distribution: 'temurin'
+
+ # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies.
+ # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md
+ - name: Generate and submit dependency graph
+ uses: gradle/actions/dependency-submission@af1da67850ed9a4cedd57bfd976089dd991e2582 # v4.0.0
From 16cdf3574f0b3600b6c09d16504d99e695f94539 Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:01:42 -0500
Subject: [PATCH 63/81] Create npm-grunt.yml
---
.github/workflows/npm-grunt.yml | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 .github/workflows/npm-grunt.yml
diff --git a/.github/workflows/npm-grunt.yml b/.github/workflows/npm-grunt.yml
new file mode 100644
index 0000000..5ef7a9a
--- /dev/null
+++ b/.github/workflows/npm-grunt.yml
@@ -0,0 +1,28 @@
+name: NodeJS with Grunt
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix:
+ node-version: [18.x, 20.x, 22.x]
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Use Node.js ${{ matrix.node-version }}
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ matrix.node-version }}
+
+ - name: Build
+ run: |
+ npm install
+ grunt
From 9a177f45e65ce79fc2c35e4f21c0df9598ee596b Mon Sep 17 00:00:00 2001
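Review bot: The `dependency-submission` job in gradle.yml holds `contents: write` and has no event filter, so it also runs for `pull_request`, where the pull request's Gradle build logic executes in a job that carries a write-capable token (fork pull requests get a read-only token, so the submission would likely just fail there). Adding `if: github.event_name == 'push'` under `dependency-submission:` keeps the write scope to code that is already on `main`.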
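Review bot: The `Build` step in npm-grunt.yml uses `npm install`, which may resolve versions newer than those recorded in the lockfile, so CI can build with dependencies nobody reviewed. If the repository commits a `package-lock.json`, `npm ci` installs exactly the locked tree and fails on drift. The bare `grunt` call also depends on a globally available grunt CLI; `npx grunt` would use the project's own copy.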
From: Melissa1181
Date: Sat, 21 Sep 2024 08:02:12 -0500
Subject: [PATCH 64/81] Create cmake-single-platform.yml
---
.github/workflows/cmake-single-platform.yml | 39 +++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 .github/workflows/cmake-single-platform.yml
diff --git a/.github/workflows/cmake-single-platform.yml b/.github/workflows/cmake-single-platform.yml
new file mode 100644
index 0000000..0ac33d9
--- /dev/null
+++ b/.github/workflows/cmake-single-platform.yml
@@ -0,0 +1,39 @@
+# This starter workflow is for a CMake project running on a single platform. There is a different starter workflow if you need cross-platform coverage.
+# See: https://github.com/actions/starter-workflows/blob/main/ci/cmake-multi-platform.yml
+name: CMake on a single platform
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+env:
+ # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.)
+ BUILD_TYPE: Release
+
+jobs:
+ build:
+ # The CMake configure and build commands are platform agnostic and should work equally well on Windows or Mac.
+ # You can convert this to a matrix build if you need cross-platform coverage.
+ # See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Configure CMake
+ # Configure CMake in a 'build' subdirectory. `CMAKE_BUILD_TYPE` is only required if you are using a single-configuration generator such as make.
+ # See https://cmake.org/cmake/help/latest/variable/CMAKE_BUILD_TYPE.html?highlight=cmake_build_type
+ run: cmake -B ${{github.workspace}}/build -DCMAKE_BUILD_TYPE=${{env.BUILD_TYPE}}
+
+ - name: Build
+ # Build your program with the given configuration
+ run: cmake --build ${{github.workspace}}/build --config ${{env.BUILD_TYPE}}
+
+ - name: Test
+ working-directory: ${{github.workspace}}/build
+ # Execute tests defined by the CMake configuration.
+ # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail
+ run: ctest -C ${{env.BUILD_TYPE}}
+
From 9e5b62f2205eb1eaaf0d717ab7f087d64b96836e Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:02:38 -0500
Subject: [PATCH 65/81] Create docker-publish.yml
---
.github/workflows/docker-publish.yml | 98 ++++++++++++++++++++++++++++
1 file changed, 98 insertions(+)
create mode 100644 .github/workflows/docker-publish.yml
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000..a960702
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,98 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+ schedule:
+ - cron: '25 0 * * *'
+ push:
+ branches: [ "main" ]
+ # Publish semver tags as releases.
+ tags: [ 'v*.*.*' ]
+ pull_request:
+ branches: [ "main" ]
+
+env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as /
+ IMAGE_NAME: ${{ github.repository }}
+
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ # This is used to complete the identity challenge
+ # with sigstore/fulcio when running outside of PRs.
+ id-token: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Install the cosign tool except on PR
+ # https://github.com/sigstore/cosign-installer
+ - name: Install cosign
+ if: github.event_name != 'pull_request'
+ uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
+ with:
+ cosign-release: 'v2.2.4'
+
+ # Set up BuildKit Docker container builder to be able to build
+ # multi-platform images and export cache
+ # https://github.com/docker/setup-buildx-action
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
+
+ # Login against a Docker registry except on PR
+ # https://github.com/docker/login-action
+ - name: Log into registry ${{ env.REGISTRY }}
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ # Extract metadata (tags, labels) for Docker
+ # https://github.com/docker/metadata-action
+ - name: Extract Docker metadata
+ id: meta
+ uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+ with:
+ images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+ # Build and push Docker image with Buildx (don't push on PR)
+ # https://github.com/docker/build-push-action
+ - name: Build and push Docker image
+ id: build-and-push
+ uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ with:
+ context: .
+ push: ${{ github.event_name != 'pull_request' }}
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+
+ # Sign the resulting Docker image digest except on PRs.
+ # This will only write to the public Rekor transparency log when the Docker
+ # repository is public to avoid leaking data. If you would like to publish
+ # transparency data even for private images, pass --force to cosign below.
+ # https://github.com/sigstore/cosign
+ - name: Sign the published Docker image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
+ # This step uses the identity token to provision an ephemeral certificate
+ # against the sigstore community Fulcio instance.
+ run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
From 0735df10d0b6b1de8e2ee2ae34c7f25eb1e5f2e4 Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:03:18 -0500
Subject: [PATCH 66/81] Create ios.yml
---
.github/workflows/ios.yml | 44 +++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 .github/workflows/ios.yml
diff --git a/.github/workflows/ios.yml b/.github/workflows/ios.yml
new file mode 100644
index 0000000..9827103
--- /dev/null
+++ b/.github/workflows/ios.yml
@@ -0,0 +1,44 @@
+name: iOS starter workflow
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ build:
+ name: Build and Test default scheme using any available iPhone simulator
+ runs-on: macos-latest
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set Default Scheme
+ run: |
+ scheme_list=$(xcodebuild -list -json | tr -d "\n")
+ default=$(echo $scheme_list | ruby -e "require 'json'; puts JSON.parse(STDIN.gets)['project']['targets'][0]")
+ echo $default | cat >default
+ echo Using default scheme: $default
+ - name: Build
+ env:
+ scheme: ${{ 'default' }}
+ platform: ${{ 'iOS Simulator' }}
+ run: |
+ # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
+ if [ $scheme = default ]; then scheme=$(cat default); fi
+ if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
+ file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
+ xcodebuild build-for-testing -scheme "$scheme" -"$filetype_parameter" "$file_to_build" -destination "platform=$platform,name=$device"
+ - name: Test
+ env:
+ scheme: ${{ 'default' }}
+ platform: ${{ 'iOS Simulator' }}
+ run: |
+ # xcrun xctrace returns via stderr, not the expected stdout (see https://developer.apple.com/forums/thread/663959)
+ device=`xcrun xctrace list devices 2>&1 | grep -oE 'iPhone.*?[^\(]+' | head -1 | awk '{$1=$1;print}' | sed -e "s/ Simulator$//"`
+ if [ $scheme = default ]; then scheme=$(cat default); fi
+ if [ "`ls -A | grep -i \\.xcworkspace\$`" ]; then filetype_parameter="workspace" && file_to_build="`ls -A | grep -i \\.xcworkspace\$`"; else filetype_parameter="project" && file_to_build="`ls -A | grep -i \\.xcodeproj\$`"; fi
+ file_to_build=`echo $file_to_build | awk '{$1=$1;print}'`
+ xcodebuild test-without-building -scheme "$scheme" -"$filetype_parameter" "$file_to_build" -destination "platform=$platform,name=$device"
From ac00f605195a17840215e6014e20dd44a4b8fa1d Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:04:30 -0500
Subject: [PATCH 67/81] Create msbuild.yml
---
.github/workflows/msbuild.yml | 44 +++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 .github/workflows/msbuild.yml
diff --git a/.github/workflows/msbuild.yml b/.github/workflows/msbuild.yml
new file mode 100644
index 0000000..43ea450
--- /dev/null
+++ b/.github/workflows/msbuild.yml
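Review bot: In both the `Build` and `Test` steps `$scheme` is expanded unquoted in `if [ $scheme = default ]`, and `Set Default Scheme` does the same with `echo $default`; a scheme or target name containing spaces or glob characters would be word-split and break the test or the file contents. Quoting the expansions keeps the value intact: `if [ "$scheme" = default ]; then scheme=$(cat default); fi` and `echo "$default" > default`.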
@@ -0,0 +1,44 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: MSBuild
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+env:
+ # Path to the solution file relative to the root of the project.
+ SOLUTION_FILE_PATH: .
+
+ # Configuration type to build.
+ # You can convert this to a build matrix if you need coverage of multiple configuration types.
+ # https://docs.github.com/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
+ BUILD_CONFIGURATION: Release
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: windows-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Add MSBuild to PATH
+ uses: microsoft/setup-msbuild@v1.0.2
+
+ - name: Restore NuGet packages
+ working-directory: ${{env.GITHUB_WORKSPACE}}
+ run: nuget restore ${{env.SOLUTION_FILE_PATH}}
+
+ - name: Build
+ working-directory: ${{env.GITHUB_WORKSPACE}}
+ # Add additional options to the MSBuild command line here (like platform or verbosity level).
+ # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
+ run: msbuild /m /p:Configuration=${{env.BUILD_CONFIGURATION}} ${{env.SOLUTION_FILE_PATH}}
From e8f9ae2cabcb59f6f31940ba23383c556edefc3a Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:05:33 -0500
Subject: [PATCH 68/81] Create clojure.yml
---
.github/workflows/clojure.yml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .github/workflows/clojure.yml
diff --git a/.github/workflows/clojure.yml b/.github/workflows/clojure.yml
new file mode 100644
index 0000000..5894814
--- /dev/null
+++ b/.github/workflows/clojure.yml
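Review bot: `working-directory: ${{env.GITHUB_WORKSPACE}}` in the `Restore NuGet packages` and `Build` steps reads `GITHUB_WORKSPACE` from the `env` context, which only holds variables defined in the workflow itself, so the expression most likely evaluates to an empty string and the steps silently fall back to the default directory. If the intent is the checkout root, `working-directory: ${{ github.workspace }}` says so explicitly.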
@@ -0,0 +1,19 @@
+name: Clojure CI
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install dependencies
+ run: lein deps
+ - name: Run tests
+ run: lein test
From 28e0cd99bf0a588ca1299e674e4e5de8632d506a Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:06:35 -0500
Subject: [PATCH 69/81] Create php.yml
---
.github/workflows/php.yml | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 .github/workflows/php.yml
diff --git a/.github/workflows/php.yml b/.github/workflows/php.yml
new file mode 100644
index 0000000..7d257b5
--- /dev/null
+++ b/.github/workflows/php.yml
@@ -0,0 +1,39 @@
+name: PHP Composer
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Validate composer.json and composer.lock
+ run: composer validate --strict
+
+ - name: Cache Composer packages
+ id: composer-cache
+ uses: actions/cache@v3
+ with:
+ path: vendor
+ key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }}
+ restore-keys: |
+ ${{ runner.os }}-php-
+
+ - name: Install dependencies
+ run: composer install --prefer-dist --no-progress
+
+ # Add a test script to composer.json, for instance: "test": "vendor/bin/phpunit"
+ # Docs: https://getcomposer.org/doc/articles/scripts.md
+
+ # - name: Run test suite
+ # run: composer run-script test
From 34613c192dbb04f48867191836dd0e6dd2045fef Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:07:21 -0500
Subject: [PATCH 70/81] Create label.yml
---
.github/workflows/label.yml | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
create mode 100644 .github/workflows/label.yml
diff --git a/.github/workflows/label.yml b/.github/workflows/label.yml
new file mode 100644
index 0000000..4613569
--- /dev/null
+++ b/.github/workflows/label.yml
@@ -0,0 +1,22 @@
+# This workflow will triage pull requests and apply a label based on the
+# paths that are modified in the pull request.
+#
+# To use this workflow, you will need to set up a .github/labeler.yml
+# file with configuration. For more information, see:
+# https://github.com/actions/labeler
+
+name: Labeler
+on: [pull_request_target]
+
+jobs:
+ label:
+
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
+
+ steps:
+ - uses: actions/labeler@v4
+ with:
+ repo-token: "${{ secrets.GITHUB_TOKEN }}"
From 8049710646d39dcb44e5797e4556e7897ef95714 Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:07:45 -0500
Subject: [PATCH 71/81] Create greetings.yml
---
.github/workflows/greetings.yml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
create mode 100644 .github/workflows/greetings.yml
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
new file mode 100644
index 0000000..4677434
--- /dev/null
+++ b/.github/workflows/greetings.yml
@@ -0,0 +1,16 @@
+name: Greetings
+
+on: [pull_request_target, issues]
+
+jobs:
+ greeting:
+ runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
+ steps:
+ - uses: actions/first-interaction@v1
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ issue-message: "Message that will be displayed on users' first issue"
+ pr-message: "Message that will be displayed on users' first pull request"
From 0baaf0e574cc3a64a7a8015f30867b63c3e21f05 Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:08:08 -0500
Subject: [PATCH 72/81] Create manual.yml
---
.github/workflows/manual.yml | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 .github/workflows/manual.yml
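Review bot: `on: [pull_request_target]` in label.yml runs the workflow in the context of the base repository, with a token that has `pull-requests: write`, for pull requests from forks as well. That is acceptable only while no step checks out or executes pull-request content, and nothing in the file records that constraint. A comment above the trigger would do it: `# pull_request_target: runs with the base repo's token; never check out or run PR head code in this workflow`. greetings.yml uses the same trigger and would benefit from the same comment.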
diff --git a/.github/workflows/manual.yml b/.github/workflows/manual.yml
new file mode 100644
index 0000000..11b2e35
--- /dev/null
+++ b/.github/workflows/manual.yml
@@ -0,0 +1,32 @@
+# This is a basic workflow that is manually triggered
+
+name: Manual workflow
+
+# Controls when the action will run. Workflow runs when manually triggered using the UI
+# or API.
+on:
+ workflow_dispatch:
+ # Inputs the workflow accepts.
+ inputs:
+ name:
+ # Friendly description to be shown in the UI instead of 'name'
+ description: 'Person to greet'
+ # Default value if no value is explicitly provided
+ default: 'World'
+ # Input has to be provided for the workflow to run
+ required: true
+ # The data type of the input
+ type: string
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "greet"
+ greet:
+ # The type of runner that the job will run on
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+ # Runs a single command using the runners shell
+ - name: Send greeting
+ run: echo "Hello ${{ inputs.name }}"
From 93ee28ed3ec8a3af459042b73f4080370d99919f Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:08:37 -0500
Subject: [PATCH 73/81] Create stale.yml
---
.github/workflows/stale.yml | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 .github/workflows/stale.yml
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
new file mode 100644
index 0000000..817c783
--- /dev/null
+++ b/.github/workflows/stale.yml
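Review bot: `run: echo "Hello ${{ inputs.name }}"` substitutes the dispatch input into the script text before the shell parses it, so the value is interpreted as shell syntax rather than as data. Passing it through the environment avoids that: add `env:` with `NAME: ${{ inputs.name }}` to the `Send greeting` step and change the command to `run: echo "Hello $NAME"`.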
@@ -0,0 +1,27 @@
+# This workflow warns and then closes issues and PRs that have had no activity for a specified amount of time.
+#
+# You can adjust the behavior by modifying this file.
+# For more information, see:
+# https://github.com/actions/stale
+name: Mark stale issues and pull requests
+
+on:
+ schedule:
+ - cron: '17 22 * * *'
+
+jobs:
+ stale:
+
+ runs-on: ubuntu-latest
+ permissions:
+ issues: write
+ pull-requests: write
+
+ steps:
+ - uses: actions/stale@v5
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+ stale-issue-message: 'Stale issue message'
+ stale-pr-message: 'Stale pull request message'
+ stale-issue-label: 'no-issue-activity'
+ stale-pr-label: 'no-pr-activity'
From b89f44a179bf566b937767fffe4bc80eec5f2d58 Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:09:12 -0500
Subject: [PATCH 74/81] Create nextjs.yml
---
.github/workflows/nextjs.yml | 93 ++++++++++++++++++++++++++++++++++++
1 file changed, 93 insertions(+)
create mode 100644 .github/workflows/nextjs.yml
diff --git a/.github/workflows/nextjs.yml b/.github/workflows/nextjs.yml
new file mode 100644
index 0000000..ed74736
--- /dev/null
+++ b/.github/workflows/nextjs.yml
@@ -0,0 +1,93 @@
+# Sample workflow for building and deploying a Next.js site to GitHub Pages
+#
+# To get started with Next.js see: https://nextjs.org/docs/getting-started
+#
+name: Deploy Next.js site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
+ echo "runner=yarn" >> $GITHUB_OUTPUT
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
+ echo "runner=npx --no-install" >> $GITHUB_OUTPUT
+ exit 0
+ else
+ echo "Unable to determine package manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ uses: actions/configure-pages@v5
+ with:
+ # Automatically inject basePath in your Next.js configuration file and disable
+ # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized).
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: next
+ - name: Restore cache
+ uses: actions/cache@v4
+ with:
+ path: |
+ .next/cache
+ # Generate a new cache whenever packages or source files change.
+ key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
+ # If source files changed but packages didn't, rebuild from a prior cache.
+ restore-keys: |
+ ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Build with Next.js
+ run: ${{ steps.detect-package-manager.outputs.runner }} next build
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: ./out
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
From f4ad06193f1d41367b25c1b158d6e918673a85dc Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:09:33 -0500
Subject: [PATCH 75/81] Create static.yml
---
.github/workflows/static.yml | 43 ++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
create mode 100644 .github/workflows/static.yml
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
new file mode 100644
index 0000000..f2c9e97
--- /dev/null
+++ b/.github/workflows/static.yml
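Review bot: The workflow-level `pages: write` and `id-token: write` also apply to the `build` job, which installs dependencies and runs `next build`, i.e. executes third-party package code; only `deploy` needs those scopes. Adding `permissions:` with `contents: read` under `build:` and moving `pages: write` / `id-token: write` under `deploy:` keeps the deployment token away from the build. gatsby.yml in this series has the same layout.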
@@ -0,0 +1,43 @@
+# Simple workflow for deploying static content to GitHub Pages
+name: Deploy static content to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ # Single deploy job since we're just deploying
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Setup Pages
+ uses: actions/configure-pages@v5
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ # Upload entire repository
+ path: '.'
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
From 6a2fde9edb4c56c04b8f8609cd5fc730e2395375 Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:10:01 -0500
Subject: [PATCH 76/81] Create gatsby.yml
---
.github/workflows/gatsby.yml | 97 ++++++++++++++++++++++++++++++++++++
1 file changed, 97 insertions(+)
create mode 100644 .github/workflows/gatsby.yml
diff --git a/.github/workflows/gatsby.yml b/.github/workflows/gatsby.yml
new file mode 100644
index 0000000..9aaecfe
--- /dev/null
+++ b/.github/workflows/gatsby.yml
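Review bot: `path: '.'` in the `Upload artifact` step publishes the checkout as the Pages site, so READMEs, configuration and data files committed alongside the content are likely to be served publicly as well. Pointing the artifact at a dedicated directory, `path: '<site-directory>'`, limits what becomes public. If serving the whole repository is intended, the existing `# Upload entire repository` comment should say that everything committed is published.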
@@ -0,0 +1,97 @@
+# Sample workflow for building and deploying a Gatsby site to GitHub Pages
+#
+# To get started with Gatsby see: https://www.gatsbyjs.com/docs/quick-start/
+#
+name: Deploy Gatsby site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+# Default to bash
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
+ exit 0
+ else
+ echo "Unable to determine package manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v5
+ with:
+ # Automatically inject pathPrefix in your Gatsby configuration file.
+ #
+ # You may remove this line if you want to manage the configuration yourself.
+ static_site_generator: gatsby
+ - name: Restore cache
+ uses: actions/cache@v4
+ with:
+ path: |
+ public
+ .cache
+ key: ${{ runner.os }}-gatsby-build-${{ hashFiles('public') }}
+ restore-keys: |
+ ${{ runner.os }}-gatsby-build-
+ - name: Install dependencies
+ run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ - name: Build with Gatsby
+ env:
+ PREFIX_PATHS: 'true'
+ run: ${{ steps.detect-package-manager.outputs.manager }} run build
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: ./public
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
From a425c21fc9b797378335cb0f278de8b1cf282b72 Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:10:36 -0500
Subject: [PATCH 77/81] Create jekyll-gh-pages.yml
---
.github/workflows/jekyll-gh-pages.yml | 51 +++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 .github/workflows/jekyll-gh-pages.yml
diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml
new file mode 100644
index 0000000..e31d81c
--- /dev/null
+++ b/.github/workflows/jekyll-gh-pages.yml
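Review bot: In gatsby.yml the workflow-level `permissions` block gives `pages: write` and `id-token: write` to the `build` job as well, and that job runs the dependency install and the site build, i.e. third-party package scripts, with a token that can deploy and request an OIDC token. Only `deploy` needs those scopes; `build` should need just `contents: read` plus `pages: read` for the configure-pages lookup (worth confirming against that action's documentation). The same layout recurs in jekyll-gh-pages.yml, jekyll.yml, hugo.yml, mdbook.yml and astro.yml later in this series. Reducing the top-level block to `contents: read` and granting the rest per job, as sketched below, keeps the build at least privilege.

```yaml
jobs:
  build:
    permissions:
      contents: read
      pages: read
    # … unchanged: runs-on and build steps …
  deploy:
    permissions:
      pages: write
      id-token: write
    # … unchanged: environment, runs-on, needs, steps …
```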
@@ -0,0 +1,51 @@
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll with GitHub Pages dependencies preinstalled
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Setup Pages
+ uses: actions/configure-pages@v5
+ - name: Build with Jekyll
+ uses: actions/jekyll-build-pages@v1
+ with:
+ source: ./
+ destination: ./_site
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
From 92c1a61831c1b4e40b7c649b2cbc4d64669bd3f0 Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:11:04 -0500
Subject: [PATCH 78/81] Create jekyll.yml
---
.github/workflows/jekyll.yml | 64 ++++++++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 .github/workflows/jekyll.yml
diff --git a/.github/workflows/jekyll.yml b/.github/workflows/jekyll.yml
new file mode 100644
index 0000000..68520b5
--- /dev/null
+++ b/.github/workflows/jekyll.yml
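Review bot: In jekyll-gh-pages.yml every `uses:` line references a mutable major tag (`actions/checkout@v4`, `actions/jekyll-build-pages@v1`, `actions/deploy-pages@v4`), so the code that runs with `pages: write` and `id-token: write` can change without any commit in this repository. jekyll.yml in this series already pins `ruby/setup-ruby` to a full commit SHA with the version in a trailing comment; the same form here, e.g. `uses: actions/deploy-pages@<full-commit-sha> # v4`, would make action updates reviewable. The tag-only references also appear in static.yml, gatsby.yml, hugo.yml, mdbook.yml and astro.yml.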
@@ -0,0 +1,64 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Setup Ruby
+ uses: ruby/setup-ruby@8575951200e472d5f2d95c625da0c7bec8217c42 # v1.161.0
+ with:
+ ruby-version: '3.1' # Not needed with a .ruby-version file
+ bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+ cache-version: 0 # Increment this number if you need to re-download cached gems
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v5
+ - name: Build with Jekyll
+ # Outputs to the './_site' directory by default
+ run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
+ env:
+ JEKYLL_ENV: production
+ - name: Upload artifact
+ # Automatically uploads an artifact from the './_site' directory by default
+ uses: actions/upload-pages-artifact@v3
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: 
actions/deploy-pages@v4
From 19145ec989055afaf768d143954a01785b3797cf Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:11:28 -0500
Subject: [PATCH 79/81] Create hugo.yml
---
.github/workflows/hugo.yml | 74 ++++++++++++++++++++++++++++++++++++++
1 file changed, 74 insertions(+)
create mode 100644 .github/workflows/hugo.yml
diff --git a/.github/workflows/hugo.yml b/.github/workflows/hugo.yml
new file mode 100644
index 0000000..a8cf471
--- /dev/null
+++ b/.github/workflows/hugo.yml
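Review bot: In jekyll.yml the `Build with Jekyll` step expands `${{ steps.pages.outputs.base_path }}` inside the `run:` string, so the value is pasted into the script text before bash parses it and the surrounding double quotes give no protection if it ever contains shell metacharacters. The value comes from the Pages configuration, so the practical exposure is presumably small, but passing it through the environment removes the pattern: add `BASE_PATH: ${{ steps.pages.outputs.base_path }}` under the step's `env:` and use `run: bundle exec jekyll build --baseurl "$BASE_PATH"`. hugo.yml (`--baseURL`) and astro.yml (`--site`, `--base`) interpolate step outputs into `run:` the same way.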
@@ -0,0 +1,74 @@
+# Sample workflow for building and deploying a Hugo site to GitHub Pages
+name: Deploy Hugo site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+# Default to bash
+defaults:
+ run:
+ shell: bash
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ env:
+ HUGO_VERSION: 0.128.0
+ steps:
+ - name: Install Hugo CLI
+ run: |
+ wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
+ && sudo dpkg -i ${{ runner.temp }}/hugo.deb
+ - name: Install Dart Sass
+ run: sudo snap install dart-sass
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v5
+ - name: Install Node.js dependencies
+ run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
+ - name: Build with Hugo
+ env:
+ HUGO_CACHEDIR: ${{ runner.temp }}/hugo_cache
+ HUGO_ENVIRONMENT: production
+ run: |
+ hugo \
+ --minify \
+ --baseURL "${{ steps.pages.outputs.base_url }}/"
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: ./public
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
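Review bot: The `Install Hugo CLI` step in hugo.yml installs the downloaded `.deb` with `sudo dpkg -i` without checking its integrity, so the job trusts whatever the release URL serves at run time. Since `HUGO_VERSION` is already pinned, the expected digest can be pinned beside it and verified between the download and the install, for example `echo "${HUGO_SHA256}  ${RUNNER_TEMP}/hugo.deb" | sha256sum --check` with `HUGO_SHA256: <sha256-of-the-pinned-deb>` added to the job `env`. Separately, the `... && npm ci || true` form in `Install Node.js dependencies` also swallows a failing `npm ci`, so a broken install does not stop the build.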
From 2f82ff860864761920713a03c69c84a9a3e6ba36 Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:11:58 -0500
Subject: [PATCH 80/81] Create mdbook.yml
---
.github/workflows/mdbook.yml | 60 ++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+)
create mode 100644 .github/workflows/mdbook.yml
diff --git a/.github/workflows/mdbook.yml b/.github/workflows/mdbook.yml
new file mode 100644
index 0000000..38e5f36
--- /dev/null
+++ b/.github/workflows/mdbook.yml
@@ -0,0 +1,60 @@
+# Sample workflow for building and deploying a mdBook site to GitHub Pages
+#
+# To get started with mdBook see: https://rust-lang.github.io/mdBook/index.html
+#
+name: Deploy mdBook site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+jobs:
+ # Build job
+ build:
+ runs-on: ubuntu-latest
+ env:
+ MDBOOK_VERSION: 0.4.36
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install mdBook
+ run: |
+ curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh
+ rustup update
+ cargo install --version ${MDBOOK_VERSION} mdbook
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v5
+ - name: Build with mdBook
+ run: mdbook build
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: ./book
+
+ # Deployment job
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
From 46824dac40ac7c257d10743e65d3240cbf34c7e5 Mon Sep 17 00:00:00 2001
From: Melissa1181
Date: Sat, 21 Sep 2024 08:12:25 -0500
Subject: [PATCH 81/81] Create astro.yml
---
.github/workflows/astro.yml | 90 +++++++++++++++++++++++++++++++++++++
1 file changed, 90 insertions(+)
create mode 100644 .github/workflows/astro.yml
diff --git a/.github/workflows/astro.yml b/.github/workflows/astro.yml
new file mode 100644
index 0000000..54d4be4
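Review bot: In mdbook.yml's `Install mdBook` step the `-y` sits on the curl side of the pipe, where it is curl's `--speed-time` option and expects a value, rather than the rustup installer's non-interactive flag; as written curl most likely errors out and `sh` receives empty input. Because this workflow sets no `defaults.run.shell`, pipefail is probably not in effect, so the step would carry on with whatever toolchain the runner image ships. Passing the flag to the script fixes it: `curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y`. Adding `--locked` to `cargo install --version ${MDBOOK_VERSION} mdbook` would also build mdBook against its published Cargo.lock instead of freshly resolved dependencies.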
--- /dev/null
+++ b/.github/workflows/astro.yml
@@ -0,0 +1,90 @@
+# Sample workflow for building and deploying an Astro site to GitHub Pages
+#
+# To get started with Astro see: https://docs.astro.build/en/getting-started/
+#
+name: Deploy Astro site to Pages
+
+on:
+ # Runs on pushes targeting the default branch
+ push:
+ branches: ["main"]
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+ contents: read
+ pages: write
+ id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+ group: "pages"
+ cancel-in-progress: false
+
+env:
+ BUILD_PATH: "." # default value when not using subfolders
+ # BUILD_PATH: subfolder
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Detect package manager
+ id: detect-package-manager
+ run: |
+ if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+ echo "manager=yarn" >> $GITHUB_OUTPUT
+ echo "command=install" >> $GITHUB_OUTPUT
+ echo "runner=yarn" >> $GITHUB_OUTPUT
+ echo "lockfile=yarn.lock" >> $GITHUB_OUTPUT
+ exit 0
+ elif [ -f "${{ github.workspace }}/package.json" ]; then
+ echo "manager=npm" >> $GITHUB_OUTPUT
+ echo "command=ci" >> $GITHUB_OUTPUT
+ echo "runner=npx --no-install" >> $GITHUB_OUTPUT
+ echo "lockfile=package-lock.json" >> $GITHUB_OUTPUT
+ exit 0
+ else
+ echo "Unable to determine package manager"
+ exit 1
+ fi
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ cache: ${{ steps.detect-package-manager.outputs.manager }}
+ cache-dependency-path: ${{ env.BUILD_PATH }}/${{ steps.detect-package-manager.outputs.lockfile }}
+ - name: Setup Pages
+ id: pages
+ uses: actions/configure-pages@v5
+ - name: Install dependencies
+ run: ${{ 
steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+ working-directory: ${{ env.BUILD_PATH }}
+ - name: Build with Astro
+ run: |
+ ${{ steps.detect-package-manager.outputs.runner }} astro build \
+ --site "${{ steps.pages.outputs.origin }}" \
+ --base "${{ steps.pages.outputs.base_path }}"
+ working-directory: ${{ env.BUILD_PATH }}
+ - name: Upload artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: ${{ env.BUILD_PATH }}/dist
+
+ deploy:
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ needs: build
+ runs-on: ubuntu-latest
+ name: Deploy
+ steps:
+ - name: Deploy to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@v4
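Review bot: In astro.yml's `Detect package manager` step the yarn branch records `command=install`, so the install step runs a plain `yarn install`, which may re-resolve versions and rewrite `yarn.lock`, while the npm branch uses `ci` and fails on lockfile drift. For a build that publishes straight to Pages the yarn path should enforce the lockfile as well: `echo "command=install --frozen-lockfile" >> $GITHUB_OUTPUT` for Yarn 1 (`--immutable` on Yarn 2+). gatsby.yml has the same yarn branch. The detection also tests `${{ github.workspace }}/yarn.lock` while the install and cache steps use `BUILD_PATH`, so the two disagree once `BUILD_PATH` points at a subfolder.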