diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 26305925f8..be5d37a99f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,10 +11,6 @@ on: branches: - main - release-* - types: - - opened - - reopened - - synchronize defaults: run: @@ -121,7 +117,7 @@ jobs: with: minor-label: "enhancement" major-label: "change" - publish: ${{ startsWith(github.ref, 'refs/tags/') }} + publish: ${{ github.ref_type == 'tag' }} collapse-after: 20 notes-header: | *Below is the auto-generated changelog, which includes all PRs that went into the release. @@ -130,17 +126,17 @@ jobs: - name: Download Syft uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3 - if: startsWith(github.ref, 'refs/tags/') + if: github.ref_type == 'tag' - name: Install Cosign uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 - if: startsWith(github.ref, 'refs/tags/') + if: github.ref_type == 'tag' - name: Build binary uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: version: latest - args: ${{ startsWith(github.ref, 'refs/tags/') && 'release' || 'build --snapshot' }} --clean + args: ${{ github.ref_type == 'tag' && 'release' || 'build --snapshot' }} --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GOPATH: ${{ needs.vars.outputs.go_path }} @@ -320,7 +316,6 @@ jobs: NJS_DIR=internal/mode/static/nginx/modules/src NGINX_CONF_DIR=internal/mode/static/nginx/conf - - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0 continue-on-error: true @@ -366,7 +361,7 @@ jobs: - name: Package id: package run: | - output=$(helm package ${{ ! startsWith(github.ref, 'refs/tags/') && '--app-version edge --version 0.0.0-edge' || '' }} deploy/helm-chart) + output=$(helm package ${{ github.ref_type != 'tag' && '--app-version edge --version 0.0.0-edge' || '' }} deploy/helm-chart) echo "path=$(basename -- $(echo $output | cut -d: -f2))" >> $GITHUB_OUTPUT - name: Push to GitHub Container Registry diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 914ca4f4a0..4233fa0b7d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -11,7 +11,7 @@ on: - main - release-* schedule: - - cron: "39 13 * * 6" + - cron: "39 13 * * 6" # run every Saturday at 13:39 UTC concurrency: group: ${{ github.ref_name }}-codeql @@ -22,19 +22,21 @@ permissions: jobs: analyze: + permissions: + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report name: Analyze runs-on: ubuntu-22.04 - permissions: - actions: read - contents: read - security-events: write strategy: fail-fast: false matrix: language: ["go", "javascript"] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] - # Learn more about CodeQL language support at https://git.io/codeql-language-support + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ] + # Use only 'java' to analyze code written in Java, Kotlin or both + # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - name: Checkout repository @@ -48,23 +50,32 @@ jobs: # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + - name: Setup Golang Environment + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version-file: go.mod + if: matrix.language == 'go' + + # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild uses: github/codeql-action/autobuild@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7 # ℹī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. # - run: | - # make bootstrap - # make release + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@04daf014b50eaf774287bf3f0f1869d4b4c4b913 # v2.21.7 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml index 35e0e4389b..db10aae1ff 100644 --- a/.github/workflows/conformance.yml +++ b/.github/workflows/conformance.yml @@ -11,12 +11,8 @@ on: branches: - main - release-* - types: - - opened - - reopened - - synchronize schedule: - - cron: '0 4 * * *' + - cron: "0 4 * * *" # run every day at 4am UTC concurrency: group: ${{ github.ref_name }}-conformance diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml index 166914c149..d0b368abd1 100644 --- a/.github/workflows/fossa.yml +++ b/.github/workflows/fossa.yml @@ -20,6 +20,7 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - name: Scan uses: fossas/fossa-action@f61a4c0c263690f2ddb54b9822a719c25a7b608f # v1.3.1 with: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 1fd295b4b1..fb45b99685 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -87,7 +87,7 @@ jobs: - uses: DavidAnson/markdownlint-cli2-action@3aaa38e446fbd2c288af4291aa0f55d64651050f # v12.0.0 with: config: ${{ github.workspace }}/.markdownlint-cli2.yaml - globs: '**/*.md' + globs: "**/*.md" chart-lint: name: Chart Lint diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index e50ce515da..c007c1994e 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -1,28 +1,31 @@ -name: Scorecards supply-chain security +name: OpenSSF Scorecard on: - # Only the default branch is supported. - branch_protection_rule: - types: [created, edited, deleted] + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: # yamllint disable-line rule:empty-values + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - - cron: "27 5 * * 0" + - cron: "27 5 * * 0" # run every Sunday at 5:27 AM UTC push: - branches: ["main"] + branches: + - main # Declare default permissions as read only. permissions: read-all jobs: analysis: - name: Scorecards analysis + name: Scorecard analysis runs-on: ubuntu-22.04 permissions: # Needed to upload the results to code-scanning dashboard. security-events: write - # Used to receive a badge. + # Needed to publish results and get a badge (see publish_results below). id-token: write - # Needs for private repositories. - contents: read - actions: read + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read steps: - name: "Checkout code" @@ -37,10 +40,13 @@ jobs: results_format: sarif repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results for public repositories to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, regardless - # of the value entered here. + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. publish_results: true # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF