Merge branch 'main' into patch-2

tylern12 · Jul 13, 2023 · bbb14be · bbb14be
2 parents d0ceca4 + d19bb9f
commit bbb14be
Show file tree

Hide file tree

Showing 44 changed files with 828 additions and 112 deletions.
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -13,7 +13,7 @@ jobs:
  runs-on: ubuntu-latest
 
  steps:
- - uses: actions/stale@v7
+ - uses: actions/stale@v8
  with:
  stale-issue-message: 'This issue has become stale and will be closed automatically within a period of time. Sorry about that.'
  stale-pr-message: 'This pull request has become stale and will be closed automatically within a period of time. Sorry about that.'

diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,4 +1,4 @@
-* @actions/starter-workflows
+* @actions/actions-workflow-development-reviewers
 
-/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows
-/pages/ @actions/pages @actions/starter-workflows
+/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers
+/pages/ @actions/pages @actions/actions-workflow-development-reviewers
diff --git a/automation/manual.yml b/automation/manual.yml
@@ -15,6 +15,8 @@ on:
  default: 'World'
  # Input has to be provided for the workflow to run
  required: true
+ # The data type of the input
+ type: string
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:
@@ -27,4 +29,4 @@ jobs:
  steps:
  # Runs a single command using the runners shell
  - name: Send greeting
- run: echo "Hello ${{ github.event.inputs.name }}"
+ run: echo "Hello ${{ inputs.name }}"
diff --git a/ci/deno.yml b/ci/deno.yml
@@ -27,7 +27,7 @@ jobs:
 
  - name: Setup Deno
  # uses: denoland/setup-deno@v1
- uses: denoland/setup-deno@9db7f66e8e16b5699a514448ce994936c63f0d54
+ uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31 # v1.1.2
  with:
  deno-version: v1.x
 

diff --git a/ci/gem-push.yml b/ci/gem-push.yml
@@ -17,7 +17,10 @@ jobs:
  steps:
  - uses: actions/checkout@v3
  - name: Set up Ruby 2.6
- uses: actions/setup-ruby@v1
+ # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
+ # change this to (see https://github.com/ruby/setup-ruby#versioning):
+ # uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
  with:
  ruby-version: 2.6.x
 

diff --git a/ci/ruby.yml b/ci/ruby.yml
@@ -30,7 +30,7 @@ jobs:
  # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
  # change this to (see https://github.com/ruby/setup-ruby#versioning):
  # uses: ruby/setup-ruby@v1
- uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0
+ uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
  with:
  ruby-version: ${{ matrix.ruby-version }}
  bundler-cache: true # runs 'bundle install' and caches installed gems automatically

diff --git a/ci/rubyonrails.yml b/ci/rubyonrails.yml
@@ -30,7 +30,7 @@ jobs:
  uses: actions/checkout@v3
  # Add or replace dependency steps here
  - name: Install Ruby and gems
- uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0
+ uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
  with:
  bundler-cache: true
  # Add or replace database setup steps here
@@ -46,7 +46,7 @@ jobs:
  - name: Checkout code
  uses: actions/checkout@v3
  - name: Install Ruby and gems
- uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0
+ uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
  with:
  bundler-cache: true
  # Add or replace any other lints here

diff --git a/code-scanning/brakeman.yml b/code-scanning/brakeman.yml
@@ -35,7 +35,7 @@ jobs:
 
  # Customize the ruby version depending on your needs
  - name: Setup Ruby
- uses: ruby/setup-ruby@ee2113536afb7f793eed4ce60e8d3b26db912da4 # v1.127.0
+ uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
  with:
  ruby-version: '2.7'
 

diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
@@ -28,7 +28,8 @@ jobs:
  # - https://gh.io/supported-runners-and-hardware-resources
  # - https://gh.io/using-larger-runners
  # Consider using larger runners for possible analysis time improvements. 
- runs-on: ubuntu-latest
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
  permissions:
  actions: read
  contents: read
@@ -56,11 +57,11 @@ jobs:
  # By default, queries listed here will override any specified in a config file.
  # Prefix the list here with "+" to use these queries and those in the config file.
 
- # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
  # queries: security-extended,security-and-quality
 
 
- # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+ # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
  # If this step fails, then you should remove it and run the build manually (see below)
  - name: Autobuild
  uses: github/codeql-action/autobuild@v2

diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml
@@ -0,0 +1,61 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+
+# Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.
+# https://github.com/rrrene/credo
+#
+# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository.
+#
+# Instructions:
+# 1. Add :credo as a dependency to your project's mix.exs with version ~> 1.7.0-rc.1 - https://github.com/rrrene/credo#installation-and-usage
+# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
+# and review the "Security" tab once the action has run.
+
+name: Credo
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ security-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ otp: [version]
+ elixir: [version]
+ steps:
+ - uses: actions/checkout@v3
+ - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
+ with:
+ otp-version: ${{matrix.otp}}
+ elixir-version: ${{matrix.elixir}}
+ - name: get dependencies
+ run: mix deps.get
+ - name: compile dependencies
+ run: mix deps.compile
+ - name: compile
+ run: mix compile
+ - name: credo-scan
+ run: mix credo --format=sarif > credo_output.sarif
+ - name: upload sarif
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: credo_output.sarif
diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml
@@ -77,7 +77,7 @@ jobs:
  fi
 
  DETEKT_DOWNLOAD_URL=$(jq --raw-output '.data.repository.release.releaseAssets.nodes[0].downloadUrl' gh_response.json)
- echo "::set-output name=download_url::$DETEKT_DOWNLOAD_URL"
+ echo "download_url=$DETEKT_DOWNLOAD_URL" >> $GITHUB_OUTPUT
 
  # Sets up the detekt cli
  - name: Setup Detekt

diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml
@@ -0,0 +1,51 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Endor Labs
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+jobs:
+ scan:
+ permissions:
+ security-events: write # Used to upload sarif artifact to GitHub
+ contents: read # Used to checkout a private repository by actions/checkout.
+ actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required.
+ id-token: write # Used for keyless authentication to Endor Labs
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ #### Package Build Instructions
+ ### Use this section to define the build steps used by your software package.
+ ### Endor Labs builds your software for you where possible but the required build tools must be made availible.
+ # - name: Setup Java
+ # uses: actions/setup-java@v3
+ # with:
+ # distribution: 'microsoft'
+ # java-version: '17'
+ # - name: Build Package
+ # run: mvn clean install
+ - name: Endor Labs scan pull request
+ if: github.event_name == 'pull_request'
+ uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c
+ with:
+ namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
+ sarif_file: findings.sarif
+ - name: Endor Labs scan monitor
+ if: github.event_name == 'push'
+ uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c
+ with:
+ namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
+ ci_run: "false"
+ sarif_file: findings.sarif
+ - name: Upload SARIF to github
+ uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd
+ with:
+ sarif_file: findings.sarif
diff --git a/code-scanning/frogbot-scan-and-fix.yml b/code-scanning/frogbot-scan-and-fix.yml
@@ -7,8 +7,7 @@
 # Uses JFrog Xray to scan the project.
 # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
 
-# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file:
-# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
+# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
 
 name: "Frogbot Scan and Fix"
 on:
@@ -26,10 +25,17 @@ jobs:
 
  # IMPORTANT:
  # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
- # 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
+ # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
 
- - uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716
+ - uses: jfrog/frogbot@3395426f351556d4568e30a6dfd2909dbedae99e
  env:
+ # [Mandatory if the two conditions below are met]
+ # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
+ # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
+ #
+ # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore")
+ # JF_INSTALL_DEPS_CMD: ""
+
  # [Mandatory]
  # JFrog platform URL
  JF_URL: ${{ secrets.JF_URL }}
@@ -38,14 +44,26 @@ jobs:
  # JFrog access token with 'read' permissions on Xray service
  JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
 
- # [Mandatory]
- # The GitHub token automatically generated for the job
- JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
  # [Mandatory if JF_ACCESS_TOKEN is not provided]
  # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
  # JF_USER: ${{ secrets.JF_USER }}
 
  # [Mandatory if JF_ACCESS_TOKEN is not provided]
  # JFrog password. Must be provided with JF_USER
- # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+ # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+
+ # [Mandatory]
+ # The GitHub token automatically generated for the job
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # [Optional]
+ # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository
+ # in Artifactory, which proxies https://releases.jfrog.io/artifactory
+ # The 'frogbot' executable and other tools it needs will be downloaded through this repository.
+ # JF_RELEASES_REPO: ""
+
+ # [Optional]
+ # Frogbot will download the project dependencies, if they're not cached locally. To download the
+ # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no
+ # need to set this value, if it is set in the frogbot-config.yml file.
+ # JF_DEPS_REPO: ""
diff --git a/code-scanning/frogbot-scan-pr.yml b/code-scanning/frogbot-scan-pr.yml
@@ -7,8 +7,7 @@
 # Uses JFrog Xray to scan the project.
 # Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
 
-# Frogbot uses a frogbot-config.yml file to run. The following article will guide you through the process of creating this file:
-# https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
+# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
 
 name: "Frogbot Scan Pull Request"
 on:
@@ -31,10 +30,17 @@ jobs:
 
  # IMPORTANT:
  # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
- # 2. Frogbot requires a frogbot-config.yml to run. Read more about in the following link - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
+ # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
 
- - uses: jfrog/frogbot@8daba7e9515dbc898012367c71c1018449cd7716
+ - uses: jfrog/frogbot@3395426f351556d4568e30a6dfd2909dbedae99e
  env:
+ # [Mandatory if the two conditions below are met]
+ # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
+ # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
+ #
+ # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore")
+ # JF_INSTALL_DEPS_CMD: ""
+
  # [Mandatory]
  # JFrog platform URL
  JF_URL: ${{ secrets.JF_URL }}
@@ -43,14 +49,26 @@ jobs:
  # JFrog access token with 'read' permissions on Xray service
  JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
 
- # [Mandatory]
- # The GitHub token automatically generated for the job
- JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
  # [Mandatory if JF_ACCESS_TOKEN is not provided]
  # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
  # JF_USER: ${{ secrets.JF_USER }}
 
  # [Mandatory if JF_ACCESS_TOKEN is not provided]
  # JFrog password. Must be provided with JF_USER
- # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+ # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
+
+ # [Mandatory]
+ # The GitHub token automatically generated for the job
+ JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ # [Optional]
+ # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository
+ # in Artifactory, which proxies https://releases.jfrog.io/artifactory
+ # The 'frogbot' executable and other tools it needs will be downloaded through this repository.
+ # JF_RELEASES_REPO: ""
+
+ # [Optional]
+ # Frogbot will download the project dependencies, if they're not cached locally. To download the
+ # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no
+ # need to set this value, if it is set in the frogbot-config.yml file.
+ # JF_DEPS_REPO: ""
diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json
@@ -2,7 +2,7 @@
  "name": "CodeQL Analysis",
  "creator": "GitHub",
  "enterprise": true,
- "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby and Kotlin developers.",
+ "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Kotlin and Swift developers.",
  "iconName": "octicon mark-github",
- "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin"]
+ "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin", "Swift"]
 }
diff --git a/code-scanning/properties/credo.properties.json b/code-scanning/properties/credo.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Credo Scan",
+ "creator": "Credo",
+ "description": "Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.",
+ "iconName": "code",
+ "categories": ["Code Scanning", "Elixir"]
+}
diff --git a/code-scanning/properties/endorlabs.properties.json b/code-scanning/properties/endorlabs.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Endor Labs scan",
+ "creator": "Endor Labs",
+ "description": "Identify, prioritize and address open source and code governance issues with Endor Labs.",
+ "iconName": "endorlabs",
+ "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "ruby", "go", "kotlin", "scala" ]
+}