Merge branch 'main' into py-bump

tylern12 · Jul 13, 2023 · ef768db · ef768db
2 parents ae3f875 + 1f534a4
commit ef768db
Show file tree

Hide file tree

Showing 32 changed files with 650 additions and 38 deletions.
diff --git a/.github/workflows/label-feature.yml b/.github/workflows/label-feature.yml
@@ -10,7 +10,7 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Close Issue
- uses: peter-evans/close-issue@v2
+ uses: peter-evans/close-issue@v3
  if: contains(github.event.issue.labels.*.name, 'feature')
  with:
  comment: |

diff --git a/.github/workflows/label-support.yml b/.github/workflows/label-support.yml
@@ -10,7 +10,7 @@ jobs:
  runs-on: ubuntu-latest
  steps:
  - name: Close Issue
- uses: peter-evans/close-issue@v2
+ uses: peter-evans/close-issue@v3
  if: contains(github.event.issue.labels.*.name, 'support')
  with:
  comment: |

diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,4 +1,4 @@
-* @actions/starter-workflows
+* @actions/actions-workflow-development-reviewers
 
-/code-scanning/ @actions/advanced-security-code-scanning @actions/starter-workflows
-/pages/ @actions/pages @actions/starter-workflows
+/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers
+/pages/ @actions/pages @actions/actions-workflow-development-reviewers
diff --git a/ci/deno.yml b/ci/deno.yml
@@ -27,7 +27,7 @@ jobs:
 
  - name: Setup Deno
  # uses: denoland/setup-deno@v1
- uses: denoland/setup-deno@9db7f66e8e16b5699a514448ce994936c63f0d54
+ uses: denoland/setup-deno@61fe2df320078202e33d7d5ad347e7dcfa0e8f31 # v1.1.2
  with:
  deno-version: v1.x
 

diff --git a/ci/docker-publish.yml b/ci/docker-publish.yml
@@ -41,10 +41,9 @@ jobs:
  # https://github.com/sigstore/cosign-installer
  - name: Install cosign
  if: github.event_name != 'pull_request'
- uses: sigstore/cosign-installer@f3c664df7af409cb4873aa5068053ba9d61a57b6 #v2.6.0
+ uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
  with:
- cosign-release: 'v1.13.1'
-
+ cosign-release: 'v2.1.1'
 
  # Workaround: https://github.com/docker/build-push-action/issues/461
  - name: Setup Docker buildx
@@ -90,7 +89,9 @@ jobs:
  - name: Sign the published Docker image
  if: ${{ github.event_name != 'pull_request' }}
  env:
- COSIGN_EXPERIMENTAL: "true"
+ # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ TAGS: ${{ steps.meta.outputs.tags }}
+ DIGEST: ${{ steps.build-and-push.outputs.digest }}
  # This step uses the identity token to provision an ephemeral certificate
  # against the sigstore community Fulcio instance.
- run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+ run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
diff --git a/ci/elixir.yml b/ci/elixir.yml
@@ -23,10 +23,10 @@ jobs:
  steps:
  - uses: actions/checkout@v3
  - name: Set up Elixir
- uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
+ uses: erlef/setup-beam@61e01a43a562a89bfc54c7f9a378ff67b03e4a21 # v1.16.0
  with:
- elixir-version: '1.12.3' # Define the elixir version [required]
- otp-version: '24.1' # Define the OTP version [required]
+ elixir-version: '1.15.2' # [Required] Define the Elixir version
+ otp-version: '26.0' # [Required] Define the Erlang/OTP version
  - name: Restore dependencies cache
  uses: actions/cache@v3
  with:

diff --git a/ci/gem-push.yml b/ci/gem-push.yml
@@ -17,7 +17,10 @@ jobs:
  steps:
  - uses: actions/checkout@v3
  - name: Set up Ruby 2.6
- uses: actions/setup-ruby@v1
+ # To automatically get bug fixes and new Ruby versions for ruby/setup-ruby,
+ # change this to (see https://github.com/ruby/setup-ruby#versioning):
+ # uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@55283cc23133118229fd3f97f9336ee23a179fcf # v1.146.0
  with:
  ruby-version: 2.6.x
 

diff --git a/ci/go.yml b/ci/go.yml
@@ -17,9 +17,9 @@ jobs:
  - uses: actions/checkout@v3
 
  - name: Set up Go
- uses: actions/setup-go@v3
+ uses: actions/setup-go@v4
  with:
- go-version: 1.19
+ go-version: '1.20'
 
  - name: Build
  run: go build -v ./...

diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml
@@ -30,14 +30,14 @@ jobs:
  settings-path: ${{ github.workspace }} # location for the settings.xml file
 
  - name: Build with Gradle
- uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
+ uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0
  with:
  arguments: build
 
  # The USERNAME and TOKEN need to correspond to the credentials environment variables used in
  # the publishing section of your build.gradle
  - name: Publish to GitHub Packages
- uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
+ uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0
  with:
  arguments: publish
  env:

diff --git a/ci/gradle.yml b/ci/gradle.yml
@@ -29,6 +29,6 @@ jobs:
  java-version: '11'
  distribution: 'temurin'
  - name: Build with Gradle
- uses: gradle/gradle-build-action@67421db6bd0bf253fb4bd25b31ebb98943c375e1
+ uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0
  with:
  arguments: build
diff --git a/ci/maven.yml b/ci/maven.yml
@@ -21,10 +21,10 @@ jobs:
 
  steps:
  - uses: actions/checkout@v3
- - name: Set up JDK 11
+ - name: Set up JDK 17
  uses: actions/setup-java@v3
  with:
- java-version: '11'
+ java-version: '17'
  distribution: 'temurin'
  cache: maven
  - name: Build with Maven

diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml
@@ -23,7 +23,13 @@ on:
 jobs:
  analyze:
  name: Analyze
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners
+ # Consider using larger runners for possible analysis time improvements.
  runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
  permissions:
  actions: read
  contents: read
@@ -55,7 +61,7 @@ jobs:
  # queries: security-extended,security-and-quality
 
 
- # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+ # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
  # If this step fails, then you should remove it and run the build manually (see below)
  - name: Autobuild
  uses: github/codeql-action/autobuild@v2

diff --git a/code-scanning/credo.yml b/code-scanning/credo.yml
@@ -0,0 +1,61 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+
+# Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.
+# https://github.com/rrrene/credo
+#
+# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository.
+#
+# Instructions:
+# 1. Add :credo as a dependency to your project's mix.exs with version ~> 1.7.0-rc.1 - https://github.com/rrrene/credo#installation-and-usage
+# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
+# and review the "Security" tab once the action has run.
+
+name: Credo
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ security-scan:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ otp: [version]
+ elixir: [version]
+ steps:
+ - uses: actions/checkout@v3
+ - uses: erlef/setup-beam@988e02bfe678367a02564f65ca2e37726dc0268f
+ with:
+ otp-version: ${{matrix.otp}}
+ elixir-version: ${{matrix.elixir}}
+ - name: get dependencies
+ run: mix deps.get
+ - name: compile dependencies
+ run: mix deps.compile
+ - name: compile
+ run: mix compile
+ - name: credo-scan
+ run: mix credo --format=sarif > credo_output.sarif
+ - name: upload sarif
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ # Path to SARIF file relative to the root of the repository
+ sarif_file: credo_output.sarif
diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml
@@ -17,4 +17,4 @@ jobs:
  - name: 'Checkout Repository'
  uses: actions/checkout@v3
  - name: 'Dependency Review'
- uses: actions/dependency-review-action@v2
+ uses: actions/dependency-review-action@v3
diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml
@@ -0,0 +1,51 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Endor Labs
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+jobs:
+ scan:
+ permissions:
+ security-events: write # Used to upload sarif artifact to GitHub
+ contents: read # Used to checkout a private repository by actions/checkout.
+ actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required.
+ id-token: write # Used for keyless authentication to Endor Labs
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ #### Package Build Instructions
+ ### Use this section to define the build steps used by your software package.
+ ### Endor Labs builds your software for you where possible but the required build tools must be made availible.
+ # - name: Setup Java
+ # uses: actions/setup-java@v3
+ # with:
+ # distribution: 'microsoft'
+ # java-version: '17'
+ # - name: Build Package
+ # run: mvn clean install
+ - name: Endor Labs scan pull request
+ if: github.event_name == 'pull_request'
+ uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c
+ with:
+ namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
+ sarif_file: findings.sarif
+ - name: Endor Labs scan monitor
+ if: github.event_name == 'push'
+ uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c
+ with:
+ namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
+ ci_run: "false"
+ sarif_file: findings.sarif
+ - name: Upload SARIF to github
+ uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd
+ with:
+ sarif_file: findings.sarif
diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json
@@ -2,7 +2,7 @@
  "name": "CodeQL Analysis",
  "creator": "GitHub",
  "enterprise": true,
- "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby and Kotlin developers.",
+ "description": "Security analysis from GitHub for C, C++, C#, Go, Java, JavaScript, TypeScript, Python, Ruby, Kotlin and Swift developers.",
  "iconName": "octicon mark-github",
- "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin"]
+ "categories": ["Code Scanning", "C", "C++", "C#", "Go", "Java", "JavaScript", "TypeScript", "Python", "Ruby", "Kotlin", "Swift"]
 }
diff --git a/code-scanning/properties/credo.properties.json b/code-scanning/properties/credo.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Credo Scan",
+ "creator": "Credo",
+ "description": "Credo is a static code analysis tool for the Elixir language with a focus on teaching and code consistency.",
+ "iconName": "code",
+ "categories": ["Code Scanning", "Elixir"]
+}
diff --git a/code-scanning/properties/endorlabs.properties.json b/code-scanning/properties/endorlabs.properties.json
@@ -0,0 +1,7 @@
+{
+ "name": "Endor Labs scan",
+ "creator": "Endor Labs",
+ "description": "Identify, prioritize and address open source and code governance issues with Endor Labs.",
+ "iconName": "endorlabs",
+ "categories": ["Code Scanning", "javascript", "python", "java", "php", "c#", "ruby", "go", "kotlin", "scala" ]
+}
diff --git a/code-scanning/properties/psalm.properties.json b/code-scanning/properties/psalm.properties.json
@@ -0,0 +1,10 @@
+{
+ "name": "Psalm Security Scan",
+ "creator": "psalm",
+ "description": "Psalm is a static analysis tool for finding errors in PHP applications",
+ "iconName": "psalm",
+ "categories": [
+ "Code Scanning",
+ "PHP"
+ ]
+}
diff --git a/code-scanning/psalm.yml b/code-scanning/psalm.yml
@@ -0,0 +1,38 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Psalm Security Scan
+
+on:
+ push:
+ branches: [ $default-branch, $protected-branches ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ $default-branch ]
+ schedule:
+ - cron: $cron-weekly
+
+permissions:
+ contents: read
+
+jobs:
+ php-security:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Psalm Security Scan
+ uses: psalm/psalm-github-security-scan@f3e6fd9432bc3e44aec078572677ce9d2ef9c287
+
+ - name: Upload Security Analysis results to GitHub
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
diff --git a/icons/code.svg b/icons/code.svg