From 0e56f6458ee06726552dcf4e44cd2645f03a2094 Mon Sep 17 00:00:00 2001
From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Date: Wed, 31 Jan 2024 14:30:22 -0500
Subject: [PATCH] chore: dependabot; misc workflow; github actions (#37)
Signed-off-by: Christopher Phillips
---
 .github/actions/bootstrap/action.yaml | 4 +-
 .github/dependabot.yaml | 7 ++
 .github/workflows/codeql-analysis.yml | 73 ++++++++++++++++++++
 .github/workflows/dependabot-automation.yaml | 10 +++
 .github/workflows/release.yaml | 4 +-
 .github/workflows/validations.yaml | 2 +-
 6 files changed, 95 insertions(+), 5 deletions(-)
 create mode 100644 .github/dependabot.yaml
 create mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/dependabot-automation.yaml
diff --git a/.github/actions/bootstrap/action.yaml b/.github/actions/bootstrap/action.yaml
index 8a73a47..1b8060e 100644
--- a/.github/actions/bootstrap/action.yaml
+++ b/.github/actions/bootstrap/action.yaml
@@ -16,13 +16,13 @@ inputs:
 runs:
 using: "composite"
 steps:
- - uses: actions/setup-go@v4
+ - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe #v4.1.0
 with:
 go-version: ${{ inputs.go-version }}
 - name: Restore tool cache
 id: tool-cache
- uses: actions/cache@v3
+ uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 #v3.3.2
 with:
 path: ${{ github.workspace }}/.tool
 key: ${{ inputs.cache-key-prefix }}-${{ runner.os }}-tool-${{ hashFiles('Taskfile.yaml') }}-${{ hashFiles('**/go.sum') }}
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
new file mode 100644
index 0000000..2eecfc7
--- /dev/null
+++ b/.github/dependabot.yaml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+ - package-ecosystem: gomod
+ directory: "/"
+ schedule:
+ interval: "daily"
+ open-pull-requests-limit: 10
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000..3a025f2
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
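Review bot: The pinned `actions/setup-go` in this composite action is v4.1.0 (`93397bea…`), while the new codeql-analysis.yml in the same commit pins `actions/setup-go@0c52d547… #v5.0.0`, so the repository now runs two majors of the same action; pick one SHA and use it in both places, e.g. `- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0`. The version comments are written as `#v4.1.0` with no space after `#`, which yamllint's comments rule rejects; `# v4.1.0` is the conventional form, and the same spelling recurs on every pin in codeql-analysis.yml, release.yaml and validations.yaml. This action also still takes the toolchain version from the `go-version` input while the CodeQL job reads `go-version-file: go.mod`, which is two sources of truth for the Go version — presumably the input is fed from the callers, so confirm they agree.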
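Review bot: Only the `gomod` ecosystem is configured here, so the commit-SHA pins this same commit introduces in the workflows and in `.github/actions/bootstrap/action.yaml` will never be bumped by Dependabot, and their `#vX.Y.Z` comments will drift from the SHAs over time. Add a `github-actions` entry alongside the gomod one; for that ecosystem Dependabot rewrites the SHA and keeps the trailing version comment in step. A `directory: "/"` entry covers `.github/workflows`, but the composite action under `.github/actions/bootstrap` likely needs its own `directory:` entry — confirm against the current Dependabot docs. For consistency with the quoted `directory` and `interval` values, `package-ecosystem: "gomod"` could be quoted too.
```yaml
updates:
  # … unchanged: gomod entry …
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "daily"
```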
@@ -0,0 +1,73 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL Security Scan"
+
+on:
+ push:
+ branches:
+ # only run when there are pushes to the main branch (not on PRs)
+ - main
+
+ schedule:
+ - cron: '0 0 * * 3'
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+
+ permissions:
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ # Override automatic language detection by changing the below list
+ # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+ language: ['go', 'python']
+ # Learn more...
+ # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+
+ - name: Install Go
+ uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 #v5.0.0
+ with:
+ go-version-file: go.mod
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 #v3.23.2
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 #v3.23.2
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
+
+ #- run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 #v3.23.2
diff --git a/.github/workflows/dependabot-automation.yaml b/.github/workflows/dependabot-automation.yaml
new file mode 100644
index 0000000..1c3ded2
--- /dev/null
+++ b/.github/workflows/dependabot-automation.yaml
@@ -0,0 +1,10 @@
+name: Dependabot Automation
+on:
+ pull_request:
+
+permissions:
+ pull-requests: write
+
+jobs:
+ run:
+ uses: anchore/workflows/.github/workflows/dependabot-automation.yaml@main
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 851e318..c8fd9fe 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -18,7 +18,7 @@ jobs: environment: release runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 - name: Check if tag already exists # note: this will fail if the tag already exists
@@ -50,7 +50,7 @@ jobs: issues: read pull-requests: read steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 with: fetch-depth: 0
diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml
index f4bc4d3..0b57ee1 100644
--- a/.github/workflows/validations.yaml
+++ b/.github/workflows/validations.yaml
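Review bot: The job-level `permissions:` block under `analyze` replaces the workflow-level one rather than extending it, so the top-level `contents: read` does not reach the job and `analyze` runs with `security-events: write` alone, without the `contents: read` that actions/checkout and the CodeQL actions expect; add `contents: read` and `actions: read` (the latter is what GitHub's CodeQL starter workflow declares, needed for private repositories) inside the job block next to `security-events: write`. The matrix lists `language: ['go', 'python']` while the only build setup in the job is `go-version-file: go.mod`; if the repository carries no Python, the second entry only doubles the scan time, so confirm it is wanted. The `push`-to-main and `schedule` triggers mean pull requests are never scanned, which the inline comment says is deliberate — a sentence in the file header stating why would keep a later reader from "fixing" it.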
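Review bot: The reusable workflow is referenced as `anchore/workflows/.github/workflows/dependabot-automation.yaml@main`, a mutable branch, while every other `uses:` in this commit is pinned to a commit SHA; because the caller grants `pull-requests: write` on every `pull_request` event, anyone who can push to that branch in the other repository changes what runs here with that token. Pin it the same way as the actions, `uses: anchore/workflows/.github/workflows/dependabot-automation.yaml@<commit-sha> # <tag>` (placeholders — take the current SHA of the tag you want), and let a `github-actions` Dependabot entry bump it. Whether the called workflow itself gates on the Dependabot actor cannot be seen from here; if it does not, `if: github.actor == 'dependabot[bot]'` on the `run` job keeps it from running for every contributor's PR.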
@@ -20,7 +20,7 @@ jobs: name: "Validations" runs-on: ubuntu-22.04 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 - name: Bootstrap environment uses: ./.github/actions/bootstrap