From 3b2065b15973f540a61e36c976137d8d0c5951b0 Mon Sep 17 00:00:00 2001 From: "whitesource-bolt-for-github[bot]" <42819689+whitesource-bolt-for-github[bot]@users.noreply.github.com> Date: Fri, 24 Sep 2021 22:00:13 +0000 Subject: [PATCH 01/14] Add .whitesource configuration file --- .whitesource | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 .whitesource diff --git a/.whitesource b/.whitesource new file mode 100644 index 0000000..55b922e --- /dev/null +++ b/.whitesource @@ -0,0 +1,12 @@ +{ + "scanSettings": { + "baseBranches": [] + }, + "checkRunSettings": { + "vulnerableCheckRunConclusionLevel": "failure", + "displayMode": "diff" + }, + "issueSettings": { + "minSeverityLevel": "LOW" + } +} \ No newline at end of file From a13610b60068f09f8b25f1542d50d8fb9ca63033 Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Fri, 24 Sep 2021 15:00:36 -0700 Subject: [PATCH 02/14] google.yml --- .github/workflows/google.yml | 80 ++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 .github/workflows/google.yml diff --git a/.github/workflows/google.yml b/.github/workflows/google.yml new file mode 100644 index 0000000..5e803ed --- /dev/null +++ b/.github/workflows/google.yml @@ -0,0 +1,80 @@ +# This workflow will build a docker container, publish it to Google Container Registry, and deploy it to GKE when a release is created +# +# To configure this workflow: +# +# 1. Ensure that your repository contains the necessary configuration for your Google Kubernetes Engine cluster, including deployment.yml, kustomization.yml, service.yml, etc. +# +# 2. Set up secrets in your workspace: GKE_PROJECT with the name of the project and GKE_SA_KEY with the Base64 encoded JSON service account key (https://github.com/GoogleCloudPlatform/github-actions/tree/docs/service-account-key/setup-gcloud#inputs). +# +# 3. Change the values for the GKE_ZONE, GKE_CLUSTER, IMAGE, and DEPLOYMENT_NAME environment variables (below). +# +# For more support on how to run the workflow, please visit https://github.com/google-github-actions/setup-gcloud/tree/master/example-workflows/gke + +name: Build and Deploy to GKE + +on: + release: + types: [created] + +env: + PROJECT_ID: ${{ secrets.GKE_PROJECT }} + GKE_CLUSTER: cluster-1 # TODO: update to cluster name + GKE_ZONE: us-central1-c # TODO: update to cluster zone + DEPLOYMENT_NAME: gke-test # TODO: update to deployment name + IMAGE: static-site + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + + steps: + - name: Checkout + uses: actions/checkout@v2 + + # Setup gcloud CLI + - uses: google-github-actions/setup-gcloud@v0.2.0 + with: + service_account_key: ${{ secrets.GKE_SA_KEY }} + project_id: ${{ secrets.GKE_PROJECT }} + + # Configure Docker to use the gcloud command-line tool as a credential + # helper for authentication + - run: |- + gcloud --quiet auth configure-docker + + # Get the GKE credentials so we can deploy to the cluster + - uses: google-github-actions/get-gke-credentials@v0.2.1 + with: + cluster_name: ${{ env.GKE_CLUSTER }} + location: ${{ env.GKE_ZONE }} + credentials: ${{ secrets.GKE_SA_KEY }} + + # Build the Docker image + - name: Build + run: |- + docker build \ + --tag "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" \ + . + + # Push the Docker image to Google Container Registry + - name: Publish + run: |- + docker push "gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA" + + # Set up kustomize + - name: Set up Kustomize + run: |- + curl -sfLo kustomize https://github.com/kubernetes-sigs/kustomize/releases/download/v3.1.0/kustomize_3.1.0_linux_amd64 + chmod u+x ./kustomize + + # Deploy the Docker image to the GKE cluster + - name: Deploy + run: |- + ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/$PROJECT_ID/$IMAGE:$GITHUB_SHA + ./kustomize build . | kubectl apply -f - + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl get services -o wide From 1d951caddce0c011bbf013bc0d178832741ffd34 Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Fri, 24 Sep 2021 15:01:07 -0700 Subject: [PATCH 03/14] ibm_WATSONtraining.yml --- .github/workflows/ibm.yml | 75 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 .github/workflows/ibm.yml diff --git a/.github/workflows/ibm.yml b/.github/workflows/ibm.yml new file mode 100644 index 0000000..a8502cd --- /dev/null +++ b/.github/workflows/ibm.yml @@ -0,0 +1,75 @@ +# This workflow will build a docker container, publish it to IBM Container Registry, and deploy it to IKS when a release is created +# +# To configure this workflow: +# +# 1. Ensure that your repository contains a Dockerfile +# 2. Setup secrets in your repository by going to settings: Create ICR_NAMESPACE and IBM_CLOUD_API_KEY +# 3. Change the values for the IBM_CLOUD_REGION, REGISTRY_HOSTNAME, IMAGE_NAME, IKS_CLUSTER, DEPLOYMENT_NAME, and PORT + +name: Build and Deploy to IKS + +on: + release: + types: [created] + +# Environment variables available to all jobs and steps in this workflow +env: + GITHUB_SHA: ${{ github.sha }} + IBM_CLOUD_API_KEY: ${{ secrets.IBM_CLOUD_API_KEY }} + IBM_CLOUD_REGION: us-south + ICR_NAMESPACE: ${{ secrets.ICR_NAMESPACE }} + REGISTRY_HOSTNAME: us.icr.io + IMAGE_NAME: iks-test + IKS_CLUSTER: example-iks-cluster-name-or-id + DEPLOYMENT_NAME: iks-test + PORT: 5001 + +jobs: + setup-build-publish-deploy: + name: Setup, Build, Publish, and Deploy + runs-on: ubuntu-latest + environment: production + steps: + + - name: Checkout + uses: actions/checkout@v2 + + # Download and Install IBM Cloud CLI + - name: Install IBM Cloud CLI + run: | + curl -fsSL https://clis.cloud.ibm.com/install/linux | sh + ibmcloud --version + ibmcloud config --check-version=false + ibmcloud plugin install -f kubernetes-service + ibmcloud plugin install -f container-registry + + # Authenticate with IBM Cloud CLI + - name: Authenticate with IBM Cloud CLI + run: | + ibmcloud login --apikey "${IBM_CLOUD_API_KEY}" -r "${IBM_CLOUD_REGION}" -g default + ibmcloud cr region-set "${IBM_CLOUD_REGION}" + ibmcloud cr login + + # Build the Docker image + - name: Build with Docker + run: | + docker build -t "$REGISTRY_HOSTNAME"/"$ICR_NAMESPACE"/"$IMAGE_NAME":"$GITHUB_SHA" \ + --build-arg GITHUB_SHA="$GITHUB_SHA" \ + --build-arg GITHUB_REF="$GITHUB_REF" . + + # Push the image to IBM Container Registry + - name: Push the image to ICR + run: | + docker push $REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA + + # Deploy the Docker image to the IKS cluster + - name: Deploy to IKS + run: | + ibmcloud ks cluster config --cluster $IKS_CLUSTER + kubectl config current-context + kubectl create deployment $DEPLOYMENT_NAME --image=$REGISTRY_HOSTNAME/$ICR_NAMESPACE/$IMAGE_NAME:$GITHUB_SHA --dry-run -o yaml > deployment.yaml + kubectl apply -f deployment.yaml + kubectl rollout status deployment/$DEPLOYMENT_NAME + kubectl create service loadbalancer $DEPLOYMENT_NAME --tcp=80:$PORT --dry-run -o yaml > service.yaml + kubectl apply -f service.yaml + kubectl get services -o wide From 0a6a033ba98c4820d9c951fda31d72dbb6761fc6 Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Fri, 24 Sep 2021 15:01:58 -0700 Subject: [PATCH 04/14] go.yml --- .github/workflows/go.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/go.yml diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml new file mode 100644 index 0000000..08d4d24 --- /dev/null +++ b/.github/workflows/go.yml @@ -0,0 +1,25 @@ +name: Go + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + + - name: Set up Go + uses: actions/setup-go@v2 + with: + go-version: 1.17 + + - name: Build + run: go build -v ./... + + - name: Test + run: go test -v ./... From 361aa0f6c6357a4f2688018ec00cf5a5e6d22282 Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Fri, 24 Sep 2021 15:02:15 -0700 Subject: [PATCH 05/14] openshift.yml --- .github/workflows/openshift.yml | 187 ++++++++++++++++++++++++++++++++ 1 file changed, 187 insertions(+) create mode 100644 .github/workflows/openshift.yml diff --git a/.github/workflows/openshift.yml b/.github/workflows/openshift.yml new file mode 100644 index 0000000..57e21d0 --- /dev/null +++ b/.github/workflows/openshift.yml @@ -0,0 +1,187 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# 💁 The OpenShift Starter workflow will: +# - Checkout your repository +# - Perform a container image build +# - Push the built image to the GitHub Container Registry (GHCR) +# - Log in to your OpenShift cluster +# - Create an OpenShift app from the image and expose it to the internet + +# ℹī¸ Configure your repository and the workflow with the following steps: +# 1. Have access to an OpenShift cluster. Refer to https://www.openshift.com/try +# 2. Create the OPENSHIFT_SERVER and OPENSHIFT_TOKEN repository secrets. Refer to: +# - https://github.com/redhat-actions/oc-login#readme +# - https://docs.github.com/en/actions/reference/encrypted-secrets +# - https://cli.github.com/manual/gh_secret_set +# 3. (Optional) Edit the top-level 'env' section as marked with '🖊ī¸' if the defaults are not suitable for your project. +# 4. (Optional) Edit the build-image step to build your project. +# The default build type is by using a Dockerfile at the root of the repository, +# but can be replaced with a different file, a source-to-image build, or a step-by-step buildah build. +# 5. Commit and push the workflow file to your default branch to trigger a workflow run. + +# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. + +name: OpenShift + +env: + # 🖊ī¸ EDIT your repository secrets to log into your OpenShift cluster and set up the context. + # See https://github.com/redhat-actions/oc-login#readme for how to retrieve these values. + # To get a permanent token, refer to https://github.com/redhat-actions/oc-login/wiki/Using-a-Service-Account-for-GitHub-Actions + OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }} + OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }} + # 🖊ī¸ EDIT to set the kube context's namespace after login. Leave blank to use your user's default namespace. + OPENSHIFT_NAMESPACE: "" + + # 🖊ī¸ EDIT to set a name for your OpenShift app, or a default one will be generated below. + APP_NAME: "" + + # 🖊ī¸ EDIT with the port your application should be accessible on. + # If the container image exposes *exactly one* port, this can be left blank. + # Refer to the 'port' input of https://github.com/redhat-actions/oc-new-app + APP_PORT: "" + + # 🖊ī¸ EDIT to change the image registry settings. + # Registries such as GHCR, Quay.io, and Docker Hub are supported. + IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} + IMAGE_REGISTRY_USER: ${{ github.actor }} + IMAGE_REGISTRY_PASSWORD: ${{ github.token }} + + # 🖊ī¸ EDIT to specify custom tags for the container image, or default tags will be generated below. + IMAGE_TAGS: "" + +on: + # https://docs.github.com/en/actions/reference/events-that-trigger-workflows + push: + # Edit to the branch(es) you want to build and deploy on each push. + branches: [ master ] + +jobs: + openshift-ci-cd: + name: Build and deploy to OpenShift + # ubuntu-20.04 can also be used. + runs-on: ubuntu-18.04 + environment: production + + outputs: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + + steps: + - name: Check for required secrets + uses: actions/github-script@v4 + with: + script: | + const secrets = { + OPENSHIFT_SERVER: `${{ secrets.OPENSHIFT_SERVER }}`, + OPENSHIFT_TOKEN: `${{ secrets.OPENSHIFT_TOKEN }}`, + }; + + const GHCR = "ghcr.io"; + if (`${{ env.IMAGE_REGISTRY }}`.startsWith(GHCR)) { + core.info(`Image registry is ${GHCR} - no registry password required`); + } + else { + core.info("A registry password is required"); + secrets["IMAGE_REGISTRY_PASSWORD"] = `${{ secrets.IMAGE_REGISTRY_PASSWORD }}`; + } + + const missingSecrets = Object.entries(secrets).filter(([ name, value ]) => { + if (value.length === 0) { + core.error(`Secret "${name}" is not set`); + return true; + } + core.info(`✔ī¸ Secret "${name}" is set`); + return false; + }); + + if (missingSecrets.length > 0) { + core.setFailed(`❌ At least one required secret is not set in the repository. \n` + + "You can add it using:\n" + + "GitHub UI: https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository \n" + + "GitHub CLI: https://cli.github.com/manual/gh_secret_set \n" + + "Also, refer to https://github.com/redhat-actions/oc-login#getting-started-with-the-action-or-see-example"); + } + else { + core.info(`✅ All the required secrets are set`); + } + + - name: Check out repository + uses: actions/checkout@v2 + + - name: Determine app name + if: env.APP_NAME == '' + run: | + echo "APP_NAME=$(basename $PWD)" | tee -a $GITHUB_ENV + + - name: Determine image tags + if: env.IMAGE_TAGS == '' + run: | + echo "IMAGE_TAGS=latest ${GITHUB_SHA::12}" | tee -a $GITHUB_ENV + + # https://github.com/redhat-actions/buildah-build#readme + - name: Build from Dockerfile + id: build-image + uses: redhat-actions/buildah-build@v2 + with: + image: ${{ env.APP_NAME }} + tags: ${{ env.IMAGE_TAGS }} + + # If you don't have a Dockerfile/Containerfile, refer to https://github.com/redhat-actions/buildah-build#scratch-build-inputs + # Or, perform a source-to-image build using https://github.com/redhat-actions/s2i-build + # Otherwise, point this to your Dockerfile/Containerfile relative to the repository root. + dockerfiles: | + ./Dockerfile + + # https://github.com/redhat-actions/push-to-registry#readme + - name: Push to registry + id: push-image + uses: redhat-actions/push-to-registry@v2 + with: + image: ${{ steps.build-image.outputs.image }} + tags: ${{ steps.build-image.outputs.tags }} + registry: ${{ env.IMAGE_REGISTRY }} + username: ${{ env.IMAGE_REGISTRY_USER }} + password: ${{ env.IMAGE_REGISTRY_PASSWORD }} + + # The path the image was pushed to is now stored in ${{ steps.push-image.outputs.registry-path }} + + - name: Install oc + uses: redhat-actions/openshift-tools-installer@v1 + with: + oc: 4 + + # https://github.com/redhat-actions/oc-login#readme + - name: Log in to OpenShift + uses: redhat-actions/oc-login@v1 + with: + openshift_server_url: ${{ env.OPENSHIFT_SERVER }} + openshift_token: ${{ env.OPENSHIFT_TOKEN }} + insecure_skip_tls_verify: true + namespace: ${{ env.OPENSHIFT_NAMESPACE }} + + # This step should create a deployment, service, and route to run your app and expose it to the internet. + # https://github.com/redhat-actions/oc-new-app#readme + - name: Create and expose app + id: deploy-and-expose + uses: redhat-actions/oc-new-app@v1 + with: + app_name: ${{ env.APP_NAME }} + image: ${{ steps.push-image.outputs.registry-path }} + namespace: ${{ env.OPENSHIFT_NAMESPACE }} + port: ${{ env.APP_PORT }} + + - name: Print application URL + env: + ROUTE: ${{ steps.deploy-and-expose.outputs.route }} + SELECTOR: ${{ steps.deploy-and-expose.outputs.selector }} + run: | + [[ -n ${{ env.ROUTE }} ]] || (echo "Determining application route failed in previous step"; exit 1) + echo + echo "======================== Your application is available at: ========================" + echo ${{ env.ROUTE }} + echo "===================================================================================" + echo + echo "Your app can be taken down with: \"oc delete all --selector='${{ env.SELECTOR }}'\"" From eff71f122c1b7c4f318e8a53c08a3b2acc5d0eae Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Fri, 24 Sep 2021 15:03:58 -0700 Subject: [PATCH 06/14] android.yml --- .github/workflows/android.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .github/workflows/android.yml diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml new file mode 100644 index 0000000..53994f2 --- /dev/null +++ b/.github/workflows/android.yml @@ -0,0 +1,26 @@ +name: Android CI + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + - name: set up JDK 11 + uses: actions/setup-java@v2 + with: + java-version: '11' + distribution: 'adopt' + cache: gradle + + - name: Grant execute permission for gradlew + run: chmod +x gradlew + - name: Build with Gradle + run: ./gradlew build From da8329ad2fc7202d0e3aec0af539cbbf03012266 Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Fri, 24 Sep 2021 15:04:53 -0700 Subject: [PATCH 07/14] analysis.yml --- .github/workflows/devskim-analysis.yml | 34 ++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 .github/workflows/devskim-analysis.yml diff --git a/.github/workflows/devskim-analysis.yml b/.github/workflows/devskim-analysis.yml new file mode 100644 index 0000000..698622e --- /dev/null +++ b/.github/workflows/devskim-analysis.yml @@ -0,0 +1,34 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: DevSkim + +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + schedule: + - cron: '21 19 * * 3' + +jobs: + lint: + name: DevSkim + runs-on: ubuntu-20.04 + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Run DevSkim scanner + uses: microsoft/DevSkim-Action@v1 + + - name: Upload DevSkim scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: devskim-results.sarif From 06ca9ad8c05b735eda7a5ded9672b7a48fbe4267 Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Fri, 15 Oct 2021 01:09:24 -0700 Subject: [PATCH 08/14] shiftleft-analysis.yml --- .github/workflows/shiftleft-analysis.yml | 42 ++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/shiftleft-analysis.yml diff --git a/.github/workflows/shiftleft-analysis.yml b/.github/workflows/shiftleft-analysis.yml new file mode 100644 index 0000000..9001702 --- /dev/null +++ b/.github/workflows/shiftleft-analysis.yml @@ -0,0 +1,42 @@ +# This workflow integrates Scan with GitHub's code scanning feature +# Scan is a free open-source security tool for modern DevOps teams from ShiftLeft +# Visit https://slscan.io/en/latest/integrations/code-scan for help +name: SL Scan + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '37 18 * * 6' + +jobs: + Scan-Build: + # Scan runs on ubuntu, mac and windows + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + # Instructions + # 1. Setup JDK, Node.js, Python etc depending on your project type + # 2. Compile or build the project before invoking scan + # Example: mvn compile, or npm install or pip install goes here + # 3. Invoke Scan with the github token. Leave the workspace empty to use relative url + + - name: Perform Scan + uses: ShiftLeftSecurity/scan-action@master + env: + WORKSPACE: "" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SCAN_AUTO_BUILD: true + with: + output: reports + # Scan auto-detects the languages in your project. To override uncomment the below variable and set the type + # type: credscan,java + # type: python + + - name: Upload report + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: reports From be9ed6b49d35cd153f70418ec8b96fa62c24991b Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Fri, 15 Oct 2021 01:10:46 -0700 Subject: [PATCH 09/14] kubesec-analysis.yml --- .github/workflows/kubesec-analysis.yml | 41 ++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/kubesec-analysis.yml diff --git a/.github/workflows/kubesec-analysis.yml b/.github/workflows/kubesec-analysis.yml new file mode 100644 index 0000000..d8499e7 --- /dev/null +++ b/.github/workflows/kubesec-analysis.yml @@ -0,0 +1,41 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Kubesec + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '16 20 * * 1' + +jobs: + lint: + name: Kubesec + runs-on: ubuntu-20.04 + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Run kubesec scanner + uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 + with: + input: file.yaml # specify configuration file to scan here + format: template + template: template/sarif.tpl + output: kubesec-results.sarif + exit-code: "0" + + - name: Upload Kubesec scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: kubesec-results.sarif From 0c66aab6bade1697d66c6899244037e32784e79b Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Fri, 15 Oct 2021 01:11:20 -0700 Subject: [PATCH 10/14] snyk-infrastructure-analysis.yml --- .../snyk-infrastructure-analysis.yml | 42 +++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/snyk-infrastructure-analysis.yml diff --git a/.github/workflows/snyk-infrastructure-analysis.yml b/.github/workflows/snyk-infrastructure-analysis.yml new file mode 100644 index 0000000..3c9ff51 --- /dev/null +++ b/.github/workflows/snyk-infrastructure-analysis.yml @@ -0,0 +1,42 @@ +# A sample workflow which checks out your Infrastructure as Code Configuration files, +# such as Kubernetes, Helm & Terraform and scans them for any security issues. +# The results are then uploaded to GitHub Security Code Scanning +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Infrastructure as Code + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '35 11 * * 1' + +jobs: + snyk: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Run Snyk to check configuration files for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the issues to GitHub Code Scanning + continue-on-error: true + uses: snyk/actions/iac@master + env: + # In order to use the Snyk Action you will need to have a Snyk API token. + # More details in https://github.com/snyk/actions#getting-your-snyk-token + # or you can signup for free at https://snyk.io/login + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + # Add the path to the configuration file that you would like to test. + # For example `deployment.yaml` for a Kubernetes deployment manifest + # or `main.tf` for a Terraform configuration file + file: your-file-to-test.yaml + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: snyk.sarif From fc9468c0cb1c5dcf6fda2b46f8716784605a454b Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Fri, 15 Oct 2021 01:11:38 -0700 Subject: [PATCH 11/14] codeql-analysis.yml --- .github/workflows/codeql-analysis.yml | 71 +++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..436ba41 --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,71 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ master ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ master ] + schedule: + - cron: '24 23 * * 6' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'java' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] + # Learn more: + # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v1 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 https://git.io/JvXDl + + # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines + # and modify them (or add more) to build your code if your project + # uses a compiled language + + #- run: | + # make bootstrap + # make release + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 From 8672c89025c73738923bdf7e5c59277403aaddef Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Fri, 15 Oct 2021 01:12:57 -0700 Subject: [PATCH 12/14] python-package-conda.yml --- .github/workflows/python-package-conda.yml | 34 ++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 .github/workflows/python-package-conda.yml diff --git a/.github/workflows/python-package-conda.yml b/.github/workflows/python-package-conda.yml new file mode 100644 index 0000000..7bae7e2 --- /dev/null +++ b/.github/workflows/python-package-conda.yml @@ -0,0 +1,34 @@ +name: Python Package using Conda + +on: [push] + +jobs: + build-linux: + runs-on: ubuntu-latest + strategy: + max-parallel: 5 + + steps: + - uses: actions/checkout@v2 + - name: Set up Python 3.8 + uses: actions/setup-python@v2 + with: + python-version: 3.8 + - name: Add conda to system path + run: | + # $CONDA is an environment variable pointing to the root of the miniconda directory + echo $CONDA/bin >> $GITHUB_PATH + - name: Install dependencies + run: | + conda env update --file environment.yml --name base + - name: Lint with flake8 + run: | + conda install flake8 + # stop the build if there are Python syntax errors or undefined names + flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics + # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide + flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics + - name: Test with pytest + run: | + conda install pytest + pytest From 016b96afeb4da6d1ffb7dad238a8b88f03e1d69f Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Fri, 15 Oct 2021 14:36:19 -0700 Subject: [PATCH 13/14] android.yml 1 addition to latest-model and run permissions. --- .github/workflows/android.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/android.yml b/.github/workflows/android.yml index 53994f2..57ed474 100644 --- a/.github/workflows/android.yml +++ b/.github/workflows/android.yml @@ -17,10 +17,10 @@ jobs: uses: actions/setup-java@v2 with: java-version: '11' - distribution: 'adopt' + distribution: 'latest' cache: gradle - name: Grant execute permission for gradlew - run: chmod +x gradlew + run: chmod +xfz gradlew - name: Build with Gradle run: ./gradlew build From ccd75cbde2daebd6484ba08787e70c3b7eafaa8a Mon Sep 17 00:00:00 2001 From: Santiago De Jesus Villalobos-Gonzalez <71681815+LaudateCorpus1@users.noreply.github.com> Date: Thu, 25 Nov 2021 21:42:38 -0800 Subject: [PATCH 14/14] SECURITY.md --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..034e848 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc.