From 60d4726a009558fd9edd75b169b1b246ceff9a4f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 7 Feb 2024 06:33:48 +0000 Subject: [PATCH 01/31] Bump django from 5.0.1 to 5.0.2 in /PyOdbDesignServer Bumps [django](https://github.com/django/django) from 5.0.1 to 5.0.2. - [Commits](https://github.com/django/django/compare/5.0.1...5.0.2) --- updated-dependencies: - dependency-name: django dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- PyOdbDesignServer/requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/PyOdbDesignServer/requirements.txt b/PyOdbDesignServer/requirements.txt index ca9bc938..a1fd0426 100644 --- a/PyOdbDesignServer/requirements.txt +++ b/PyOdbDesignServer/requirements.txt @@ -8,9 +8,9 @@ asgiref==3.7.2 \ --hash=sha256:89b2ef2247e3b562a16eef663bc0e2e703ec6468e2fa8a5cd61cd449786d4f6e \ --hash=sha256:9e0ce3aa93a819ba5b45120216b23878cf6e8525eb3848653452b4192b92afed # via django -django==5.0.1 \ - --hash=sha256:8c8659665bc6e3a44fefe1ab0a291e5a3fb3979f9a8230be29de975e57e8f854 \ - --hash=sha256:f47a37a90b9bbe2c8ec360235192c7fddfdc832206fcf618bb849b39256affc1 +django==5.0.2 \ + --hash=sha256:56ab63a105e8bb06ee67381d7b65fe6774f057e41a8bab06c8020c8882d8ecd4 \ + --hash=sha256:b5bb1d11b2518a5f91372a282f24662f58f66749666b0a286ab057029f728080 # via # -r requirements.in # djangorestframework From 36a9a191b8f6f626bccf26f2b765866a6a60d64a Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Sun, 11 Feb 2024 20:25:11 -0800 Subject: [PATCH 02/31] don't install aws cli since its apparently already installed --- .github/workflows/deploy-eks.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy-eks.yml b/.github/workflows/deploy-eks.yml index 9147498b..534d5119 100644 --- a/.github/workflows/deploy-eks.yml +++ b/.github/workflows/deploy-eks.yml 
@@ -36,10 +36,11 @@ jobs: - name: Install AWS CLI run: | - curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" - unzip awscliv2.zip - sudo ./aws/install aws --version + # curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" + # unzip awscliv2.zip + # sudo ./aws/install + # aws --version - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4.0.1 @@ -48,8 +49,9 @@ jobs: aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: ${{ env.AWS_REGION }} - - name: Configure kubectl via Secret Env - run: | + - name: Configure kubectl + run: | + aws --version echo ${{ secrets.KUBECONFIG }} > ${{ github.workspace }}/kubeconfig export KUBECONFIG=${{ github.workspace }}/kubeconfig echo $KUBECONFIG From 703f01288a26f3e8fe054ec8cdc5a58eb58ec43b Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Sun, 11 Feb 2024 20:57:29 -0800 Subject: [PATCH 03/31] add environment url and use payload.ref_name for environment name --- .github/workflows/deploy-eks.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy-eks.yml b/.github/workflows/deploy-eks.yml index 534d5119..3bd94c1a 100644 --- a/.github/workflows/deploy-eks.yml +++ b/.github/workflows/deploy-eks.yml @@ -18,7 +18,9 @@ jobs: deploy: name: Deploy runs-on: ubuntu-22.04 - environment: production + environment: + name: ${{ github.event.client_payload.ref_name }} + url: http://default-ingress-1165108808.us-west-2.elb.amazonaws.com/swagger steps: From c70ef07935c71ee4b9b1fa17dd64a0b28ac44d20 Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Sun, 11 Feb 2024 20:58:35 -0800 Subject: [PATCH 04/31] ass SBOM generation and submission workflow --- .github/workflows/sbom-generate-submit.yml | 30 ++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 .github/workflows/sbom-generate-submit.yml 
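Review bot: In the `Configure kubectl` step, `echo ${{ secrets.KUBECONFIG }} > ${{ github.workspace }}/kubeconfig` expands the secret into the shell script text itself, so a multi-line or shell-special kubeconfig is interpreted as script instead of being written verbatim, and the unquoted `echo` word-splits whatever survives. Pass the secret through the step's `env:` and quote it: add `env:` / `KUBECONFIG_DATA: ${{ secrets.KUBECONFIG }}` under the step and write it with `printf '%s\n' "$KUBECONFIG_DATA" > "$GITHUB_WORKSPACE/kubeconfig"`. The `Install AWS CLI` step in the first hunk is now only commented-out lines plus `aws --version`, which the new kubectl step repeats; delete the step rather than keep dead commands in the file.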
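Review bot: `environment.name: ${{ github.event.client_payload.ref_name }}` keys the deployment environment, and with it its protection rules and environment-scoped secrets, to a value taken from the `repository_dispatch` payload. A sender of that event can supply a name that matches no existing environment, which GitHub then creates on the fly with no required reviewers, so the gating previously attached to `production` no longer applies to the deploy. Validate `client_payload.ref_name` against a fixed allow-list before this job, or map known ref names to fixed environment names, unless the step preceding `Checkout` (visible only as a closing `fi` in a later patch, outside this hunk) already rejects unexpected payloads. The `url:` is plain `http://`; use `https://` if the ingress terminates TLS.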
diff --git a/.github/workflows/sbom-generate-submit.yml b/.github/workflows/sbom-generate-submit.yml new file mode 100644 index 00000000..759183b0 --- /dev/null +++ b/.github/workflows/sbom-generate-submit.yml @@ -0,0 +1,30 @@ +name: SBOM Generate and Submit + +on: + push: + branches: [ "release" ] + workflow_dispatch: + +permissions: + contents: read + +jobs: + build: + runs-on: ubuntu-22.04 + permissions: read-all + + steps: + - name: Checkout Code + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: SBOM Generate + uses: advanced-security/sbom-generator-action@v0.0.1 + id: sbom-generate + env: + GITHUB_TOKEN: ${{ github.token }} + + - name: SBOM Upload + uses: advanced-security/spdx-dependency-submission-action@v0.0.1 + with: + filePath: ${{steps.sbom-generate.outputs.fileName }} + \ No newline at end of file From 6c098151f727e9605a4bf5ca2b920912bb219ab3 Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Sun, 11 Feb 2024 20:59:00 -0800 Subject: [PATCH 05/31] change payload.ref to ref_name --- .github/workflows/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index b1be7868..81406da4 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -110,4 +110,4 @@ jobs: with: repository: ${{ github.repository }} event-type: trigger_deploy_release_event - client-payload: '{"ref": "${{ github.ref_name }}", "dispatch_id": "${{ secrets.DISPATCH_ID }}"}' + client-payload: '{"ref_name": "${{ github.ref_name }}", "dispatch_id": "${{ secrets.DISPATCH_ID }}"}' From 6d961b917cdb00864747f39e3c80e1b0279d8758 Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Sun, 11 Feb 2024 20:59:53 -0800 Subject: [PATCH 06/31] add dependency submission job to dependency review workflow --- .github/workflows/dependency-review.yml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) 
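Review bot: `advanced-security/sbom-generator-action@v0.0.1` and `advanced-security/spdx-dependency-submission-action@v0.0.1` are referenced by mutable tags while `actions/checkout` in the same file is pinned to a commit SHA with a `# v4.1.1` comment; a re-pointed tag would silently change what runs with `github.token`. Pin both to their release commit SHAs with a version comment, matching the checkout line. The job's `permissions: read-all` also does not cover the dependency-graph submission the upload step performs, which needs `contents: write` scoped to this job rather than a wider workflow-level grant. The last added line is whitespace-only and the file has no trailing newline (`\ No newline at end of file`).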
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 50f55be6..63ae082c 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -15,8 +15,20 @@ permissions: contents: read jobs: + + dependency-submission: + runs-on: ubuntu-22.04 + permissions: + id-token: write + contents: write + + steps: + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Component detection + uses: advanced-security/component-detection-dependency-submission-action@v0.0.2 + dependency-review: - runs-on: ubuntu-latest + runs-on: ubuntu-22.04 permissions: contents: write pull-requests: write @@ -24,6 +36,7 @@ jobs: steps: - name: 'Checkout Repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: 'Dependency Review' uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0 with: From e9c331b09da05bf2e2ca0ccdb3ea80e7633d4695 Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Sun, 11 Feb 2024 21:00:38 -0800 Subject: [PATCH 07/31] run sbom workflow on development branch pushes --- .github/workflows/sbom-generate-submit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sbom-generate-submit.yml b/.github/workflows/sbom-generate-submit.yml index 759183b0..240f752e 100644 --- a/.github/workflows/sbom-generate-submit.yml +++ b/.github/workflows/sbom-generate-submit.yml @@ -2,7 +2,7 @@ name: SBOM Generate and Submit on: push: - branches: [ "release" ] + branches: [ "development", "release" ] workflow_dispatch: permissions: From dd7a421cfc4249a21e11d32660297ecf88ebeb37 Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Sun, 11 Feb 2024 21:04:55 -0800 Subject: [PATCH 08/31] simplify dependency review workflow --- .github/workflows/dependency-review.yml | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) 
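Review bot: The new `dependency-submission` job grants `id-token: write`, which allows minting OIDC tokens, yet neither of its two steps visibly requests one; `advanced-security/component-detection-dependency-submission-action` needs `contents: write` for the dependency-graph submission API, so drop `id-token: write` unless the action's documentation shows it is required. The action is referenced by the mutable tag `@v0.0.2` while the adjacent checkout is SHA-pinned with a version comment; pin it to a commit SHA the same way. The same tag reference is carried over unchanged when the step is moved into the `dependency-review` job in the later "simplify dependency review workflow" commit.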
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 63ae082c..3c58ad21 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -16,17 +16,6 @@ permissions: jobs: - dependency-submission: - runs-on: ubuntu-22.04 - permissions: - id-token: write - contents: write - - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Component detection - uses: advanced-security/component-detection-dependency-submission-action@v0.0.2 - dependency-review: runs-on: ubuntu-22.04 permissions: @@ -37,6 +26,9 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Component detection + uses: advanced-security/component-detection-dependency-submission-action@v0.0.2 + - name: 'Dependency Review' uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0 with: From c0f988ccc943590e4888a6359b2cf68000567f47 Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Sun, 11 Feb 2024 21:26:28 -0800 Subject: [PATCH 09/31] Create jekyll-gh-pages.yml --- .github/workflows/jekyll-gh-pages.yml | 54 +++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/workflows/jekyll-gh-pages.yml diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml new file mode 100644 index 00000000..dfcc4878 --- /dev/null +++ b/.github/workflows/jekyll-gh-pages.yml 
@@ -0,0 +1,54 @@ +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: Deploy Jekyll with GitHub Pages dependencies preinstalled + +on: + # Runs on pushes targeting the default branch + push: + branches: ["release"] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: "pages" + cancel-in-progress: false + +jobs: + # Build job + build: + runs-on: ubuntu-22.04 + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup Pages + uses: actions/configure-pages@v4 + + - name: Build with Jekyll + uses: actions/jekyll-build-pages@v1 + with: + source: ./docs + destination: ./_site + + - name: Upload artifact + uses: actions/upload-pages-artifact@v3 + + # Deployment job + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v4 From edcbb6bc2effbf6afcfee8632c267bd31e448234 Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Sun, 11 Feb 2024 21:43:42 -0800 Subject: [PATCH 10/31] add write permissions for SBOM upload workflow --- .github/workflows/sbom-generate-submit.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sbom-generate-submit.yml b/.github/workflows/sbom-generate-submit.yml index 240f752e..a89ece22 100644 --- a/.github/workflows/sbom-generate-submit.yml +++ b/.github/workflows/sbom-generate-submit.yml 
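Review bot: The workflow-level `permissions:` block grants `pages: write` and `id-token: write` to both jobs, but only `deploy` uses them; `build` runs checkout, Jekyll and an artifact upload, for which `contents: read` suffices. Move the two write scopes into a `permissions:` block on the `deploy` job and leave the top level at `contents: read`, so a compromised build step (Jekyll plugins are third-party code) cannot mint an OIDC token or publish pages. Every action here is referenced by a floating major tag (`actions/checkout@v4`, `actions/configure-pages@v4`, `actions/jekyll-build-pages@v1`, `actions/upload-pages-artifact@v3`, `actions/deploy-pages@v4`) whereas the repository's other workflows SHA-pin with a version comment, and the two jobs mix `ubuntu-22.04` with `ubuntu-latest`.
```yaml
permissions:
  contents: read

# … unchanged: concurrency, build job …

  deploy:
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
    # … unchanged: url, runs-on, needs, steps …
```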
@@ -2,7 +2,7 @@ name: SBOM Generate and Submit on: push: - branches: [ "development", "release" ] + branches: [ "main", "release", "development", "nam20485" ] workflow_dispatch: permissions: @@ -11,7 +11,9 @@ permissions: jobs: build: runs-on: ubuntu-22.04 - permissions: read-all + permissions: + id-token: write + contents: write steps: - name: Checkout Code @@ -26,5 +28,5 @@ jobs: - name: SBOM Upload uses: advanced-security/spdx-dependency-submission-action@v0.0.1 with: - filePath: ${{steps.sbom-generate.outputs.fileName }} + filePath: ${{ steps.sbom-generate.outputs.fileName }} \ No newline at end of file From ccdca91eb2655763de5a97575a794ef69f09488d Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Sun, 11 Feb 2024 21:48:52 -0800 Subject: [PATCH 11/31] make OdbDesignTestData repo public and use default token to access --- .github/workflows/cmake-multi-platform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml index ea553934..24c34d67 100644 --- a/.github/workflows/cmake-multi-platform.yml +++ b/.github/workflows/cmake-multi-platform.yml @@ -148,7 +148,7 @@ jobs: repository: 'nam20485/OdbDesignTestData' path: 'OdbDesignTestData' ref: 'main' - token: ${{ secrets.ODBDESIGN_TESTDATA_ACCESS_TOKEN }} + #token: ${{ secrets.ODBDESIGN_TESTDATA_ACCESS_TOKEN }} - name : Export ODB_TEST_DATA_DIR uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 From 685f32e8f94f68ef38cd5173d322e57748fc67b8 Mon Sep 17 00:00:00 2001 
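Review bot: `id-token: write` is added to the `build` job alongside `contents: write`, but neither visible step (`sbom-generator-action`, `spdx-dependency-submission-action`) is shown requesting an OIDC token; the dependency submission API needs only `contents: write`, so drop `id-token: write` unless the upload action's documentation calls for it. The push trigger now also fires on `main` and the personal branch `nam20485`, so every push there submits a dependency snapshot for that ref under a write-capable token; confirm that is intended, since the commit message mentions only the permission change.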
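Review bot: The `token:` line for the `OdbDesignTestData` checkout is commented out rather than deleted, leaving a dead reference to `secrets.ODBDESIGN_TESTDATA_ACCESS_TOKEN` in the workflow. Remove the line outright, and since no visible step uses the PAT any more, revoke it and delete the repository secret so an unused long-lived credential is not left behind. With the repository now public, `actions/checkout` reads it with the default `GITHUB_TOKEN`, as the commit intends.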
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Feb 2024 06:23:09 +0000 Subject: [PATCH 12/31] Bump actions/upload-artifact from 4.2.0 to 4.3.1 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.2.0 to 4.3.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/694cdabd8bdb0f10b2cea11669e1bf5453eed0a6...5d5d22a31266ced268874388b861e4b58bb5c2f3) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/cmake-multi-platform.yml | 2 +- .github/workflows/scorecard.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml index 24c34d67..f40ee25d 100644 --- a/.github/workflows/cmake-multi-platform.yml +++ b/.github/workflows/cmake-multi-platform.yml @@ -207,7 +207,7 @@ jobs: Compress-Archive -Path "${{env.ARTIFACTS_DIR_WIN}}\*.dll","${{env.ARTIFACTS_DIR_WIN}}\*.exe" -DestinationPath "${{env.ARTIFACTS_DIR_WIN}}\artifacts-${{matrix.os}}.zip" -Verbose -Force - name: Upload Artifacts - uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: ${{ matrix.os }}-artifacts path: ${{ env.ARTIFACTS_DIR }}/artifacts-${{matrix.os}}.zip diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index a3811e0c..2857989c 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml 
@@ -61,7 +61,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: name: SARIF file path: results.sarif From 7afd90d764862e3a5b8b95166a2adc405cbf1534 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Feb 2024 06:32:10 +0000 Subject: [PATCH 13/31] Bump debian from bookworm-20240110-slim to bookworm-20240211-slim Bumps debian from bookworm-20240110-slim to bookworm-20240211-slim. --- updated-dependencies: - dependency-name: debian dependency-type: direct:production ... Signed-off-by: dependabot[bot] --- Dockerfile | 4 ++-- Dockerfile (exe) | 4 ++-- Dockerfile_PyOdbDesignServer | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3515d544..c74844b8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM debian:bookworm-20240110@sha256:b16cef8cbcb20935c0f052e37fc3d38dc92bfec0bcfb894c328547f81e932d67 AS build +FROM debian:bookworm-20240211@sha256:4482958b4461ff7d9fabc24b3a9ab1e9a2c85ece07b2db1840c7cbc01d053e90 AS build ARG OWNER=nam20485 ARG GITHUB_TOKEN="PASSWORD" 
@@ -66,7 +66,7 @@ RUN cmake --build --preset linux-release # RUN cmake --build --preset linux-debug # much smaller runtime image -FROM debian:bookworm-20240110-slim@sha256:f4a83aa865a2b4a064ff142aa91c713180df9fcb86ce676b5de2981029379c37 AS run +FROM debian:bookworm-20240211-slim@sha256:d02c76d82364cedca16ba3ed6f9102406fa9fa8833076a609cabf14270f43dfc AS run LABEL org.opencontainers.image.source=https://github.com/nam20485/OdbDesign LABEL org.opencontainers.image.authors=https://github.com/nam20485 LABEL org.opencontainers.image.description="The OdbDesign Docker image runs the OdbDesignServer REST API server executable, listening on port 8888." diff --git a/Dockerfile (exe) b/Dockerfile (exe) index 2f1a1960..e78026c7 100644 --- a/Dockerfile (exe) +++ b/Dockerfile (exe) @@ -1,4 +1,4 @@ -FROM debian:bookworm-20240110-slim@sha256:f4a83aa865a2b4a064ff142aa91c713180df9fcb86ce676b5de2981029379c37 AS build +FROM debian:bookworm-20240211-slim@sha256:d02c76d82364cedca16ba3ed6f9102406fa9fa8833076a609cabf14270f43dfc AS build # install dependencies RUN apt-get update && \ @@ -52,7 +52,7 @@ RUN cp /src/OdbDesign/out/build/linux-release/OdbDesignLib/libOdbDesign.so ./_Py #RUN python3 -m build # much smaller runtime image -FROM debian:bookworm-20240110-slim@sha256:f4a83aa865a2b4a064ff142aa91c713180df9fcb86ce676b5de2981029379c37 AS run +FROM debian:bookworm-20240211-slim@sha256:d02c76d82364cedca16ba3ed6f9102406fa9fa8833076a609cabf14270f43dfc AS run RUN mkdir /OdbDesign WORKDIR /OdbDesign diff --git a/Dockerfile_PyOdbDesignServer b/Dockerfile_PyOdbDesignServer index f6ba739c..55c6dff8 100644 --- a/Dockerfile_PyOdbDesignServer +++ b/Dockerfile_PyOdbDesignServer @@ -1,4 +1,4 @@ -FROM debian:bookworm-20240110-slim@sha256:f4a83aa865a2b4a064ff142aa91c713180df9fcb86ce676b5de2981029379c37 AS build +FROM debian:bookworm-20240211-slim@sha256:d02c76d82364cedca16ba3ed6f9102406fa9fa8833076a609cabf14270f43dfc AS build # install dependencies RUN apt-get update && \ 
@@ -44,7 +44,7 @@ RUN cmake --build --preset python-linux-release # much smaller runtime image #FROM python:3.11.4-bullseye AS run -FROM debian:bookworm-20240110-slim@sha256:f4a83aa865a2b4a064ff142aa91c713180df9fcb86ce676b5de2981029379c37 as run +FROM debian:bookworm-20240211-slim@sha256:d02c76d82364cedca16ba3ed6f9102406fa9fa8833076a609cabf14270f43dfc as run # copy PyOdbDesignServer files COPY --from=build /src/OdbDesign/PyOdbDesignServer PyOdbDesignServer From 9efc5116515729dc9904f119fc14e369db3a4419 Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Tue, 13 Feb 2024 11:22:09 -0800 Subject: [PATCH 14/31] allow manual start for scorecard workflow --- .github/workflows/scorecard.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index a3811e0c..d25ad0c7 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -15,6 +15,7 @@ on: # branches: [ "development" ] pull_request: branches: [ "development" ] + workflow_dispatch: # Declare default permissions as read only. permissions: read-all From 4129d7c103b133c7b33a699f538f036278fcccd9 Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Tue, 13 Feb 2024 11:22:35 -0800 Subject: [PATCH 15/31] add name for SBOM workflow --- .github/workflows/sbom-generate-submit.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/sbom-generate-submit.yml b/.github/workflows/sbom-generate-submit.yml index a89ece22..1d841f48 100644 --- a/.github/workflows/sbom-generate-submit.yml +++ b/.github/workflows/sbom-generate-submit.yml @@ -10,6 +10,7 @@ permissions: jobs: build: + name: Generate-Submit-SBOM runs-on: ubuntu-22.04 permissions: id-token: write From 8c976fa06882c19c450d2836c9b5861bc08bb352 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Feb 2024 01:00:09 +0000 Subject: [PATCH 16/31] Bump github/codeql-action from 3.23.1 to 3.24.1 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.1 to 3.24.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/0b21cf2492b6b02c465a3e5d7c473717ad7721ba...e675ced7a7522a761fc9c8eb26682c8b27c42b2b) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/docker-scout-scan.yml | 2 +- .github/workflows/scorecard.yml | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index fe603425..e168c41b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -47,7 +47,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 + uses: github/codeql-action/init@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1 with: languages: ${{ matrix.language }} config-file: ${{ github.workspace }}/.github/codeql-config.yml @@ -78,6 +78,6 @@ jobs: run: cmake --build --preset linux-release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 + uses: github/codeql-action/analyze@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/docker-scout-scan.yml b/.github/workflows/docker-scout-scan.yml index 06c9fa79..f00d5bbf 100644 --- a/.github/workflows/docker-scout-scan.yml 
+++ b/.github/workflows/docker-scout-scan.yml @@ -138,7 +138,7 @@ jobs: - name: Upload SARIF result id: upload-sarif - uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 + uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1 with: sarif_file: sarif.output.json diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 2857989c..61a3ddd3 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -69,6 +69,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1 + uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1 with: sarif_file: results.sarif From 3fa9219d14398f107b7a00529ea36a71f8a1c633 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Feb 2024 02:01:52 +0000 Subject: [PATCH 17/31] Bump ammaraskar/gcc-problem-matcher from 0.2.0 to 0.3.0 Bumps [ammaraskar/gcc-problem-matcher](https://github.com/ammaraskar/gcc-problem-matcher) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/ammaraskar/gcc-problem-matcher/releases) - [Commits](https://github.com/ammaraskar/gcc-problem-matcher/compare/d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7...0f9c86f9e693db67dacf53986e1674de5f2e5f28) --- updated-dependencies: - dependency-name: ammaraskar/gcc-problem-matcher dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/cmake-multi-platform.yml | 2 +- .github/workflows/docker-publish.yml | 2 +- .github/workflows/docker-scout-scan.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml index f40ee25d..07921cfc 100644 
--- a/.github/workflows/cmake-multi-platform.yml +++ b/.github/workflows/cmake-multi-platform.yml @@ -59,7 +59,7 @@ jobs: uses: ammaraskar/msvc-problem-matcher@13149ebc00eaa00eadcd81b204d7159cca5de4fd # master if: matrix.os == 'windows-2022' - name: Add Problem Matchers - uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master + uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master if: matrix.os != 'windows-2022' - name: Install vcpkg Dependencies diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 81406da4..313612b4 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -41,7 +41,7 @@ jobs: # add problem matchers - name: Add Problem Matchers - uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master + uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master # Install the cosign tool except on PR # https://github.com/sigstore/cosign-installer diff --git a/.github/workflows/docker-scout-scan.yml b/.github/workflows/docker-scout-scan.yml index f00d5bbf..c9608cc5 100644 --- a/.github/workflows/docker-scout-scan.yml +++ b/.github/workflows/docker-scout-scan.yml @@ -47,7 +47,7 @@ jobs: # add problem matchers - name: Add Problem Matchers - uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master + uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master # # Install the cosign tool except on PR # # https://github.com/sigstore/cosign-installer From fdbcb1334beac0f72ea88a0bc8e61fa0786c11ee Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Feb 2024 02:17:44 +0000 Subject: [PATCH 18/31] Bump ammaraskar/msvc-problem-matcher from 0.2.0 to 0.3.0 Bumps [ammaraskar/msvc-problem-matcher](https://github.com/ammaraskar/msvc-problem-matcher) from 0.2.0 to 0.3.0. - [Release notes](https://github.com/ammaraskar/msvc-problem-matcher/releases) - [Commits](https://github.com/ammaraskar/msvc-problem-matcher/compare/13149ebc00eaa00eadcd81b204d7159cca5de4fd...1ebcb382869bfdc2cc645e8a2a43b6d319ea1cc0) --- updated-dependencies: - dependency-name: ammaraskar/msvc-problem-matcher dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/cmake-multi-platform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml index 07921cfc..addb806a 100644 --- a/.github/workflows/cmake-multi-platform.yml +++ b/.github/workflows/cmake-multi-platform.yml @@ -56,7 +56,7 @@ jobs: # add problem matchers by compiler - name: Add Problem Matchers - uses: ammaraskar/msvc-problem-matcher@13149ebc00eaa00eadcd81b204d7159cca5de4fd # master + uses: ammaraskar/msvc-problem-matcher@1ebcb382869bfdc2cc645e8a2a43b6d319ea1cc0 # master if: matrix.os == 'windows-2022' - name: Add Problem Matchers uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master From ffedc4bd06ac910bc630cc862f914b0e0e3d675d Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Feb 2024 02:33:45 +0000 Subject: [PATCH 19/31] Bump dorny/test-reporter from 1.7.0 to 1.8.0 Bumps [dorny/test-reporter](https://github.com/dorny/test-reporter) from 1.7.0 to 1.8.0. - [Release notes](https://github.com/dorny/test-reporter/releases) - [Changelog](https://github.com/dorny/test-reporter/blob/main/CHANGELOG.md) - [Commits](https://github.com/dorny/test-reporter/compare/v1.7.0...v1.8.0) --- updated-dependencies: - dependency-name: dorny/test-reporter dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/cmake-multi-platform.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml index addb806a..5703006e 100644 --- a/.github/workflows/cmake-multi-platform.yml +++ b/.github/workflows/cmake-multi-platform.yml @@ -165,7 +165,7 @@ jobs: # report test results - name: Report Test Results - uses: dorny/test-reporter@v1.7.0 + uses: dorny/test-reporter@v1.8.0 if: steps.cmake-test.outcome == 'success' || steps.cmake-test.outcome == 'failure' with: name: ${{ matrix.os }}_test-results From fbb432497a734c54fd4f1f691df71a5a37577d91 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Feb 2024 06:17:59 +0000 Subject: [PATCH 20/31] Bump aws-actions/configure-aws-credentials from 4.0.1 to 4.0.2 Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 4.0.1 to 4.0.2. - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/v4.0.1...v4.0.2) --- updated-dependencies: - dependency-name: aws-actions/configure-aws-credentials dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/deploy-eks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-eks.yml b/.github/workflows/deploy-eks.yml index 3bd94c1a..254b80d2 100644 --- a/.github/workflows/deploy-eks.yml +++ b/.github/workflows/deploy-eks.yml @@ -45,7 +45,7 @@ jobs: # aws --version - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4.0.1 + uses: aws-actions/configure-aws-credentials@v4.0.2 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} From b7917963dbeaa17e114fe16e915ef6b0c3eb4149 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Feb 2024 18:21:36 +0000 Subject: [PATCH 21/31] Bump sigstore/cosign-installer from 3.3.0 to 3.4.0 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.3.0 to 3.4.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/9614fae9e5c5eddabb09f90a270fcb487c9f7149...e1523de7571e31dbe865fd2e80c5c7c23ae71eb4) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/docker-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 313612b4..e8f92627 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -47,7 +47,7 @@ jobs: # https://github.com/sigstore/cosign-installer - name: cosign-installer if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 + uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 # Workaround: https://github.com/docker/build-push-action/issues/461 - name: Setup Docker buildx From dc7ffbdce878561bfba739e26137373db0b47f0f Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Feb 2024 18:38:32 +0000 Subject: [PATCH 22/31] Bump docker/metadata-action from 5.5.0 to 5.5.1 Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5.5.0 to 5.5.1. - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](https://github.com/docker/metadata-action/compare/dbef88086f6cef02e264edb7dbf63250c17cef6c...8e5442c4ef9f78752691e2d8f8d19755c6f78e81) --- updated-dependencies: - dependency-name: docker/metadata-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/docker-publish.yml | 2 +- .github/workflows/docker-scout-scan.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index e8f92627..046d7e9d 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -67,7 +67,7 @@ jobs: # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | diff --git a/.github/workflows/docker-scout-scan.yml b/.github/workflows/docker-scout-scan.yml index c9608cc5..83733674 100644 --- a/.github/workflows/docker-scout-scan.yml +++ b/.github/workflows/docker-scout-scan.yml @@ -83,7 +83,7 @@ jobs: # https://github.com/docker/metadata-action - name: Extract Docker metadata id: meta - uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 with: images: ${{ env.IMAGE_NAME }} tags: | From acfeee43dedd1b6fd1cf0ade00403dcadfb5d3d5 Mon Sep 17 00:00:00 2001 
From: Nathan Miller Date: Wed, 14 Feb 2024 10:51:41 -0800 Subject: [PATCH 23/31] add concurrency group to deploy-eks workflow so that only one in-progress run is allowed at a time --- .github/workflows/deploy-eks.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy-eks.yml b/.github/workflows/deploy-eks.yml index 3bd94c1a..5ce60f42 100644 --- a/.github/workflows/deploy-eks.yml +++ b/.github/workflows/deploy-eks.yml @@ -8,8 +8,14 @@ on: repository_dispatch: types: [ "trigger_deploy_release_event" ] +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: ${{ github.workflow }}-${{ github.ref_name }} + cancel-in-progress: false + env: - AWS_REGION: us-west-2 # set this to your preferred AWS region, e.g. us-west-1 + AWS_REGION: us-west-2 permissions: contents: read From 3f9034a91bdd956d22baf4c55cdae7afe3cbb023 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Feb 2024 19:01:32 +0000 Subject: [PATCH 24/31] Bump actions/checkout from 3 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Commits](https://github.com/actions/checkout/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/deploy-eks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-eks.yml b/.github/workflows/deploy-eks.yml index 254b80d2..550b8342 100644 --- a/.github/workflows/deploy-eks.yml +++ b/.github/workflows/deploy-eks.yml 
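Review bot: `group: ${{ github.workflow }}-${{ github.ref_name }}` does not key on the ref being deployed: for the `repository_dispatch` trigger in the context lines, `github.ref_name` is the repository's default branch, while the deployment target and the environment name come from `github.event.client_payload.ref_name`. As written, every dispatched deploy serialises into a single group regardless of release, and a run from any other trigger on a different branch lands in a separate group and can proceed concurrently with it. If the intent is one in-flight deploy per target, use `group: ${{ github.workflow }}-${{ github.event.client_payload.ref_name || github.ref_name }}`.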
@@ -34,7 +34,7 @@ jobs: fi - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Install AWS CLI run: | From 5ddc5932a6118219243963a8897ff4e5af192685 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 14 Feb 2024 19:17:48 +0000 Subject: [PATCH 25/31] Bump docker/scout-action from 1.3.0 to 1.4.1 Bumps [docker/scout-action](https://github.com/docker/scout-action) from 1.3.0 to 1.4.1. - [Release notes](https://github.com/docker/scout-action/releases) - [Commits](https://github.com/docker/scout-action/compare/42a6acc319ac229f86e12bfca3b83de09fb058be...4a5494eb7c2b3d712b805ee65ad57a0371d50874) --- updated-dependencies: - dependency-name: docker/scout-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/docker-scout-scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-scout-scan.yml b/.github/workflows/docker-scout-scan.yml index 83733674..45fab314 100644 --- a/.github/workflows/docker-scout-scan.yml +++ b/.github/workflows/docker-scout-scan.yml @@ -128,7 +128,7 @@ jobs: - name: Analyze for critical and high CVEs id: docker-scout-cves # if: ${{ github.event_name != 'pull_request_target' }} - uses: docker/scout-action@42a6acc319ac229f86e12bfca3b83de09fb058be # v1.3.0 + uses: docker/scout-action@4a5494eb7c2b3d712b805ee65ad57a0371d50874 # v1.4.1 with: command: cves,recommendations image: ${{ steps.meta.outputs.tags }} @@ -145,7 +145,7 @@ jobs: - name: Docker Scout Compare to Latest id: docker-scout if: ${{ github.event_name == 'pull_request' }} - uses: docker/scout-action@42a6acc319ac229f86e12bfca3b83de09fb058be # v1.3.0 + uses: docker/scout-action@4a5494eb7c2b3d712b805ee65ad57a0371d50874 # v1.4.1 with: command: compare image: ${{ steps.meta.outputs.tags }} From 29be2331ac365df6f3da9995c4c2d6ab07b0a0eb Mon Sep 17 00:00:00 2001 
From: StepSecurity Bot Date: Wed, 14 Feb 2024 20:27:17 +0000 Subject: [PATCH 26/31] [StepSecurity] ci: Harden GitHub Actions Signed-off-by: StepSecurity Bot --- .github/workflows/cmake-multi-platform.yml | 7 ++++++- .github/workflows/codeql.yml | 5 +++++ .github/workflows/create-release.yml | 7 ++++++- .github/workflows/dependency-review.yml | 7 ++++++- .github/workflows/deploy-eks.yml | 9 +++++++-- .github/workflows/docker-publish.yml | 7 ++++++- .github/workflows/docker-scout-scan.yml | 5 +++++ .github/workflows/jekyll-gh-pages.yml | 20 +++++++++++++++----- .github/workflows/sbom-generate-submit.yml | 9 +++++++-- .github/workflows/scorecard.yml | 5 +++++ 10 files changed, 68 insertions(+), 13 deletions(-) diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml index 5703006e..287ba34b 100644 --- a/.github/workflows/cmake-multi-platform.yml +++ b/.github/workflows/cmake-multi-platform.yml @@ -51,6 +51,11 @@ jobs: steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -165,7 +170,7 @@ jobs: # report test results - name: Report Test Results - uses: dorny/test-reporter@v1.8.0 + uses: dorny/test-reporter@eaa763f6ffc21c7a37837f56cd5f9737f27fc6c8 # v1.8.0 if: steps.cmake-test.outcome == 'success' || steps.cmake-test.outcome == 'failure' with: name: ${{ matrix.os }}_test-results diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e168c41b..61185f57 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -42,6 +42,11 @@ jobs: # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml index 5e051ad6..37ba240a 100644 --- a/.github/workflows/create-release.yml +++ b/.github/workflows/create-release.yml @@ -29,6 +29,11 @@ jobs: steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check Dispatch ID run: | if [[ "${{ github.event.client_payload.dispatch_id }}" == "${{ secrets.DISPATCH_ID }}" ]]; then @@ -42,7 +47,7 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Download Artifacts - uses: dawidd6/action-download-artifact@v3.0.0 + uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0 with: workflow: cmake-multi-platform.yml workflow_conclusion: success diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 3c58ad21..64391d01 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
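Review bot: The `Check Dispatch ID` step immediately after the new Harden Runner step in create-release.yml compares `${{ github.event.client_payload.dispatch_id }}` with `${{ secrets.DISPATCH_ID }}` by expanding both expressions into the shell script text, which the hardening pass leaves untouched. A payload value containing a double quote or shell metacharacters is spliced into the `[[ ... ]]` test before bash parses it (triggering `repository_dispatch` needs write access, so the exposure is narrower than for PR-driven events, but the pattern is still script injection), and the secret is embedded in the script rather than read from the environment. Passing both values through `env:` and comparing the variables keeps the same accept/reject behaviour without either problem. The rest of the step, including its else branch, lies outside this hunk.
```yaml
- name: Check Dispatch ID
  env:
    PAYLOAD_DISPATCH_ID: ${{ github.event.client_payload.dispatch_id }}
    EXPECTED_DISPATCH_ID: ${{ secrets.DISPATCH_ID }}
  run: |
    if [[ "$PAYLOAD_DISPATCH_ID" == "$EXPECTED_DISPATCH_ID" ]]; then
    # … unchanged: body of the check …
```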
@@ -23,11 +23,16 @@ jobs: pull-requests: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: 'Checkout Repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Component detection - uses: advanced-security/component-detection-dependency-submission-action@v0.0.2 + uses: advanced-security/component-detection-dependency-submission-action@5a8ce4ad8c6fbb9b88f66f672014e44b427d7d54 # v0.0.2 - name: 'Dependency Review' uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0 diff --git a/.github/workflows/deploy-eks.yml b/.github/workflows/deploy-eks.yml index 932da2ba..86ffba11 100644 --- a/.github/workflows/deploy-eks.yml +++ b/.github/workflows/deploy-eks.yml @@ -30,6 +30,11 @@ jobs: steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Check Dispatch ID run: | if [[ "${{ github.event.client_payload.dispatch_id }}" == "${{ secrets.DISPATCH_ID }}" ]]; then @@ -40,7 +45,7 @@ jobs: fi - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install AWS CLI run: | @@ -51,7 +56,7 @@ jobs: # aws --version - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4.0.2 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 046d7e9d..4067538d 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
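Review bot: `egress-policy: audit` on the Harden Runner step added to deploy-eks.yml only records outbound connections; it does not prevent a compromised step from sending the AWS credentials and kubeconfig this job later loads to an arbitrary host. Audit is the right first setting to establish a baseline, but this workflow in particular should graduate to `egress-policy: block` with an `allowed-endpoints:` list built from the audit output (GitHub, the AWS endpoints for `us-west-2`, the EKS API). Record that intent on the step with `# TODO(security): switch to egress-policy: block once the audit baseline is stable` so the audit setting is not mistaken for the final state.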
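Review bot: The pinned `configure-aws-credentials` step in deploy-eks.yml still authenticates with long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` repository secrets, which the hardening commit does not change. The action supports GitHub OIDC federation, which replaces the static key pair with short-lived credentials and removes the rotation burden; if an IAM role with a trust policy for this repository exists, the change is `role-to-assume: <role-arn>` in place of the two key inputs plus `id-token: write` under the job's `permissions:`. Until that is done, confirm the key pair is scoped to the EKS deploy actions only and note it on the step, e.g. `# TODO: move to OIDC (role-to-assume) and drop the static keys`. The job's `permissions:` block is outside this hunk.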
@@ -36,6 +36,11 @@ jobs: id-token: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -106,7 +111,7 @@ jobs: - name: Trigger Deploy and Release Workflows if: github.ref_name == 'release' && github.event_name == 'push' - uses: peter-evans/repository-dispatch@v3.0.0 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 with: repository: ${{ github.repository }} event-type: trigger_deploy_release_event diff --git a/.github/workflows/docker-scout-scan.yml b/.github/workflows/docker-scout-scan.yml index 45fab314..a4c0c122 100644 --- a/.github/workflows/docker-scout-scan.yml +++ b/.github/workflows/docker-scout-scan.yml @@ -42,6 +42,11 @@ jobs: if: github.event_name != 'pull_request' || github.base_ref != 'development' || github.head_ref == 'nam20485' steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml index dfcc4878..e9c34da5 100644 --- a/.github/workflows/jekyll-gh-pages.yml +++ b/.github/workflows/jekyll-gh-pages.yml 
@@ -26,20 +26,25 @@ jobs: build: runs-on: ubuntu-22.04 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0 - name: Build with Jekyll - uses: actions/jekyll-build-pages@v1 + uses: actions/jekyll-build-pages@3ef60073fe85b3ccba7e900c2ebf9d7542dc7a8f # v1.0.11 with: source: ./docs destination: ./_site - name: Upload artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 # Deployment job deploy: @@ -49,6 +54,11 @@ jobs: runs-on: ubuntu-latest needs: build steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4.0.4 diff --git a/.github/workflows/sbom-generate-submit.yml b/.github/workflows/sbom-generate-submit.yml index 1d841f48..54d416e0 100644 --- a/.github/workflows/sbom-generate-submit.yml +++ b/.github/workflows/sbom-generate-submit.yml 
@@ -17,17 +17,22 @@ jobs: contents: write steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout Code uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: SBOM Generate - uses: advanced-security/sbom-generator-action@v0.0.1 + uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1 id: sbom-generate env: GITHUB_TOKEN: ${{ github.token }} - name: SBOM Upload - uses: advanced-security/spdx-dependency-submission-action@v0.0.1 + uses: advanced-security/spdx-dependency-submission-action@dc069b56ba31ce546dc419b549aceb808c632d9a # v0.0.1 with: filePath: ${{ steps.sbom-generate.outputs.fileName }} \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 13ae49d5..f2ced069 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -34,6 +34,11 @@ jobs: # actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: From e50bee67e3ddf3d5ac2e3abc4785eb970f7e70fc Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Wed, 14 Feb 2024 12:40:29 -0800 Subject: [PATCH 27/31] add id-token: write permission to dependency-review workflow for component-detection step --- .github/workflows/dependency-review.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 3c58ad21..2a6ce5c3 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -18,7 +18,8 @@ jobs: dependency-review: runs-on: ubuntu-22.04 - permissions: + permissions: + id-token: write contents: write pull-requests: write 
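Review bot: The `id-token: write` added to the dependency-review job lets every step in that job mint OIDC tokens, a capability unrelated to the dependency-submission and PR-comment work the neighbouring `contents: write` and `pull-requests: write` cover, and the only record of why it is needed is the commit message. Add the reason inline, `id-token: write  # needed by the component-detection dependency-submission step`, so a later cleanup neither strips it while the step still depends on it nor keeps it after the step is removed. If that action turns out not to require the token, drop the line, since a job-level permission cannot be narrowed to one step.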
From ce6925bcac738a9e190e44738daae5f673dcdece Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Wed, 14 Feb 2024 17:02:47 -0800 Subject: [PATCH 28/31] provide require hashes argument to pip install --- Dockerfile_PyOdbDesignServer | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile_PyOdbDesignServer b/Dockerfile_PyOdbDesignServer index 55c6dff8..8a91bf18 100644 --- a/Dockerfile_PyOdbDesignServer +++ b/Dockerfile_PyOdbDesignServer @@ -60,7 +60,7 @@ RUN apt-get update && \ python3-pip WORKDIR /PyOdbDesignServer -RUN python3 -m pip install -r requirements.txt --break-system-packages +RUN python3 -m pip install -r requirements.txt --break-system-packages --require-hashes # run WORKDIR /PyOdbDesignServer From 8a94814b3652091328cf21fc38bb0a244835db63 Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Wed, 14 Feb 2024 17:08:22 -0800 Subject: [PATCH 29/31] add upload SBOM workflow status badge to README --- docs/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/README.md b/docs/README.md index edaf2d72..b3dd382e 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -68,6 +68,7 @@ The diagram describes the current state of parser implementation and data availa | Security Code Scan | [![CodeQL Security Scan](https://github.com/nam20485/OdbDesign/actions/workflows/codeql.yml/badge.svg?branch=development)](https://github.com/nam20485/OdbDesign/actions/workflows/codeql.yml) | | Docker Security Scan | [![Docker Scout Scan](https://github.com/nam20485/OdbDesign/actions/workflows/docker-scout-scan.yml/badge.svg?branch=development)](https://github.com/nam20485/OdbDesign/actions/workflows/docker-scout-scan.yml) | | Dependency Review Scan | [![Dependency Review](https://github.com/nam20485/OdbDesign/actions/workflows/dependency-review.yml/badge.svg?branch=development)](https://github.com/nam20485/OdbDesign/actions/workflows/dependency-review.yml) | +| Upload SBOM | [![SBOM Generate and Submit](https://github.com/nam20485/OdbDesign/actions/workflows/sbom-generate-submit.yml/badge.svg?branch=development)](https://github.com/nam20485/OdbDesign/actions/workflows/sbom-generate-submit.yml) | #### `main` 
@@ -78,6 +79,7 @@ The diagram describes the current state of parser implementation and data availa | Security Code Scan | [![CodeQL Security Scan](https://github.com/nam20485/OdbDesign/actions/workflows/codeql.yml/badge.svg?branch=development)](https://github.com/nam20485/OdbDesign/actions/workflows/codeql.yml) | | Docker Security Scan | [![Docker Scout Scan](https://github.com/nam20485/OdbDesign/actions/workflows/docker-scout-scan.yml/badge.svg?branch=main)](https://github.com/nam20485/OdbDesign/actions/workflows/docker-scout-scan.yml) | | Dependency Review Scan | [![Dependency Review](https://github.com/nam20485/OdbDesign/actions/workflows/dependency-review.yml/badge.svg?branch=main)](https://github.com/nam20485/OdbDesign/actions/workflows/dependency-review.yml) | +| Upload SBOM | [![SBOM Generate and Submit](https://github.com/nam20485/OdbDesign/actions/workflows/sbom-generate-submit.yml/badge.svg?branch=main)](https://github.com/nam20485/OdbDesign/actions/workflows/sbom-generate-submit.yml) | #### `release` 
@@ -88,6 +90,7 @@ The diagram describes the current state of parser implementation and data availa | Security Code Scan | [![CodeQL Security Scan](https://github.com/nam20485/OdbDesign/actions/workflows/codeql.yml/badge.svg?branch=development)](https://github.com/nam20485/OdbDesign/actions/workflows/codeql.yml) | | Docker Security Scan | [![Docker Scout Scan](https://github.com/nam20485/OdbDesign/actions/workflows/docker-scout-scan.yml/badge.svg?branch=release)](https://github.com/nam20485/OdbDesign/actions/workflows/docker-scout-scan.yml) | | Dependency Review Scan | [![Dependency Review](https://github.com/nam20485/OdbDesign/actions/workflows/dependency-review.yml/badge.svg?branch=release)](https://github.com/nam20485/OdbDesign/actions/workflows/dependency-review.yml) | +| Upload SBOM | [![SBOM Generate and Submit](https://github.com/nam20485/OdbDesign/actions/workflows/sbom-generate-submit.yml/badge.svg?branch=release)](https://github.com/nam20485/OdbDesign/actions/workflows/sbom-generate-submit.yml) | ### Architecture From 57f229488b10477d987f8deebb455c01b6a2c310 Mon Sep 17 00:00:00 2001 From: Nathan Miller Date: Wed, 14 Feb 2024 17:32:53 -0800 Subject: [PATCH 30/31] change dependabot update scan to weekly --- .github/dependabot.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fe0c15a2..9215c651 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -3,14 +3,14 @@ updates: - package-ecosystem: github-actions directory: / schedule: - interval: daily + interval: weekly - package-ecosystem: pip directory: /PyOdbDesignServer schedule: - interval: daily + interval: weekly - package-ecosystem: docker directory: / schedule: - interval: daily + interval: weekly From 82cf7f03556f8f7a4850bf2462968de75de5ad8e Mon Sep 17 00:00:00 2001 
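Review bot: Moving all three ecosystems from `daily` to `weekly` delays version-update PRs by up to a week, and the comment-free dependabot.yml gives no hint whether that trade-off is deliberate. Dependabot security updates (PRs raised from Dependabot alerts) are driven by the alerts rather than this `schedule:`, so they are not slowed by the change provided alerts and security updates are enabled for the repository; a line above `updates:` such as `# weekly version updates; security updates are alert-driven and unaffected by this schedule` would capture that. If a faster cadence matters for one ecosystem, the interval is set per entry, so `pip` for the Django service can stay `daily` while the others move to `weekly`.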
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 15 Feb 2024 01:57:49 +0000 Subject: [PATCH 31/31] Bump actions/dependency-review-action from 4.0.0 to 4.1.0 Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.0.0 to 4.1.0. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](https://github.com/actions/dependency-review-action/compare/4901385134134e04cec5fbe5ddfe3b2c5bd5d976...80f10bf419f34980065523f5efca7ebed17576aa) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 86f10a1e..5aa06663 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -36,6 +36,6 @@ jobs: uses: advanced-security/component-detection-dependency-submission-action@5a8ce4ad8c6fbb9b88f66f672014e44b427d7d54 # v0.0.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0 + uses: actions/dependency-review-action@80f10bf419f34980065523f5efca7ebed17576aa # v4.1.0 with: comment-summary-in-pr: true