merge to main #217

Merged
merged 61 commits into from
Feb 15, 2024
61 commits
60d4726
Bump django from 5.0.1 to 5.0.2 in /PyOdbDesignServer
dependabot[bot] Feb 7, 2024
36a9a19
don't install aws cli since it's apparently already installed
nam20485 Feb 12, 2024
fdd09bf
don't install aws cli since it's apparently already installed (#200)
nam20485 Feb 12, 2024
703f012
add environment url and use payload.ref_name for environment name
nam20485 Feb 12, 2024
c70ef07
add SBOM generation and submission workflow
nam20485 Feb 12, 2024
6c09815
change payload.ref to ref_name
nam20485 Feb 12, 2024
6d961b9
add dependency submission job to dependency review workflow
nam20485 Feb 12, 2024
e9c331b
run sbom workflow on development branch pushes
nam20485 Feb 12, 2024
dd7a421
simplify dependency review workflow
nam20485 Feb 12, 2024
c0f988c
Create jekyll-gh-pages.yml
nam20485 Feb 12, 2024
bcc3169
merge to development (#201)
nam20485 Feb 12, 2024
edcbb6b
add write permissions for SBOM upload workflow
nam20485 Feb 12, 2024
ccdca91
make OdbDesignTestData repo public and use default token to access
nam20485 Feb 12, 2024
dc52d8b
merge to development (#203)
nam20485 Feb 12, 2024
685f32e
Bump actions/upload-artifact from 4.2.0 to 4.3.1
dependabot[bot] Feb 12, 2024
7afd90d
Bump debian from bookworm-20240110-slim to bookworm-20240211-slim
dependabot[bot] Feb 13, 2024
dcd32d8
Merge branch 'development' into custom-pages-workflow
nam20485 Feb 13, 2024
9efc511
allow manual start for scorecard workflow
nam20485 Feb 13, 2024
4129d7c
add name for SBOM workflow
nam20485 Feb 13, 2024
e28d1f6
Merge branch 'development' into dependabot/pip/PyOdbDesignServer/djan…
nam20485 Feb 13, 2024
359c296
Bump django from 5.0.1 to 5.0.2 in /PyOdbDesignServer (#190)
nam20485 Feb 13, 2024
0efd755
Merge branch 'development' into custom-pages-workflow
nam20485 Feb 13, 2024
89adc3d
Create jekyll-gh-pages.yml (#202)
nam20485 Feb 13, 2024
9e162f4
Merge branch 'development' into nam20485
nam20485 Feb 13, 2024
d2ed4e9
Merge branch 'development' into dependabot/docker/debian-bookworm-202…
nam20485 Feb 13, 2024
827ec57
Bump debian from bookworm-20240110-slim to bookworm-20240211-slim (#205)
nam20485 Feb 13, 2024
cbba80d
Merge branch 'development' into dependabot/github_actions/actions/upl…
nam20485 Feb 14, 2024
fb82fb5
Bump actions/upload-artifact from 4.2.0 to 4.3.1 (#187)
nam20485 Feb 14, 2024
8c976fa
Bump github/codeql-action from 3.23.1 to 3.24.1
dependabot[bot] Feb 14, 2024
90dfbe3
Bump github/codeql-action from 3.23.1 to 3.24.1 (#206)
nam20485 Feb 14, 2024
3fa9219
Bump ammaraskar/gcc-problem-matcher from 0.2.0 to 0.3.0
dependabot[bot] Feb 14, 2024
eaae04e
Bump ammaraskar/gcc-problem-matcher from 0.2.0 to 0.3.0 (#167)
nam20485 Feb 14, 2024
fdbcb13
Bump ammaraskar/msvc-problem-matcher from 0.2.0 to 0.3.0
dependabot[bot] Feb 14, 2024
fb22be9
Bump ammaraskar/msvc-problem-matcher from 0.2.0 to 0.3.0 (#168)
nam20485 Feb 14, 2024
ffedc4b
Bump dorny/test-reporter from 1.7.0 to 1.8.0
dependabot[bot] Feb 14, 2024
a804ba1
Bump dorny/test-reporter from 1.7.0 to 1.8.0 (#175)
nam20485 Feb 14, 2024
fbb4324
Bump aws-actions/configure-aws-credentials from 4.0.1 to 4.0.2
dependabot[bot] Feb 14, 2024
5dd501c
Bump aws-actions/configure-aws-credentials from 4.0.1 to 4.0.2 (#207)
nam20485 Feb 14, 2024
b791796
Bump sigstore/cosign-installer from 3.3.0 to 3.4.0
dependabot[bot] Feb 14, 2024
2dd7482
Bump sigstore/cosign-installer from 3.3.0 to 3.4.0 (#209)
nam20485 Feb 14, 2024
dc7ffbd
Bump docker/metadata-action from 5.5.0 to 5.5.1
dependabot[bot] Feb 14, 2024
acfeee4
add concurrency group to deploy-eks workflow so that only one in-prog…
nam20485 Feb 14, 2024
a205aa4
Merge branch 'development' into nam20485
nam20485 Feb 14, 2024
e540923
Bump docker/metadata-action from 5.5.0 to 5.5.1 (#211)
nam20485 Feb 14, 2024
3f9034a
Bump actions/checkout from 3 to 4
dependabot[bot] Feb 14, 2024
3d20034
Bump actions/checkout from 3 to 4 (#208)
nam20485 Feb 14, 2024
5ddc593
Bump docker/scout-action from 1.3.0 to 1.4.1
dependabot[bot] Feb 14, 2024
b5bef55
Bump docker/scout-action from 1.3.0 to 1.4.1 (#210)
nam20485 Feb 14, 2024
fc2ecb2
Merge branch 'development' into nam20485
nam20485 Feb 14, 2024
43a519b
merge to development (#212)
nam20485 Feb 14, 2024
29be233
[StepSecurity] ci: Harden GitHub Actions
step-security-bot Feb 14, 2024
e50bee6
add id-token: write permission to dependency-review workflow for comp…
nam20485 Feb 14, 2024
1a59ed8
[StepSecurity] ci: Harden GitHub Actions (#213)
nam20485 Feb 14, 2024
d787df4
Merge branch 'development' into nam20485
nam20485 Feb 14, 2024
623378c
add id-token: write permission to dependency-review workflow for comp…
nam20485 Feb 14, 2024
ce6925b
provide require hashes argument to pip install
nam20485 Feb 15, 2024
8a94814
add upload SBOM workflow status badge to README
nam20485 Feb 15, 2024
57f2294
change dependabot update scan to weekly
nam20485 Feb 15, 2024
103030d
merge to development (#215)
nam20485 Feb 15, 2024
82cf7f0
Bump actions/dependency-review-action from 4.0.0 to 4.1.0
dependabot[bot] Feb 15, 2024
fe6f561
Bump actions/dependency-review-action from 4.0.0 to 4.1.0 (#216)
nam20485 Feb 15, 2024
6 changes: 3 additions & 3 deletions .github/dependabot.yml
@@ -3,14 +3,14 @@ updates:
- package-ecosystem: github-actions
directory: /
schedule:
interval: daily
interval: weekly

- package-ecosystem: pip
directory: /PyOdbDesignServer
schedule:
interval: daily
interval: weekly

- package-ecosystem: docker
directory: /
schedule:
interval: daily
interval: weekly
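Review bot: moving all three ecosystems from `daily` to `weekly` slows uptake of routine version bumps, which is a fair trade for less PR noise, but this schedule governs version updates only; Dependabot security updates, when enabled in the repository settings, are opened as advisories appear regardless of `interval`. If the goal was fewer PRs rather than slower patching, a `groups:` block (batching several bumps into one PR) or a fixed `day:` under `schedule:` keeps the cadence predictable without changing what gets updated.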
15 changes: 10 additions & 5 deletions .github/workflows/cmake-multi-platform.yml
@@ -51,15 +51,20 @@ jobs:

steps:

- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

# add problem matchers by compiler
- name: Add Problem Matchers
uses: ammaraskar/msvc-problem-matcher@13149ebc00eaa00eadcd81b204d7159cca5de4fd # master
uses: ammaraskar/msvc-problem-matcher@1ebcb382869bfdc2cc645e8a2a43b6d319ea1cc0 # master
if: matrix.os == 'windows-2022'
- name: Add Problem Matchers
uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master
uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master
if: matrix.os != 'windows-2022'

- name: Install vcpkg Dependencies
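Review bot: the two problem-matcher pins keep a `# master` comment, while the commit list describes them as bumps from 0.2.0 to 0.3.0; one of the two is wrong. If the new SHAs are the v0.3.0 release commits, label them `# v0.3.0` as every other pin in this step list is labelled, so the pinned version is auditable without resolving the hash by hand; if they really are branch heads, the pin is to a moving target and should be moved to a release. On the new Harden Runner step, `egress-policy: audit` only records outbound connections and blocks nothing; treat these runs as the data-gathering phase for a later `egress-policy: block` with an `allowed-endpoints` list.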
@@ -148,7 +153,7 @@ jobs:
repository: 'nam20485/OdbDesignTestData'
path: 'OdbDesignTestData'
ref: 'main'
token: ${{ secrets.ODBDESIGN_TESTDATA_ACCESS_TOKEN }}
#token: ${{ secrets.ODBDESIGN_TESTDATA_ACCESS_TOKEN }}

- name : Export ODB_TEST_DATA_DIR
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
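Review bot: the `#token:` line should be deleted rather than left commented out; it keeps a reference to `ODBDESIGN_TESTDATA_ACCESS_TOKEN` in a checkout of a repository the commit message says is now public, and a later edit that uncomments it would silently start using a stale credential. Since this checkout no longer needs the secret, remove it from the repository secrets and revoke the underlying token; git history preserves the old form if it is ever needed again.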
@@ -165,7 +170,7 @@ jobs:

# report test results
- name: Report Test Results
uses: dorny/test-reporter@v1.7.0
uses: dorny/test-reporter@eaa763f6ffc21c7a37837f56cd5f9737f27fc6c8 # v1.8.0
if: steps.cmake-test.outcome == 'success' || steps.cmake-test.outcome == 'failure'
with:
name: ${{ matrix.os }}_test-results
@@ -207,7 +212,7 @@ jobs:
Compress-Archive -Path "${{env.ARTIFACTS_DIR_WIN}}\*.dll","${{env.ARTIFACTS_DIR_WIN}}\*.exe" -DestinationPath "${{env.ARTIFACTS_DIR_WIN}}\artifacts-${{matrix.os}}.zip" -Verbose -Force

- name: Upload Artifacts
uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ matrix.os }}-artifacts
path: ${{ env.ARTIFACTS_DIR }}/artifacts-${{matrix.os}}.zip
9 changes: 7 additions & 2 deletions .github/workflows/codeql.yml
@@ -42,12 +42,17 @@ jobs:
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
uses: github/codeql-action/init@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
with:
languages: ${{ matrix.language }}
config-file: ${{ github.workspace }}/.github/codeql-config.yml
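Review bot: `init` and `analyze` are bumped to the same `e675ced…` SHA, which is the right way to move `github/codeql-action`; the action expects both steps to run the same version. For the new Harden Runner step, `egress-policy: audit` is observe-only. A CodeQL job talks to a small, stable set of endpoints, so after a few audited runs this workflow is a good first candidate for `egress-policy: block` with an explicit `allowed-endpoints` list taken from the audit report.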
@@ -78,6 +83,6 @@ jobs:
run: cmake --build --preset linux-release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
uses: github/codeql-action/analyze@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
with:
category: "/language:${{matrix.language}}"
7 changes: 6 additions & 1 deletion .github/workflows/create-release.yml
@@ -29,6 +29,11 @@ jobs:

steps:

- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Check Dispatch ID
run: |
if [[ "${{ github.event.client_payload.dispatch_id }}" == "${{ secrets.DISPATCH_ID }}" ]]; then
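Review bot: the `Check Dispatch ID` step splices `${{ github.event.client_payload.dispatch_id }}` directly into a bash script. `client_payload` is caller-supplied data, so a value containing a closing `"` followed by shell metacharacters runs as script before the comparison is ever evaluated; the write-scoped token needed to fire `repository_dispatch` limits who can do this, but that caller is exactly the one this check is meant to distrust. Pass both values through the environment and compare variables instead: `env: { GOT: ${{ github.event.client_payload.dispatch_id }}, WANT: ${{ secrets.DISPATCH_ID }} }` and then `if [[ "$GOT" == "$WANT" ]]; then`. The same pattern appears in deploy-eks.yml and should be fixed there too.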
@@ -42,7 +47,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Download Artifacts
uses: dawidd6/[email protected]
uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0
with:
workflow: cmake-multi-platform.yml
workflow_conclusion: success
17 changes: 14 additions & 3 deletions .github/workflows/dependency-review.yml
@@ -15,16 +15,27 @@ permissions:
contents: read

jobs:

dependency-review:
runs-on: ubuntu-latest
permissions:
runs-on: ubuntu-22.04
permissions:
id-token: write
contents: write
pull-requests: write

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: 'Checkout Repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Component detection
uses: advanced-security/component-detection-dependency-submission-action@5a8ce4ad8c6fbb9b88f66f672014e44b427d7d54 # v0.0.2

- name: 'Dependency Review'
uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0
uses: actions/dependency-review-action@80f10bf419f34980065523f5efca7ebed17576aa # v4.1.0
with:
comment-summary-in-pr: true
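Review bot: the job's permissions grow from `contents: read` to `id-token: write`, `contents: write` and `pull-requests: write`, and the truncated commit message only says `id-token: write` is "for comp…". `contents: write` is what the dependency submission behind `component-detection-dependency-submission-action` needs, and `pull-requests: write` matches `comment-summary-in-pr: true`; `id-token: write` lets any step in the job mint an OIDC token, and no step shown here gives a reason for it. If component detection needs it, say so in a comment beside the permission; otherwise drop it. Note also that if this runs on `pull_request` (as `comment-summary-in-pr` implies), runs from forks get a read-only token regardless of this block, so the submission step will fail there and may want an `if:` guard. Separately, the component-detection action is pinned at v0.0.2, a pre-release; fine if that is an accepted risk, but worth recording.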
33 changes: 24 additions & 9 deletions .github/workflows/deploy-eks.yml
@@ -8,8 +8,14 @@ on:
repository_dispatch:
types: [ "trigger_deploy_release_event" ]

# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
cancel-in-progress: false

env:
AWS_REGION: us-west-2 # set this to your preferred AWS region, e.g. us-west-1
AWS_REGION: us-west-2

permissions:
contents: read
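Review bot: the new `concurrency.group` keys on `github.ref_name`, but this workflow is triggered by `repository_dispatch`, and runs for that event execute on the default branch, so `github.ref_name` is always the default branch name and the group collapses to a single lock for the whole workflow. If one deployment at a time is the intent, key on `github.workflow` alone and say so in the comment; if per-target serialisation was intended, use the value the `environment` now uses, `github.event.client_payload.ref_name`.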
@@ -18,10 +24,17 @@ jobs:
deploy:
name: Deploy
runs-on: ubuntu-22.04
environment: production
environment:
name: ${{ github.event.client_payload.ref_name }}
url: http://default-ingress-1165108808.us-west-2.elb.amazonaws.com/swagger

steps:

- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Check Dispatch ID
run: |
if [[ "${{ github.event.client_payload.dispatch_id }}" == "${{ secrets.DISPATCH_ID }}" ]]; then
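Review bot: `environment.name` is now taken from `github.event.client_payload.ref_name`. Environment protection rules (required reviewers, deployment branch restrictions, environment-scoped secrets) are attached to a named environment, so whatever protected the fixed `production` environment now applies only when the payload happens to say `production`; any other string creates a fresh, unprotected environment on the fly. Either keep `name: production` and use the payload only for `url`, or make the dispatcher unable to send anything but a known name (docker-publish.yml only fires on `release`, but that is convention, not enforcement). The `url` is also a plain `http://` link to a public ELB hostname serving `/swagger`; if the ingress serves TLS, use the `https://` form so the environment link does not point at a cleartext endpoint.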
@@ -32,24 +45,26 @@ jobs:
fi

- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Install AWS CLI
run: |
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
aws --version
# curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
# unzip awscliv2.zip
# sudo ./aws/install
# aws --version

- name: Configure AWS credentials
uses: aws-actions/[email protected].1
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}

- name: Configure kubectl via Secret Env
run: |
- name: Configure kubectl
run: |
aws --version
echo ${{ secrets.KUBECONFIG }} > ${{ github.workspace }}/kubeconfig
export KUBECONFIG=${{ github.workspace }}/kubeconfig
echo $KUBECONFIG
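Review bot: three points in this hunk. First, delete the commented-out AWS CLI install block rather than keeping it; `aws --version` in the next step already proves the runner image ships the CLI, and dead script in a deploy job invites someone to uncomment a `curl` of an unverified zip followed by `sudo ./aws/install`. Second, `configure-aws-credentials` is now SHA-pinned, good, but it is still fed long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets; the action supports `role-to-assume` with GitHub OIDC (the job would need `id-token: write`), which removes the static keys entirely. Third, `echo ${{ secrets.KUBECONFIG }} > …/kubeconfig` interpolates the secret into the script unquoted, so it is subject to word splitting and globbing, and a multi-line value would break the script; pass it in via `env:` and write it with `printf '%s' "$KUBECONFIG_DATA" > "$GITHUB_WORKSPACE/kubeconfig"`, then `chmod 600` the file before exporting `KUBECONFIG`.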
15 changes: 10 additions & 5 deletions .github/workflows/docker-publish.yml
@@ -36,18 +36,23 @@ jobs:
id-token: write

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

# add problem matchers
- name: Add Problem Matchers
uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master
uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master

# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: cosign-installer
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0

# Workaround: https://github.com/docker/build-push-action/issues/461
- name: Setup Docker buildx
@@ -67,7 +72,7 @@ jobs:
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
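Review bot: `docker/metadata-action@8e5442c4…` is the only pin in this file without a trailing version comment; the commit list identifies it as 5.5.1, so add `# v5.5.1` to match the convention on every other `uses:` here. Without the comment a reader has to resolve the SHA by hand to learn what version is running.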
@@ -106,8 +111,8 @@ jobs:

- name: Trigger Deploy and Release Workflows
if: github.ref_name == 'release' && github.event_name == 'push'
uses: peter-evans/[email protected]
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
with:
repository: ${{ github.repository }}
event-type: trigger_deploy_release_event
client-payload: '{"ref": "${{ github.ref_name }}", "dispatch_id": "${{ secrets.DISPATCH_ID }}"}'
client-payload: '{"ref_name": "${{ github.ref_name }}", "dispatch_id": "${{ secrets.DISPATCH_ID }}"}'
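Review bot: renaming the payload key from `ref` to `ref_name` is a contract change with two consumers. deploy-eks.yml in this PR reads `client_payload.ref_name`, but the create-release.yml hunk here only shows the `dispatch_id` check, so confirm that any `client_payload.ref` reference in that workflow was updated as well, or the release job will see an empty value. On the payload itself, `dispatch_id` is a shared secret carried in `client_payload`; it adds little beyond what `repository_dispatch` already requires, since only a token with write access can send the event at all, and on the receiving side it is compared inside an interpolated shell expression rather than via an environment variable.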
15 changes: 10 additions & 5 deletions .github/workflows/docker-scout-scan.yml
@@ -42,12 +42,17 @@ jobs:
if: github.event_name != 'pull_request' || github.base_ref != 'development' || github.head_ref == 'nam20485'

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

# add problem matchers
- name: Add Problem Matchers
uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master
uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master

# # Install the cosign tool except on PR
# # https://github.com/sigstore/cosign-installer
@@ -83,7 +88,7 @@ jobs:
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
with:
images: ${{ env.IMAGE_NAME }}
tags: |
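Review bot: same gap as in docker-publish.yml: `docker/metadata-action@8e5442c4…` is pinned by SHA but has no `# v5.5.1` version comment, unlike the other `uses:` lines in this file; add it.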
@@ -128,7 +133,7 @@ jobs:
- name: Analyze for critical and high CVEs
id: docker-scout-cves
# if: ${{ github.event_name != 'pull_request_target' }}
uses: docker/scout-action@42a6acc319ac229f86e12bfca3b83de09fb058be # v1.3.0
uses: docker/scout-action@4a5494eb7c2b3d712b805ee65ad57a0371d50874 # v1.4.1
with:
command: cves,recommendations
image: ${{ steps.meta.outputs.tags }}
@@ -138,14 +143,14 @@ jobs:

- name: Upload SARIF result
id: upload-sarif
uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
with:
sarif_file: sarif.output.json

- name: Docker Scout Compare to Latest
id: docker-scout
if: ${{ github.event_name == 'pull_request' }}
uses: docker/scout-action@42a6acc319ac229f86e12bfca3b83de09fb058be # v1.3.0
uses: docker/scout-action@4a5494eb7c2b3d712b805ee65ad57a0371d50874 # v1.4.1
with:
command: compare
image: ${{ steps.meta.outputs.tags }}
64 changes: 64 additions & 0 deletions .github/workflows/jekyll-gh-pages.yml
@@ -0,0 +1,64 @@
# Sample workflow for building and deploying a Jekyll site to GitHub Pages
name: Deploy Jekyll with GitHub Pages dependencies preinstalled

on:
# Runs on pushes targeting the default branch
push:
branches: ["release"]

# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:

# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
contents: read
pages: write
id-token: write

# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
concurrency:
group: "pages"
cancel-in-progress: false

jobs:
# Build job
build:
runs-on: ubuntu-22.04
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Setup Pages
uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0

- name: Build with Jekyll
uses: actions/jekyll-build-pages@3ef60073fe85b3ccba7e900c2ebf9d7542dc7a8f # v1.0.11
with:
source: ./docs
destination: ./_site

- name: Upload artifact
uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1

# Deployment job
deploy:
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-latest
needs: build
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit

- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4.0.4
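Review bot: the comment on the `push` trigger says "Runs on pushes targeting the default branch" but the filter is `branches: ["release"]`, and this PR merges into `main`; make the comment and the filter agree, because the sample-workflow comment is what a future reader will trust. The `build` job pins `ubuntu-22.04` while `deploy` uses `ubuntu-latest`; pick one, preferably the pinned image. `pages: write` plus `id-token: write` is the minimum `deploy-pages` needs, but `build` needs neither; moving that block from workflow level to the `deploy` job leaves the Jekyll build over `./docs` with `contents: read` only. Every action is SHA-pinned with a version comment and Harden Runner is present in both jobs; that part is as it should be.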