From 105ee66c7dde64ef834a4704928820604c167a96 Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Fri, 9 Feb 2024 12:07:14 +0100 Subject: [PATCH 1/8] update --- .github/workflows/container.yml | 15 +++++++-------- .github/workflows/security-dependencies.yml | 2 +- .github/workflows/security.yml | 8 ++++---- .gitignore | 6 ++---- 4 files changed, 14 insertions(+), 17 deletions(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index d58f096..5400b3a 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -1,4 +1,3 @@ -# TODO: Experimental feature name: 'CD -> Container' on: workflow_dispatch: @@ -7,7 +6,7 @@ on: concurrency: group: '${{ github.workflow }}-${{ github.ref }}' - cancel-in-progress: true + cancel-in-progress: false permissions: contents: read @@ -26,9 +25,9 @@ jobs: steps: - name: 'Harden Runner' - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: - egress-policy: audit + policy: cd-container - name: 'Checkout' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -52,13 +51,13 @@ jobs: - name: 'Build image' id: build_image - uses: redhat-actions/buildah-build@c79846fb306beeba490e89fb75d2d1af95831e79 # master (Update to node20) + uses: redhat-actions/buildah-build@c79846fb306beeba490e89fb75d2d1af95831e79 # master (update to node20) with: - containerfiles: ./Containerfile + containerfiles: Containerfile image: ${{ env.IMAGE_NAME }} - platforms: linux/amd64, linux/arm64 + platforms: 'linux/amd64, linux/arm64' tags: ${{ steps.setup_tags.outputs.build_tags }} - oci: false + oci: true - name: 'Push to GHCR' uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1 diff --git a/.github/workflows/security-dependencies.yml b/.github/workflows/security-dependencies.yml index 34e6cd9..f46aa8b 100644 
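Review bot: Replacing `egress-policy: audit` with `policy: cd-container` moves the job's effective egress rules out of the repository into the StepSecurity policy store, so the diff no longer shows whether egress is audited or blocked, or which hosts the build and push steps are allowed to reach. Keep that reviewable in-repo with a comment on the input, e.g. `policy: cd-container  # StepSecurity policy-store entry; enforces <egress mode> for <allowed hosts>` (filled in to match what the store actually enforces). The same change is made twice in security.yml in this commit (`policy: ci-security`), while security-dependencies.yml keeps `egress-policy: audit`; if that asymmetry is deliberate, a short comment there would help the next reader.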
--- a/.github/workflows/security-dependencies.yml +++ b/.github/workflows/security-dependencies.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Harden Runner' - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: egress-policy: audit diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 0a387a6..17bfa62 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -20,9 +20,9 @@ jobs: steps: - name: 'Harden Runner' - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: - egress-policy: audit + policy: ci-security - name: 'Checkout' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -46,9 +46,9 @@ jobs: steps: - name: 'Harden Runner' - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 with: - egress-policy: audit + policy: ci-security - name: 'Checkout' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 diff --git a/.gitignore b/.gitignore index ef2344d..f63d212 100644 --- a/.gitignore +++ b/.gitignore @@ -83,10 +83,8 @@ web_modules/ # dotenv environment variable files .env -.env.development.local -.env.test.local -.env.production.local -.env.local +.env.* +!.env.example # parcel-bundler cache (https://parceljs.org/) .cache From 2470af4fb73e412f6ecac2a0fc20cf180c3cd331 Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Fri, 9 Feb 2024 12:16:37 +0100 Subject: [PATCH 2/8] update permissions --- .github/workflows/security.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 17bfa62..f96bad4 100644 
--- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -17,6 +17,7 @@ jobs: runs-on: ubuntu-latest permissions: security-events: write + id-token: write steps: - name: 'Harden Runner' From a8586ff63cc155811698d0357bc2e877dc97ccc2 Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Fri, 9 Feb 2024 12:24:40 +0100 Subject: [PATCH 3/8] add missing permission to container.yml --- .github/workflows/container.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 5400b3a..1a57187 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -17,6 +17,7 @@ jobs: name: 'Build container image' runs-on: ubuntu-latest permissions: + id-token: write packages: write env: From 5c75c92c8cf29d4490fdadd1481dac95600f5b42 Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Fri, 9 Feb 2024 12:38:19 +0100 Subject: [PATCH 4/8] use archs instead --- .github/workflows/container.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 1a57187..b21d525 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -56,7 +56,7 @@ jobs: with: containerfiles: Containerfile image: ${{ env.IMAGE_NAME }} - platforms: 'linux/amd64, linux/arm64' + archs: 'amd64, arm64' tags: ${{ steps.setup_tags.outputs.build_tags }} oci: true From ef13552f91df937a811a4a58ac08fce8dc65e1fc Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Fri, 9 Feb 2024 12:50:56 +0100 Subject: [PATCH 5/8] cache layers --- .github/workflows/container.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index b21d525..77c2417 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml 
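Review bot: `id-token: write` is added to the codeql job, but no step visible in this hunk or elsewhere in the workflow diff (checkout, codeql init/analyze) is shown consuming an OIDC token, and the permission lets any step in the job mint one. If it is needed by harden-runner's named-policy lookup introduced in the previous commit, say so on the line, e.g. `id-token: write  # required by harden-runner policy-store lookup`; otherwise drop it. Patch 3 adds the same line to the build job in container.yml, where `push-to-registry` authenticates with `secrets.GITHUB_TOKEN` through `packages: write` and likewise shows no OIDC consumer. Note also that a job-level `permissions` block replaces the workflow-level `read-all`, so this job appears to run without `contents: read`; that predates this commit, but if the repository is private `actions/checkout` will need it.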
@@ -54,11 +54,12 @@ jobs: id: build_image uses: redhat-actions/buildah-build@c79846fb306beeba490e89fb75d2d1af95831e79 # master (update to node20) with: + archs: 'amd64, arm64' containerfiles: Containerfile image: ${{ env.IMAGE_NAME }} - archs: 'amd64, arm64' - tags: ${{ steps.setup_tags.outputs.build_tags }} + layers: true oci: true + tags: ${{ steps.setup_tags.outputs.build_tags }} - name: 'Push to GHCR' uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1 From e16cb5a3c8018f70c71a55c0cbe0d312fc34642c Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Fri, 9 Feb 2024 20:23:30 +0100 Subject: [PATCH 6/8] fix CI/CD --- .github/workflows/container.yml | 28 +++++++++++---------- .github/workflows/security-dependencies.yml | 3 ++- .github/workflows/security.yml | 28 +++++++++++++++------ 3 files changed, 38 insertions(+), 21 deletions(-) diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 77c2417..1c8c57b 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -2,10 +2,11 @@ name: 'CD -> Container' on: workflow_dispatch: push: - branches: ['stable'] + branches: + - stable concurrency: - group: '${{ github.workflow }}-${{ github.ref }}' + group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: false permissions: @@ -21,8 +22,8 @@ jobs: packages: write env: - REGISTRY: 'ghcr.io' - IMAGE_NAME: '${{ github.repository }}' + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }} steps: - name: 'Harden Runner' @@ -35,10 +36,11 @@ jobs: - name: 'Setup QEMU' run: | - sudo apt-get update && sudo apt-get install -y qemu-user-static + sudo apt-get update + sudo apt-get install -y qemu-user-static - name: 'Setup tags' - id: setup_tags + id: setup-tags run: | TIMESTAMP="$(date +%Y.%m.%d)" SHA_SHORT="${GITHUB_SHA::7}" 
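Review bot: `layers: true` appears to map to buildah's `--layers`, which caches intermediate layers in the runner's local container storage, and nothing in this workflow saves or restores that storage between runs, so on a fresh hosted runner the cache can only help within a single job (for example across the two archs). A comment stating that intent would stop a later reader from assuming cross-run caching, e.g. `layers: true  # intra-run layer reuse only; storage is not persisted across runs`. If cross-run caching was the goal, a save/restore step around the build would be needed, and the restored layers then become a build input that should be keyed on the Containerfile so stale layers are not reused.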
@@ -48,18 +50,18 @@ jobs: TAGS+=("${GITHUB_SHA}") TAGS+=("${TIMESTAMP}-${SHA_SHORT}") - echo "build_tags=${TAGS[*]}" >> $GITHUB_OUTPUT + echo "build-tags=${TAGS[*]}" >> $GITHUB_OUTPUT - name: 'Build image' - id: build_image - uses: redhat-actions/buildah-build@c79846fb306beeba490e89fb75d2d1af95831e79 # master (update to node20) + id: build-image + uses: redhat-actions/buildah-build@c79846fb306beeba490e89fb75d2d1af95831e79 # master with: - archs: 'amd64, arm64' + archs: amd64, arm64 containerfiles: Containerfile image: ${{ env.IMAGE_NAME }} layers: true oci: true - tags: ${{ steps.setup_tags.outputs.build_tags }} + tags: ${{ steps.setup-tags.outputs.build-tags }} - name: 'Push to GHCR' uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1 @@ -68,8 +70,8 @@ jobs: REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} with: - image: ${{ steps.build_image.outputs.image }} - tags: ${{ steps.build_image.outputs.tags }} + image: ${{ steps.build-image.outputs.image }} + tags: ${{ steps.build-image.outputs.tags }} registry: ${{ env.REGISTRY }} username: ${{ env.REGISTRY_USER }} password: ${{ env.REGISTRY_PASSWORD }} diff --git a/.github/workflows/security-dependencies.yml b/.github/workflows/security-dependencies.yml index f46aa8b..045a91e 100644 --- a/.github/workflows/security-dependencies.yml +++ b/.github/workflows/security-dependencies.yml @@ -1,6 +1,7 @@ # TODO: Experimental feature name: 'CI -> Security-Dependencies' -on: [pull_request] +on: + - pull_request permissions: contents: read diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index f96bad4..e7b97b1 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
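Review bot: The version comment on the `buildah-build` pin is shortened to `# master`, dropping the reason the previous comment recorded (the node20 update), so the line now pins an untagged commit with no stated justification. Keep the rationale, e.g. `# master — untagged commit pinned for the node20 runtime; switch to a tagged release once one contains it`. With dependabot configured for github-actions in a later commit of this series, a SHA whose comment names no version may also be harder for the bot (and a human) to map to a release, so the comment matters for automated bumps as well.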
@@ -2,12 +2,20 @@ name: 'CI -> Security' on: schedule: - cron: '33 3 * * 1' + push: - branches: ['dev'] - paths-ignore: ['*.md', '.*ignore'] + branches: + - dev + paths-ignore: + - '*.md' + - '.*ignore' + pull_request: - branches: ['dev'] - paths-ignore: ['*.md', '.*ignore'] + branches: + - dev + paths-ignore: + - '*.md' + - '.*ignore' permissions: read-all @@ -15,6 +23,12 @@ jobs: codeql: name: 'CodeQL analysis' runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + language: + - javascript-typescript + permissions: security-events: write id-token: write @@ -31,12 +45,12 @@ jobs: - name: 'Setup CodeQL' uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 with: - languages: '${{ matrix.language }}' + languages: ${{ matrix.language }} - name: 'Run analysis' uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 with: - category: '/language:javascript-typescript' + category: '/language:${{ matrix.language }}' scoreboard: name: 'Scorecard analysis' @@ -61,7 +75,7 @@ jobs: with: results_file: scoreboard.sarif results_format: sarif - publish_results: true + publish_results: false - name: 'Upload to code-scanning' uses: github/codeql-action/upload-sarif@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 From 934f15c257a5cfadc3a1aecab873408dc7e16731 Mon Sep 17 00:00:00 2001 From: Ivan Gabaldon Date: Fri, 9 Feb 2024 20:24:23 +0100 Subject: [PATCH 7/8] add dependabot --- .github/dependabot.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..7188976 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,14 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: '/' + target-branch: dev + schedule: + interval: weekly + assignees: + - inetol + commit-message: + prefix: GHA + include: scope + labels: + - dependency 
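Review bot: `publish_results: false` stops the Scorecard job from publishing to the OpenSSF Scorecard API, so the repository's public score and badge stop refreshing; if that is intended, record it on the line, e.g. `publish_results: false  # results not published to the Scorecard API; set true once the repo is public`. Publishing is also what requires the scoreboard job to hold `id-token: write`; its `permissions` block is outside this hunk, but if it grants that solely for publishing, the grant can now be dropped.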
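Review bot: `target-branch: dev` makes this entry apply only to version-update pull requests against `dev`; per Dependabot's documented behaviour, security updates for the ecosystem are still raised against the default branch and do not use this entry's labels, assignees or commit-message settings, which is worth a comment, e.g. `target-branch: dev  # version updates only; security updates still target the default branch`. Only the `github-actions` ecosystem is covered, while CodeQL scans `javascript-typescript` and the .gitignore lists parcel and dotenv artefacts, which suggests an npm manifest that would also benefit from an entry; confirm before adding one.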
From e9a5a69afdce6d89523433ac72123dd383b3c9b4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Feb 2024 19:24:54 +0000 Subject: [PATCH 8/8] GHA(deps): Bump github/codeql-action from 3.23.2 to 3.24.0 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.2 to 3.24.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/b7bf0a3ed3ecfa44160715d7c442788f65f0f923...e8893c57a1f3a2b659b6b55564fdfdbbd2982911) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/security.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index e7b97b1..4f60884 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -43,12 +43,12 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: 'Setup CodeQL' - uses: github/codeql-action/init@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 + uses: github/codeql-action/init@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0 with: languages: ${{ matrix.language }} - name: 'Run analysis' - uses: github/codeql-action/analyze@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 + uses: github/codeql-action/analyze@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0 with: category: '/language:${{ matrix.language }}' @@ -78,6 +78,6 @@ jobs: publish_results: false - name: 'Upload to code-scanning' - uses: github/codeql-action/upload-sarif@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 + uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0 with: sarif_file: scoreboard.sarif