
[Dependencies]: Bump step-security/harden-runner from 2.8.1 to 2.9.0 #323


--- # Linting of pull requests
name: "PR: Lint"

# Runs for pull requests targeting `main`. The event is `pull_request` (not
# `pull_request_target`), so the job token is read-only for fork PRs and repository
# secrets are not exposed to them.
on:
  pull_request:
    types:
      - opened
      - edited
      - synchronize
      - reopened
      - ready_for_review
      - unlocked
    branches: [main]

# Least-privilege default for the job token; jobs that need more must widen it themselves.
permissions:
  contents: read

# One run per workflow+ref; a newer push supersedes an in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Attacker-influenced refs (the PR author chooses the head branch name) are routed through
# env so steps read them as `$HEAD_REF` / `$BASE_REF` rather than expanding `${{ }}` into
# script text.
env:
  HEAD_REF: ${{ github.head_ref }}
  BASE_REF: ${{ github.base_ref }}
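jobs:
  # NOTE(review): every job below runs on self-hosted runners for `pull_request` events.
  # `permissions: contents: read` bounds the job token, but it does not bound what code from
  # the PR can do to the runner host. If this repository accepts PRs from forks, confirm the
  # runners are ephemeral/isolated before relying on these checks.
  # NOTE(review): the `uses:` references are version tags. Pinning each third-party action to
  # a full commit SHA (Dependabot keeps SHA pins updated and records the version in a comment)
  # protects against a moved or compromised tag.

  # Prints the PR refs. Only runs on *-template repositories; the real checks below are
  # skipped there.
  info:
    if: endsWith(github.repository, '-template')
    runs-on: [self-hosted, linux]
    steps:
      - name: "Initialise Workspace"
        if: startsWith(runner.name, 'buildagent-')
        shell: bash
        run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
      - name: "Info"
        uses: actions/[email protected]
        with:
          # Read the refs from process.env rather than expanding `${{ env.HEAD_REF }}` into
          # the script text: expression expansion happens before the JavaScript runs, so a
          # PR branch name (chosen by the PR author) containing quotes or parentheses would
          # be injected as code. HEAD_REF/BASE_REF come from the workflow-level `env:`;
          # GITHUB_REPOSITORY/GITHUB_REPOSITORY_OWNER are runner-provided default variables.
          script: |
            core.info(`Branch: ${process.env.HEAD_REF}`);
            core.info(`Base Branch: ${process.env.BASE_REF}`);
            core.info(`Repo: ${process.env.GITHUB_REPOSITORY}`);
            core.info(`Owner: ${process.env.GITHUB_REPOSITORY_OWNER}`);

  # include-JIRA-ticket:
  #   if: github.event.pull_request.draft == false
  #   runs-on: [self-hosted, linux]
  #   steps:
  #     - name: "Initialise Workspace"
  #       if: startsWith(runner.name, 'buildagent-')
  #       shell: bash
  #       run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
  #     - name: "Checkout Source"
  #       uses: actions/[email protected]
  #       with:
  #         fetch-depth: 0
  #         fetch-tags: true
  #     - if: |-
  #         !endsWith(github.repository, '-template')
  #         && !startsWith(github.head_ref, 'release/')
  #         && !startsWith(github.head_ref, 'hotfix/')
  #       uses: seferov/[email protected]
  #       with:
  #         title-regex: '^\[FF\-\d*?\](:)?(\ )'
  #         error-message: 'Add Jira Ticket ID to your title'

  # Fails the PR when CHANGELOG.md is untouched relative to the merge base with main.
  # Dependabot PRs and template repositories are exempt (every step is gated on that).
  include-changelog-entry:
    if: github.event.pull_request.draft == false
    runs-on: [self-hosted, linux]
    steps:
      - name: "Initialise Workspace"
        if: startsWith(runner.name, 'buildagent-')
        shell: bash
        run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
      - name: "Checkout Source"
        if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template'))
        uses: actions/[email protected]
        with:
          # Full history is required for `--merge-base origin/main` below.
          fetch-depth: 0
          fetch-tags: true
      - name: "Diff Changes"
        if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template'))
        shell: bash
        # CHANGES=0 when the file is unchanged, otherwise git's exit code (1 for a diff).
        run: echo "CHANGES=$(git diff --exit-code --no-patch --merge-base origin/main CHANGELOG.md 2> /dev/null && echo 0 || echo $?)" >> "$GITHUB_ENV"
      - name: "Report unchanged"
        if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template')) && env.CHANGES == '0'
        uses: actions/[email protected]
        with:
          script: |
            core.setFailed('Changelog has not changed')

  # Checks that the CHANGELOG entry was added under the Unreleased section, using the
  # Credfeto.ChangeLog.Cmd dotnet tool.
  change-log-entry-is-in-unreleased:
    if: github.event.pull_request.draft == false
    # As LibGit2Sharp doesn't work on 20.04
    runs-on: [self-hosted, linux]
    steps:
      # Runs before harden-runner on purpose: `disable-sudo` below would otherwise block it.
      - name: "Initialise Workspace"
        if: startsWith(runner.name, 'buildagent-')
        shell: bash
        run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
      - name: "Harden Security"
        uses: step-security/[email protected]
        with:
          # NOTE(review): `allowed-endpoints` is only enforced under `egress-policy: block`;
          # in `audit` mode the list is reported, not applied. This job also reaches the
          # .NET / NuGet download hosts (and the BaGet caches from `vars`), none of which are
          # listed here, so add the hosts shown in the audit output before switching to block.
          # NOTE(review): harden-runner documents support for GitHub-hosted and ARC runners;
          # check the step log on these self-hosted runners to confirm it actually activates.
          egress-policy: audit
          disable-sudo: true
          allowed-endpoints: >
            api.github.com:443
            api.osv.dev:443
            api.securityscorecards.dev:443
            codeload.github.com:443
            fulcio.sigstore.dev:443
            github.com:443
            oss-fuzz-build-logs.storage.googleapis.com:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            www.bestpractices.dev:443
      - name: "Checkout Source"
        uses: actions/[email protected]
        with:
          fetch-depth: 0
          fetch-tags: true
      - name: "Get version from global.json"
        if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template'))
        uses: credfeto/[email protected]
        with:
          file: src/global.json
          fallback: 8.0.*
      - name: "Install dotnet"
        if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template'))
        uses: actions/[email protected]
        # The push-capable SOURCE_PUSH_TOKEN was previously passed here as GITHUB_TOKEN.
        # setup-dotnet downloads from the .NET CDN and does not read GITHUB_TOKEN, so the
        # secret was exposed to a step that cannot use it; if a token is ever needed, prefer
        # `${{ github.token }}` (read-only here) over a PAT.
        env:
          # NOTE(review): `DDOTNET_ROOT` (double D) looks like a typo for DOTNET_ROOT; it is
          # harmless because setup-dotnet exports DOTNET_ROOT itself, but confirm intent.
          DDOTNET_ROOT: "${{github.workspace}}/.dotnet/${{github.sha}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}"
          DOTNET_INSTALL_DIR: "${{github.workspace}}/.dotnet/${{github.sha}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}"
          DOTNET_MULTILEVEL_LOOKUP: "false"
          DOTNET_NOLOGO: "true"
          DOTNET_PRINT_TELEMETRY_MESSAGE: "false"
          DOTNET_JitCollect64BitCounts: "1"
          DOTNET_ReadyToRun: "0"
          DOTNET_TC_QuickJitForLoops: "1"
          DOTNET_TC_CallCountingDelayMs: "0"
          DOTNET_TieredPGO: "1"
          MSBUILDTERMINALLOGGER: "auto"
        with:
          dotnet-version: |
            6.0.*
            7.0.*
            8.0.*
            ${{env.DOTNET_VERSION}}
      - name: "Check Runner details"
        uses: actions/[email protected]
        with:
          script: |
            core.info('Name: ${{runner.name}}');
            core.info('OS: ${{runner.os}}');
      - name: "Enable Local nuget feeds if caching"
        if: startsWith(runner.name, 'buildagent-')
        id: nuget-local-cache
        shell: bash
        # Repository variables are passed in via env and read as shell variables instead of
        # being expanded with `${{ vars.* }}` inside the script body.
        env:
          NUGET_BAGET_CACHE: ${{vars.NUGET_BAGET_CACHE}}
          PRERELEASE_BAGET_CACHE: ${{vars.PRERELEASE_BAGET_CACHE}}
          RELEASE_BAGET_CACHE: ${{vars.RELEASE_BAGET_CACHE}}
        run: |
          {
            echo "NUGET_BAGET_CACHE=$NUGET_BAGET_CACHE"
            echo "PRERELEASE_BAGET_CACHE=$PRERELEASE_BAGET_CACHE"
            echo "RELEASE_BAGET_CACHE=$RELEASE_BAGET_CACHE"
          } >> "$GITHUB_OUTPUT"
      # NOTE(review): the two local composite actions below are taken from the PR's checkout,
      # so a PR can change what they do on this runner. Review changes under .github/actions
      # with the same care as the workflow itself.
      - name: "Configure nuget feeds"
        if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template'))
        uses: ./.github/actions/nuget
        with:
          NUGET_PUBLIC_RESTORE_FEED_CACHE: ${{steps.nuget-local-cache.outputs.NUGET_BAGET_CACHE}}
          NUGET_PUBLIC_RESTORE_FEED: ${{vars.NUGET_PUBLIC_RESTORE_FEED}}
          NUGET_ADDITIONAL_RESTORE_FEED_RELEASE_CACHE: ${{steps.nuget-local-cache.outputs.RELEASE_BAGET_CACHE}}
          NUGET_ADDITIONAL_RESTORE_FEED_PRERELEASE_CACHE: ""
          NUGET_ADDITIONAL_RESTORE_FEED_RELEASE: ${{vars.NUGET_ADDITIONAL_RESTORE_FEED_RELEASE}}
          NUGET_ADDITIONAL_RESTORE_FEED_PRERELEASE: ""
      - name: "Enable dotnet tools"
        if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template'))
        shell: bash
        run: dotnet new tool-manifest
        env:
          DDOTNET_ROOT: "${{github.workspace}}/.dotnet/${{github.sha}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}"
          DOTNET_INSTALL_DIR: "${{github.workspace}}/.dotnet/${{github.sha}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}"
          DOTNET_MULTILEVEL_LOOKUP: "false"
          DOTNET_NOLOGO: "true"
          DOTNET_PRINT_TELEMETRY_MESSAGE: "false"
          DOTNET_JitCollect64BitCounts: "1"
          DOTNET_ReadyToRun: "0"
          DOTNET_TC_QuickJitForLoops: "1"
          DOTNET_TC_CallCountingDelayMs: "0"
          DOTNET_TieredPGO: "1"
          MSBUILDTERMINALLOGGER: "auto"
      - name: "Install Changelog tool"
        if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template'))
        uses: ./.github/actions/dotnet-tool
        with:
          TOOL_NAME: Credfeto.ChangeLog.Cmd
          # NOTE(review): `latest` resolves to whatever the feed serves at run time; pinning a
          # version (or restoring from the tool manifest) makes the check reproducible.
          TOOL_VERSION: latest
      - name: "Check Changelog"
        if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template'))
        shell: bash
        # Uses the workflow-level BASE_REF env var instead of expanding `${{ github.base_ref }}`
        # into the command line (same value; `branches: [main]` restricts it to `main`).
        run: dotnet changelog --changelog CHANGELOG.md --check-insert "origin/$BASE_REF"
        env:
          DDOTNET_ROOT: "${{github.workspace}}/.dotnet/${{github.sha}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}"
          DOTNET_INSTALL_DIR: "${{github.workspace}}/.dotnet/${{github.sha}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}"
          DOTNET_MULTILEVEL_LOOKUP: "false"
          DOTNET_NOLOGO: "true"
          DOTNET_PRINT_TELEMETRY_MESSAGE: "false"
          DOTNET_JitCollect64BitCounts: "1"
          DOTNET_ReadyToRun: "0"
          DOTNET_TC_QuickJitForLoops: "1"
          DOTNET_TC_CallCountingDelayMs: "0"
          DOTNET_TieredPGO: "1"
          MSBUILDTERMINALLOGGER: "auto"

  # Scans the full git history for committed secrets with gitleaks.
  does-not-contain-secrets:
    if: github.event.pull_request.draft == false
    runs-on: [self-hosted, linux]
    steps:
      - name: "Initialise Workspace"
        if: startsWith(runner.name, 'buildagent-')
        shell: bash
        run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
      - name: "Harden Security"
        uses: step-security/[email protected]
        with:
          # Audit only: the allow-list is reported, not enforced (see the note on the first
          # Harden Security step above).
          egress-policy: audit
          disable-sudo: true
          allowed-endpoints: >
            api.github.com:443
            api.osv.dev:443
            api.securityscorecards.dev:443
            codeload.github.com:443
            fulcio.sigstore.dev:443
            github.com:443
            oss-fuzz-build-logs.storage.googleapis.com:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            www.bestpractices.dev:443
      - name: "Checkout Source"
        uses: actions/[email protected]
        with:
          # Full history so gitleaks scans every commit, not just the PR head.
          fetch-depth: 0
          fetch-tags: true
      - name: "Check for leaks"
        uses: DariuszPorowski/[email protected]
        id: gitleaks
        with:
          # NOTE(review): the config comes from the PR's checkout, so a PR can relax the rules
          # it is scanned with; treat changes to .gitleaks.toml as security-relevant in review.
          config: .gitleaks.toml
          report_format: "sarif"
          fail: true
          # Keep `redact: true`: findings are printed to a log readable by anyone who can see
          # the run.
          redact: true
          verbose: true
          log_level: info

  # Fails when the PR branch has unresolved merge conflict markers / cannot merge.
  has-no-merge-conflicts:
    if: github.event.pull_request.draft == false
    runs-on: [self-hosted, linux]
    steps:
      - name: "Initialise Workspace"
        if: startsWith(runner.name, 'buildagent-')
        shell: bash
        run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
      - name: "Harden Security"
        uses: step-security/[email protected]
        with:
          # Audit only: the allow-list is reported, not enforced.
          egress-policy: audit
          disable-sudo: true
          allowed-endpoints: >
            api.github.com:443
            api.osv.dev:443
            api.securityscorecards.dev:443
            codeload.github.com:443
            fulcio.sigstore.dev:443
            github.com:443
            oss-fuzz-build-logs.storage.googleapis.com:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            www.bestpractices.dev:443
      - name: "Checkout Source"
        uses: actions/[email protected]
        with:
          fetch-depth: 0
          fetch-tags: true
      - name: "Check for merge conflicts"
        uses: olivernybroe/[email protected]

  # Fails when two paths differ only by case (breaks checkouts on case-insensitive systems).
  has-no-file-or-folder-case-sensitivity-issues:
    if: github.event.pull_request.draft == false
    runs-on: [self-hosted, linux]
    steps:
      - name: "Initialise Workspace"
        if: startsWith(runner.name, 'buildagent-')
        shell: bash
        run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
      - name: "Harden Security"
        uses: step-security/[email protected]
        with:
          # Audit only: the allow-list is reported, not enforced.
          egress-policy: audit
          disable-sudo: true
          allowed-endpoints: >
            api.github.com:443
            api.osv.dev:443
            api.securityscorecards.dev:443
            codeload.github.com:443
            fulcio.sigstore.dev:443
            github.com:443
            oss-fuzz-build-logs.storage.googleapis.com:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            www.bestpractices.dev:443
      - name: "Checkout Source"
        uses: actions/[email protected]
        with:
          fetch-depth: 0
          fetch-tags: true
      - name: "Check for case conflicts"
        uses: credfeto/[email protected]

  # Fails when files matched by .gitignore have nevertheless been committed.
  no-ignored-files:
    if: github.event.pull_request.draft == false
    runs-on: [self-hosted, linux]
    steps:
      - name: "Initialise Workspace"
        if: startsWith(runner.name, 'buildagent-')
        shell: bash
        run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
      - name: "Harden Security"
        uses: step-security/[email protected]
        with:
          # Audit only: the allow-list is reported, not enforced.
          egress-policy: audit
          disable-sudo: true
          allowed-endpoints: >
            api.github.com:443
            api.osv.dev:443
            api.securityscorecards.dev:443
            codeload.github.com:443
            fulcio.sigstore.dev:443
            github.com:443
            oss-fuzz-build-logs.storage.googleapis.com:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            www.bestpractices.dev:443
      - name: "Checkout Source"
        uses: actions/[email protected]
        with:
          fetch-depth: 0
          fetch-tags: true
      - name: "Check for ignored files"
        uses: credfeto/[email protected]

  dependency-review:
    # Check that there are no dependencies with security problems in the PR
    if: github.event.pull_request.draft == false
    runs-on: [self-hosted, linux]
    steps:
      - name: "Initialise Workspace"
        if: startsWith(runner.name, 'buildagent-')
        shell: bash
        run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
      - name: "Harden Security"
        uses: step-security/[email protected]
        with:
          # Audit only: the allow-list is reported, not enforced.
          egress-policy: audit
          disable-sudo: true
          allowed-endpoints: >
            api.github.com:443
            api.osv.dev:443
            api.securityscorecards.dev:443
            codeload.github.com:443
            fulcio.sigstore.dev:443
            github.com:443
            oss-fuzz-build-logs.storage.googleapis.com:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            www.bestpractices.dev:443
      - name: "Check repo visibility"
        uses: credfeto/[email protected]
        id: visibility
        with:
          # optional parameter defaults to the current repo
          repository: ${{github.repository}}
          # optional parameter defaults to the current user
          token: ${{github.token}}
      # The review only runs on public repositories — presumably because the dependency
      # graph API used by dependency-review-action is not available on private repositories
      # without additional licensing (confirm). Private repositories therefore get no
      # vulnerable-dependency gate from this workflow.
      - name: "Checkout Source"
        if: steps.visibility.outputs.is_public == 'true'
        uses: actions/[email protected]
        with:
          fetch-depth: 0
          fetch-tags: true
      - name: 'Dependency Review'
        if: steps.visibility.outputs.is_public == 'true'
        uses: actions/[email protected]

  no-merge-commits:
    # Check that there are no merge commits in the PR
    if: github.event.pull_request.draft == false
    runs-on: [self-hosted, linux]
    steps:
      - name: "Initialise Workspace"
        if: startsWith(runner.name, 'buildagent-')
        shell: bash
        run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
      - name: "Harden Security"
        uses: step-security/[email protected]
        with:
          # Audit only: the allow-list is reported, not enforced.
          egress-policy: audit
          disable-sudo: true
          allowed-endpoints: >
            api.github.com:443
            api.osv.dev:443
            api.securityscorecards.dev:443
            codeload.github.com:443
            fulcio.sigstore.dev:443
            github.com:443
            oss-fuzz-build-logs.storage.googleapis.com:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            www.bestpractices.dev:443
      - name: "Checkout Source"
        uses: actions/[email protected]
        with:
          fetch-depth: 0
          fetch-tags: true
      - name: "Check for merge commits"
        uses: greenled/[email protected]

  # Runs super-linter over the files changed in the PR; skipped for release/hotfix branches.
  lint-code:
    if: |-
      github.event.pull_request.draft == false &&
      ( !startsWith(github.head_ref, 'release/') && !startsWith(github.head_ref, 'hotfix/') )
    runs-on: [self-hosted, linux]
    # super-linter's MULTI_STATUS only needs to write commit statuses. Grant that to the job
    # token instead of handing a push-capable PAT (SOURCE_PUSH_TOKEN) to a step that
    # executes on PR content. For fork PRs the token is read-only regardless, which matches
    # the old behaviour (secrets were not available to forks either).
    permissions:
      contents: read
      statuses: write
    steps:
      - name: "Initialise Workspace"
        if: startsWith(runner.name, 'buildagent-')
        shell: bash
        run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
      - name: "Harden Security"
        uses: step-security/[email protected]
        with:
          # Audit only: the allow-list is reported, not enforced.
          egress-policy: audit
          disable-sudo: true
          allowed-endpoints: >
            api.github.com:443
            api.osv.dev:443
            api.securityscorecards.dev:443
            codeload.github.com:443
            fulcio.sigstore.dev:443
            github.com:443
            oss-fuzz-build-logs.storage.googleapis.com:443
            rekor.sigstore.dev:443
            tuf-repo-cdn.sigstore.dev:443
            www.bestpractices.dev:443
      - name: "Checkout Source"
        uses: actions/[email protected]
        with:
          # Full history is needed for super-linter to diff against DEFAULT_BRANCH when
          # VALIDATE_ALL_CODEBASE is false.
          fetch-depth: 0
          fetch-tags: true
      - name: "Run Linter"
        # NOTE(review): `@v6` is a floating major tag, unlike every other action in this file,
        # which is pinned to an exact release. Pin to a full commit SHA (Dependabot can still
        # bump it) so a moved tag cannot change what runs on these runners.
        uses: github/super-linter@v6
        env:
          DEFAULT_BRANCH: main
          GITHUB_TOKEN: ${{ github.token }}
          MULTI_STATUS: true
          VALIDATE_ALL_CODEBASE: false
          VALIDATE_ANSIBLE: true
          VALIDATE_BASH: true
          VALIDATE_CSS: true
          VALIDATE_ENV: true
          VALIDATE_DOCKERFILE: true
          VALIDATE_DOCKERFILE_HADOLINT: true
          VALIDATE_GITHUB_ACTIONS: true
          VALIDATE_JSON: true
          VALIDATE_MD: true
          VALIDATE_POWERSHELL: true
          VALIDATE_PYTHON: true
          VALIDATE_PYTHON_PYLINT: true
          VALIDATE_SQL: true
          VALIDATE_TYPESCRIPT_ES: true
          VALIDATE_XML: true
          VALIDATE_YAML: true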