From 12782b93fdf3703d3d1341190099da6ffe3b60d3 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 30 Apr 2024 03:30:11 +0000
Subject: [PATCH 1/3] [Dependencies]: Bump step-security/harden-runner from 2.7.0 to 2.7.1
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.7.0 to 2.7.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](https://github.com/step-security/harden-runner/compare/v2.7.0...v2.7.1)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/approve-dependabot.yml | 8 ++++----
 .../workflows/build-and-publish-pre-release.yml | 2 +-
 .github/workflows/build-and-publish-release.yml | 2 +-
 .../workflows/create-prs-for-stale-branches.yml | 2 +-
 .github/workflows/dependabot.yml | 2 +-
 .github/workflows/dotnet-version.yml | 2 +-
 .github/workflows/merge-dependabot.yml | 2 +-
 .github/workflows/on-pr-closed.yml | 2 +-
 .github/workflows/pr-lint.yml | 16 ++++++++--------
 .github/workflows/pr-update.yml | 6 +++---
 .github/workflows/pull-request.yml | 2 +-
 .github/workflows/reformat-sql.yml | 2 +-
 .github/workflows/reformat-yaml.yml | 2 +-
 .github/workflows/update-labels.yml | 2 +-
 14 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/approve-dependabot.yml b/.github/workflows/approve-dependabot.yml
index 73897239..358c24ea 100644
--- a/.github/workflows/approve-dependabot.yml
+++ b/.github/workflows/approve-dependabot.yml
@@ -35,7 +35,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
@@ -84,7 +84,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
@@ -131,7 +131,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
@@ -178,7 +178,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
diff --git a/.github/workflows/build-and-publish-pre-release.yml b/.github/workflows/build-and-publish-pre-release.yml
index 136d8f11..9bb8006a 100644
--- a/.github/workflows/build-and-publish-pre-release.yml
+++ b/.github/workflows/build-and-publish-pre-release.yml
@@ -33,7 +33,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: block
 disable-sudo: true
diff --git a/.github/workflows/build-and-publish-release.yml b/.github/workflows/build-and-publish-release.yml
index 4987bbb1..4f9c076f 100644
--- a/.github/workflows/build-and-publish-release.yml
+++ b/.github/workflows/build-and-publish-release.yml
@@ -27,7 +27,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: block
 disable-sudo: true
diff --git a/.github/workflows/create-prs-for-stale-branches.yml b/.github/workflows/create-prs-for-stale-branches.yml
index abd530c9..f0c1321f 100644
--- a/.github/workflows/create-prs-for-stale-branches.yml
+++ b/.github/workflows/create-prs-for-stale-branches.yml
@@ -74,7 +74,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index cf860eb1..70f5d5ce 100644
--- a/.github/workflows/dependabot.yml
+++ b/.github/workflows/dependabot.yml
@@ -23,7 +23,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
diff --git a/.github/workflows/dotnet-version.yml b/.github/workflows/dotnet-version.yml
index b303e74d..e8332a27 100644
--- a/.github/workflows/dotnet-version.yml
+++ b/.github/workflows/dotnet-version.yml
@@ -28,7 +28,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
diff --git a/.github/workflows/merge-dependabot.yml b/.github/workflows/merge-dependabot.yml
index eb65d0a8..c9c2ae79 100644
--- a/.github/workflows/merge-dependabot.yml
+++ b/.github/workflows/merge-dependabot.yml
@@ -42,7 +42,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
diff --git a/.github/workflows/on-pr-closed.yml b/.github/workflows/on-pr-closed.yml
index 7b5a6e7f..4e8e797a 100644
--- a/.github/workflows/on-pr-closed.yml
+++ b/.github/workflows/on-pr-closed.yml
@@ -15,7 +15,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml
index 85b0e6a5..e9568b4f 100644
--- a/.github/workflows/pr-lint.yml
+++ b/.github/workflows/pr-lint.yml
@@ -96,7 +96,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
@@ -228,7 +228,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
@@ -271,7 +271,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
@@ -306,7 +306,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
@@ -341,7 +341,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
@@ -377,7 +377,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
@@ -424,7 +424,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
@@ -461,7 +461,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
diff --git a/.github/workflows/pr-update.yml b/.github/workflows/pr-update.yml
index 2555b917..5a3fc286 100644
--- a/.github/workflows/pr-update.yml
+++ b/.github/workflows/pr-update.yml
@@ -26,7 +26,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
@@ -67,7 +67,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
@@ -104,7 +104,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index a8636d0c..9b209084 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -54,7 +54,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
diff --git a/.github/workflows/reformat-sql.yml b/.github/workflows/reformat-sql.yml
index 6ff11a72..b71256a8 100644
--- a/.github/workflows/reformat-sql.yml
+++ b/.github/workflows/reformat-sql.yml
@@ -34,7 +34,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
diff --git a/.github/workflows/reformat-yaml.yml b/.github/workflows/reformat-yaml.yml
index 0dbffba9..de3e76c4 100644
--- a/.github/workflows/reformat-yaml.yml
+++ b/.github/workflows/reformat-yaml.yml
@@ -35,7 +35,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
diff --git a/.github/workflows/update-labels.yml b/.github/workflows/update-labels.yml
index bb99c941..c3cb22bd 100644
--- a/.github/workflows/update-labels.yml
+++ b/.github/workflows/update-labels.yml
@@ -24,7 +24,7 @@ jobs:
 run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE"
 - name: "Harden Security"
- uses: step-security/harden-runner@v2.7.0
+ uses: step-security/harden-runner@v2.7.1
 with:
 egress-policy: audit
 disable-sudo: true
From ac23fcd49337c3d64a81f0c2c68db1314257ab6a Mon Sep 17 00:00:00 2001
From: Mark Ridgwell
Date: Tue, 30 Apr 2024 13:58:08 +0100
Subject: [PATCH 2/3] conditional
---
 .../build-and-publish-pre-release.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/.github/workflows/build-and-publish-pre-release.yml b/.github/workflows/build-and-publish-pre-release.yml
index 9bb8006a..26a57c8c 100644
--- a/.github/workflows/build-and-publish-pre-release.yml
+++ b/.github/workflows/build-and-publish-pre-release.yml
@@ -102,6 +102,7 @@ jobs:
 }>> "$GITHUB_OUTPUT"
 - name: "Build and deploy"
+ if: startsWith(runner.name, 'buildagent-')
 uses: ./.github/actions/build
 with:
 PRODUCTION_BUILD: False
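Review bot: The condition added to this step, `if: startsWith(runner.name, 'buildagent-')`, is paired in the next hunk (`@@ -133,6 +134,39 @@`) with `if: !startsWith(runner.name, 'buildagent-')`, and that negated form is a plain YAML scalar beginning with `!`, which YAML reads as a tag indicator; it needs the expression wrapper, `if: ${{ !startsWith(runner.name, 'buildagent-') }}`. The step added there also looks like a line-for-line copy of this one, including every `secrets.*` input, although most of this step's `with:` block lies between the two hunks and is not visible, so confirm before relying on that. If the copies are identical, both branches hand the same signing, NuGet and Octopus credentials to the same action and the split changes nothing; a single unconditional step is simpler. If the runner classes are meant to differ, say so in a comment above each `if:` (for example `# buildagent-* runners only: <what differs>`) and pass each branch only the inputs it needs, keeping in mind that `runner.name` is the name the runner was registered with and is a routing hint, not an access control.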
@@ -133,6 +134,39 @@ jobs:
 REPO_VISIBILITY: ${{env.REPO_STATUS}}
 CREATE_RELEASE: false
+ - name: "Build and deploy"
+ if: !startsWith(runner.name, 'buildagent-')
+ uses: ./.github/actions/build
+ with:
+ PRODUCTION_BUILD: False
+ NPM_PRODUCTION_PACKAGER_VERSION: ${{vars.PRODUCTION_PACKAGER_VERSION}}
+ NPM_CONTENT_PACKAGE_WALLET_PASSWORD: ${{secrets.CONTENT_PACKAGE_WALLET_PASSWORD}}
+ NPM_PACKAGE_STORE_SIGNING_WALLET: ${{secrets.PACKAGE_STORE_SIGNING_WALLET}}
+ NPM_PACKAGE_STORE_SIGNING_WALLET_PASSWORD: ${{secrets.PACKAGE_STORE_SIGNING_WALLET_PASSWORD}}
+ NUGET_PUBLIC_RESTORE_FEED_CACHE: ''
+ NUGET_PUBLIC_RESTORE_FEED: ${{vars.NUGET_PUBLIC_RESTORE_FEED}}
+ NUGET_ADDITIONAL_RESTORE_FEED_RELEASE_CACHE: ''
+ NUGET_ADDITIONAL_RESTORE_FEED_PRERELEASE_CACHE: ''
+ NUGET_ADDITIONAL_RESTORE_FEED_RELEASE: ${{vars.NUGET_ADDITIONAL_RESTORE_FEED_RELEASE}}
+ NUGET_ADDITIONAL_RESTORE_FEED_PRERELEASE: ${{vars.NUGET_ADDITIONAL_RESTORE_FEED_PRERELEASE}}
+ NUGET_PACK: ${{vars.NUGET_PACK}}
+ NUGET_FEED: ${{secrets.NUGET_FEED}}
+ NUGET_SYMBOL_FEED: ${{secrets.NUGET_SYMBOL_FEED}}
+ NUGET_API_KEY: ${{secrets.NUGET_API_KEY}}
+ SLEET_CONFIG: ${{secrets.SLEET_CONFIG}}
+ SLEET_FEED: "dotnet-prerelease"
+ OCTOPUS_SERVER: ${{vars.OCTOPUS_SERVER}}
+ OCTOPUS_SPACE_NAME: ${{vars.OCTOPUS_SPACE}}
+ OCTOPUS_PROJECT: ${{vars.OCTOPUS_PROJECT}}
+ OCTOPUS_CHANNEL: ${{vars.OCTOPUS_PRERELEASE_CHANNEL}}
+ OCTOPUS_DEPLOY_TO: ${{vars.OCTOPUS_DEPLOYTO_PRERELEASE}}
+ OCTOPUS_API_KEY: ${{secrets.OCTOPUS_API_KEY}}
+ OCTOPUS_DEPLOY_PACKAGE: ${{vars.OCTOPUS_DEPLOY_PACKAGE}}
+ OCTOPUS_DEPLOY_PACKAGE_ZIP: ${{vars.OCTOPUS_DEPLOY_PACKAGE_ZIP}}
+ GITHUB_TOKEN: ${{secrets.SOURCE_PUSH_TOKEN}}
+ REPO_VISIBILITY: ${{env.REPO_STATUS}}
+ CREATE_RELEASE: false
+
 - name: "Build Version"
 uses: actions/github-script@v7.0.1
 with:
From a04ce78cfa73473115cc2b1268f62bd4f7b0d552 Mon Sep 17 00:00:00 2001
From: Mark Ridgwell
Date: Tue, 30 Apr 2024 14:13:59 +0100
Subject: [PATCH 3/3] Revert "conditional"
This reverts commit ac23fcd49337c3d64a81f0c2c68db1314257ab6a.
---
 .../build-and-publish-pre-release.yml | 34 -------------------
 1 file changed, 34 deletions(-)
diff --git a/.github/workflows/build-and-publish-pre-release.yml b/.github/workflows/build-and-publish-pre-release.yml
index 26a57c8c..9bb8006a 100644
--- a/.github/workflows/build-and-publish-pre-release.yml
+++ b/.github/workflows/build-and-publish-pre-release.yml
@@ -102,7 +102,6 @@ jobs:
 }>> "$GITHUB_OUTPUT"
 - name: "Build and deploy"
- if: startsWith(runner.name, 'buildagent-')
 uses: ./.github/actions/build
 with:
 PRODUCTION_BUILD: False
@@ -134,39 +133,6 @@ jobs:
 REPO_VISIBILITY: ${{env.REPO_STATUS}}
 CREATE_RELEASE: false
- - name: "Build and deploy"
- if: !startsWith(runner.name, 'buildagent-')
- uses: ./.github/actions/build
- with:
- PRODUCTION_BUILD: False
- NPM_PRODUCTION_PACKAGER_VERSION: ${{vars.PRODUCTION_PACKAGER_VERSION}}
- NPM_CONTENT_PACKAGE_WALLET_PASSWORD: ${{secrets.CONTENT_PACKAGE_WALLET_PASSWORD}}
- NPM_PACKAGE_STORE_SIGNING_WALLET: ${{secrets.PACKAGE_STORE_SIGNING_WALLET}}
- NPM_PACKAGE_STORE_SIGNING_WALLET_PASSWORD: ${{secrets.PACKAGE_STORE_SIGNING_WALLET_PASSWORD}}
- NUGET_PUBLIC_RESTORE_FEED_CACHE: ''
- NUGET_PUBLIC_RESTORE_FEED: ${{vars.NUGET_PUBLIC_RESTORE_FEED}}
- NUGET_ADDITIONAL_RESTORE_FEED_RELEASE_CACHE: ''
- NUGET_ADDITIONAL_RESTORE_FEED_PRERELEASE_CACHE: ''
- NUGET_ADDITIONAL_RESTORE_FEED_RELEASE: ${{vars.NUGET_ADDITIONAL_RESTORE_FEED_RELEASE}}
- NUGET_ADDITIONAL_RESTORE_FEED_PRERELEASE: ${{vars.NUGET_ADDITIONAL_RESTORE_FEED_PRERELEASE}}
- NUGET_PACK: ${{vars.NUGET_PACK}}
- NUGET_FEED: ${{secrets.NUGET_FEED}}
- NUGET_SYMBOL_FEED: ${{secrets.NUGET_SYMBOL_FEED}}
- NUGET_API_KEY: ${{secrets.NUGET_API_KEY}}
- SLEET_CONFIG: ${{secrets.SLEET_CONFIG}}
- SLEET_FEED: "dotnet-prerelease"
- OCTOPUS_SERVER: ${{vars.OCTOPUS_SERVER}}
- OCTOPUS_SPACE_NAME: ${{vars.OCTOPUS_SPACE}}
- OCTOPUS_PROJECT: ${{vars.OCTOPUS_PROJECT}}
- OCTOPUS_CHANNEL: ${{vars.OCTOPUS_PRERELEASE_CHANNEL}}
- OCTOPUS_DEPLOY_TO: ${{vars.OCTOPUS_DEPLOYTO_PRERELEASE}}
- OCTOPUS_API_KEY: ${{secrets.OCTOPUS_API_KEY}}
- OCTOPUS_DEPLOY_PACKAGE: ${{vars.OCTOPUS_DEPLOY_PACKAGE}}
- OCTOPUS_DEPLOY_PACKAGE_ZIP: ${{vars.OCTOPUS_DEPLOY_PACKAGE_ZIP}}
- GITHUB_TOKEN: ${{secrets.SOURCE_PUSH_TOKEN}}
- REPO_VISIBILITY: ${{env.REPO_STATUS}}
- CREATE_RELEASE: false
-
 - name: "Build Version"
 uses: actions/github-script@v7.0.1
 with: