From 2017210e835866ee52bdfc72695db653862d117e Mon Sep 17 00:00:00 2001
From: Benjamen Meyer
Date: Fri, 24 Nov 2023 17:43:27 -0500
Subject: [PATCH 1/5] Enhancement: Update the GH Actions
- move checkout to latest (v4.1.1)
- move upload artifacts to latest (v3.1.3)
- move codeql-action to v2 (best version I can find)
- update the scorecard analysis and move vesions to latest
---
 .github/workflows/Windows-CI.yml | 4 ++--
 .github/workflows/codeql.yml | 7 +++++--
 .github/workflows/fortify-on-demand-scan.yml | 2 +-
 .github/workflows/gh-actions-pr.yml | 4 ++--
 .github/workflows/gh-actions-release.yml | 2 +-
 .github/workflows/macos-ci.yml | 4 ++--
 .github/workflows/scorecards-analysis.yml | 10 ++++++----
 7 files changed, 19 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/Windows-CI.yml b/.github/workflows/Windows-CI.yml
index 300fc36810..e275ffa111 100644
--- a/.github/workflows/Windows-CI.yml
+++ b/.github/workflows/Windows-CI.yml
@@ -107,7 +107,7 @@ jobs:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
 - name: checkout
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+ uses: actions/checkout@v4.1.1
 - name: "Create directory '${{ env.VCPKG_DEFAULT_BINARY_CACHE }}'"
 run: mkdir -p $VCPKG_DEFAULT_BINARY_CACHE
@@ -155,7 +155,7 @@ jobs:
 run: .\script\test.ps1 -Generator ${{ matrix.cmake-generator }} -EnablePIE ${{ matrix.enable-pie }} -BuildType ${{ matrix.build-type }}
 - name: Upload test results
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce #v3.1.2
+ uses: actions/upload-artifact@v3.1.3
 if: failure()
 with:
 name: test_results_xml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 4129bcda24..a6d75fe9ad 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,9 +27,10 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@0225834cc549ee0ca93cb085b92954821a145866 #v2.3.5
+ uses: github/codeql-action/init@v2
 with:
 languages: ${{ matrix.language }}
+ tools: codeql-bundle.tar.gz
 - name: Bootstrap and Build the Code
 run: |
@@ -37,4 +38,6 @@ jobs:
 script/build
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@0225834cc549ee0ca93cb085b92954821a145866 #v2.3.5
+ uses: github/codeql-action/analyze@v2
+ with:
+ tools: codeql-bundle.tar.gz
diff --git a/.github/workflows/fortify-on-demand-scan.yml b/.github/workflows/fortify-on-demand-scan.yml
index 501d22cee3..545b314035 100644
--- a/.github/workflows/fortify-on-demand-scan.yml
+++ b/.github/workflows/fortify-on-demand-scan.yml
@@ -16,7 +16,7 @@ jobs:
 # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+ - uses: actions/checkout@v4.1.1
 - name: Fortify on Demand Scan
 # You may pin to the exact commit or the version.
diff --git a/.github/workflows/gh-actions-pr.yml b/.github/workflows/gh-actions-pr.yml
index 169da267c2..fd3ebea93f 100644
--- a/.github/workflows/gh-actions-pr.yml
+++ b/.github/workflows/gh-actions-pr.yml
@@ -329,7 +329,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+ uses: actions/checkout@v4.1.1
 with:
 fetch-depth: 2
 submodules: false
@@ -365,7 +365,7 @@ jobs:
 # run: ctest -V
 - name: Upload test results
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce #v3.1.2
+ uses: actions/upload-artifact@v3.1.3
 if: failure()
 with:
 name: test_results_xml
diff --git a/.github/workflows/gh-actions-release.yml b/.github/workflows/gh-actions-release.yml
index b0b3014dbb..d255376ca3 100644
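Review bot: The `with: tools: codeql-bundle.tar.gz` block added to the `github/codeql-action/analyze` step in the second hunk has no effect as far as I can tell: `analyze` does not declare a `tools` input (only `init` does), and the runner reports an undeclared input as a warning and then ignores it. The same applies to the `tools:` line added under `upload-sarif` in the scorecards-analysis.yml hunk of this commit. Keep the override on `init` alone and drop the two added lines on the analyze step, since a reader will otherwise assume the analysis is being run with that bundle when it is not. `init` treats `tools` as a URL or local path, so the value only does something once a file of that name exists in the workspace.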
--- a/.github/workflows/gh-actions-release.yml
+++ b/.github/workflows/gh-actions-release.yml
@@ -160,7 +160,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+ uses: actions/checkout@v4.1.1
 with:
 fetch-depth: 2
 submodules: false
diff --git a/.github/workflows/macos-ci.yml b/.github/workflows/macos-ci.yml
index c8c41152f8..746d0f9367 100644
--- a/.github/workflows/macos-ci.yml
+++ b/.github/workflows/macos-ci.yml
@@ -66,7 +66,7 @@ jobs:
 run: brew install openal-soft
 - name: Check out repository
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
+ uses: actions/checkout@v4.1.1
 with:
 fetch-depth: 2
 submodules: false
@@ -92,7 +92,7 @@ jobs:
 run: ctest -V
 - name: Upload test results
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce #v3.1.2
+ uses: actions/upload-artifact@v3.1.3
 if: failure()
 with:
 name: test_results_xml
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
index 58336adac4..d118dc230a 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -19,15 +19,16 @@ jobs:
 security-events: write
 actions: read
 contents: read
+ id-token: write
 steps:
 - name: "Check out code"
- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
+ uses: actions/checkout@v4.1.1
 with:
 persist-credentials: false
 - name: "Run analysis"
- uses: ossf/scorecard-action@e3e75cf2ffbf9364bbff86cdbdf52b23176fe492 # v1.0.1
+ uses: ossf/scorecard-action@v2.3.1
 with:
 results_file: results.sarif
 results_format: sarif
@@ -42,7 +43,7 @@ jobs:
 # Upload the results as artifacts (optional).
 - name: "Upload artifact"
- uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce #v3.1.2
+ uses: actions/upload-artifact@v3.1.3
 with:
 name: SARIF file
 path: results.sarif
@@ -50,6 +51,7 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+ uses: github/codeql-action/upload-sarif@v2
 with:
 sarif_file: results.sarif
+ tools: codeql-bundle.tar.gz
From 9a544c385fdbae87b5bbeb096dee0eac72580bba Mon Sep 17 00:00:00 2001
From: Benjamen Meyer
Date: Fri, 24 Nov 2023 17:52:08 -0500
Subject: [PATCH 2/5] Bug Fix: codeql bundle needs to be downloaded
---
 .github/workflows/codeql.yml | 6 ++++++
 .github/workflows/scorecards-analysis.yml | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index a6d75fe9ad..8cb2d7650f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -25,6 +25,12 @@ jobs:
 with:
 fetch-depth: 2
+ - name: Download benchmark bundle
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ gh release download -R octo-org/codeql-bundle --pattern 'codeql-bundle.tar.gz'
+
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
 uses: github/codeql-action/init@v2
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
index d118dc230a..537c01a657 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -27,6 +27,12 @@ jobs:
 with:
 persist-credentials: false
+ - name: Download benchmark bundle
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ gh release download -R octo-org/codeql-bundle --pattern 'codeql-bundle.tar.gz'
+
 - name: "Run analysis"
 uses: ossf/scorecard-action@v2.3.1
 with:
From 7542378ab4098e1fe4d027ac1f88d6f910676bd8 Mon Sep 17 00:00:00 2001
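Review bot: The download step added to scorecards-analysis.yml fetches a CodeQL bundle that nothing in that workflow executes — `ossf/scorecard-action` does not use it and `upload-sarif` only submits an existing SARIF file — so it adds a network dependency and a new way for the job to fail without changing any result; I would drop it from that file. In codeql.yml the step is also redundant in the common case, because `init` by default fetches a CodeQL bundle version tied to the action release it is pinned to, so an explicit bundle only makes sense when a specific CLI version is required. The step name `Download benchmark bundle` does not describe what the step does; `Download CodeQL bundle` would. The `gh release download` target repository is corrected later in this series, so I am not raising it here.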
From: Benjamen Meyer <1074110+BenjamenMeyer@users.noreply.github.com>
Date: Fri, 24 Nov 2023 18:16:53 -0500
Subject: [PATCH 3/5] Update .github/workflows/Windows-CI.yml
Co-authored-by: Stephen G Tuggy
---
 .github/workflows/Windows-CI.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/Windows-CI.yml b/.github/workflows/Windows-CI.yml
index e275ffa111..7e4e0023bf 100644
--- a/.github/workflows/Windows-CI.yml
+++ b/.github/workflows/Windows-CI.yml
@@ -107,7 +107,7 @@ jobs:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
 - name: checkout
- uses: actions/checkout@v4.1.1
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 - name: "Create directory '${{ env.VCPKG_DEFAULT_BINARY_CACHE }}'"
 run: mkdir -p $VCPKG_DEFAULT_BINARY_CACHE
From b54ba9a74f7aac0f3b93b9b5ba7334b5be128e0a Mon Sep 17 00:00:00 2001
From: Benjamen Meyer
Date: Fri, 24 Nov 2023 18:36:47 -0500
Subject: [PATCH 4/5] Feature: lock actions against hash instead of tag
---
 .github/workflows/README.rst | 12 ++++++++++++
 .github/workflows/Windows-CI.yml | 2 +-
 .github/workflows/codeql.yml | 6 +++---
 .github/workflows/fortify-on-demand-scan.yml | 5 ++---
 .github/workflows/gh-actions-pr.yml | 4 ++--
 .github/workflows/gh-actions-release.yml | 4 ++--
 .github/workflows/macos-ci.yml | 4 ++--
 .github/workflows/scorecards-analysis.yml | 8 ++++----
 8 files changed, 28 insertions(+), 17 deletions(-)
 create mode 100644 .github/workflows/README.rst
diff --git a/.github/workflows/README.rst b/.github/workflows/README.rst
new file mode 100644
index 0000000000..e2317713bd
--- /dev/null
+++ b/.github/workflows/README.rst
@@ -0,0 +1,12 @@
+Vega Strike Git Hub Actions Guidance
+====================================
+
+VS will allow many actions that are beneficial to the project.
+We also apply the OSSF Score Card to our projects.
+
+To help with reliability of the GH Actions they should be tagged
+against the associated release SHA Hash instead of Git Tag.
+
+References
+----------
+- https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash
diff --git a/.github/workflows/Windows-CI.yml b/.github/workflows/Windows-CI.yml
index 7e4e0023bf..59234d583f 100644
--- a/.github/workflows/Windows-CI.yml
+++ b/.github/workflows/Windows-CI.yml
@@ -155,7 +155,7 @@ jobs:
 run: .\script\test.ps1 -Generator ${{ matrix.cmake-generator }} -EnablePIE ${{ matrix.enable-pie }} -BuildType ${{ matrix.build-type }}
 - name: Upload test results
- uses: actions/upload-artifact@v3.1.3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 if: failure()
 with:
 name: test_results_xml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 8cb2d7650f..93f69e69fe 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -21,7 +21,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 with:
 fetch-depth: 2
@@ -33,7 +33,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
+ uses: github/codeql-action/init@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3
 with:
 languages: ${{ matrix.language }}
 tools: codeql-bundle.tar.gz
@@ -44,6 +44,6 @@ jobs:
 script/build
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
+ uses: github/codeql-action/analyze@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3
 with:
 tools: codeql-bundle.tar.gz
diff --git a/.github/workflows/fortify-on-demand-scan.yml b/.github/workflows/fortify-on-demand-scan.yml
index 545b314035..c0a5371990 100644
--- a/.github/workflows/fortify-on-demand-scan.yml
+++ b/.github/workflows/fortify-on-demand-scan.yml
@@ -16,12 +16,11 @@ jobs:
 # Steps represent a sequence of tasks that will be executed as part of the job
 steps:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@v4.1.1
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 - name: Fortify on Demand Scan
 # You may pin to the exact commit or the version.
- # uses: fortify/gha-setup-fod-uploader@636f3c3a14aec1747eec5242a02c6349e4f3cce6
- uses: fortify/gha-setup-fod-uploader@v1.0.1
+ uses: fortify/gha-setup-fod-uploader@16e5036c084b26cee63cb0c38cfc2101cc9fd13d #v1.1.3
 with:
 # FoDUploader version to use
 version: latest
diff --git a/.github/workflows/gh-actions-pr.yml b/.github/workflows/gh-actions-pr.yml
index fd3ebea93f..8a4b3e640e 100644
--- a/.github/workflows/gh-actions-pr.yml
+++ b/.github/workflows/gh-actions-pr.yml
@@ -329,7 +329,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@v4.1.1
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 with:
 fetch-depth: 2
 submodules: false
@@ -365,7 +365,7 @@ jobs:
 # run: ctest -V
 - name: Upload test results
- uses: actions/upload-artifact@v3.1.3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 if: failure()
 with:
 name: test_results_xml
diff --git a/.github/workflows/gh-actions-release.yml b/.github/workflows/gh-actions-release.yml
index d255376ca3..2b8dc7cfa5 100644
--- a/.github/workflows/gh-actions-release.yml
+++ b/.github/workflows/gh-actions-release.yml
@@ -160,7 +160,7 @@ jobs:
 steps:
 - name: Check out repository
- uses: actions/checkout@v4.1.1
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 with:
 fetch-depth: 2
 submodules: false
@@ -183,7 +183,7 @@ jobs:
 IS_RELEASE: 1
 run: script/cibuild $FLAGS
 - name: Upload the artifacts
- uses: skx/github-action-publish-binaries@master
+ uses: skx/github-action-publish-binaries@44887b225ceca96efd8a912d39c09ad70312af31 # master
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ARTIFACT_EXT: ${{ matrix.ARTIFACT_EXT }}
diff --git a/.github/workflows/macos-ci.yml b/.github/workflows/macos-ci.yml
index 746d0f9367..81f367ff3b 100644
--- a/.github/workflows/macos-ci.yml
+++ b/.github/workflows/macos-ci.yml
@@ -66,7 +66,7 @@ jobs:
 run: brew install openal-soft
 - name: Check out repository
- uses: actions/checkout@v4.1.1
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 with:
 fetch-depth: 2
 submodules: false
@@ -92,7 +92,7 @@ jobs:
 run: ctest -V
 - name: Upload test results
- uses: actions/upload-artifact@v3.1.3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 if: failure()
 with:
 name: test_results_xml
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
index 537c01a657..08880a397b 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - name: "Check out code"
- uses: actions/checkout@v4.1.1
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 with:
 persist-credentials: false
@@ -34,7 +34,7 @@ jobs:
 gh release download -R octo-org/codeql-bundle --pattern 'codeql-bundle.tar.gz'
 - name: "Run analysis"
- uses: ossf/scorecard-action@v2.3.1
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 #v2.3.1
 with:
 results_file: results.sarif
 results_format: sarif
@@ -49,7 +49,7 @@ jobs:
 # Upload the results as artifacts (optional).
 - name: "Upload artifact"
- uses: actions/upload-artifact@v3.1.3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: SARIF file
 path: results.sarif
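Review bot: The new pin `skx/github-action-publish-binaries@44887b225ceca96efd8a912d39c09ad70312af31` carries the annotation `# master`, which names a moving branch rather than the release the commit belongs to, so the comment cannot be used to verify the pin or to tell when it has gone stale, and version-update tooling has no tag to compare against. Because this step runs in the release job with `secrets.GITHUB_TOKEN`, it is worth recording exactly what was reviewed at pin time: `# master as of <YYYY-MM-DD>; no release tag covers this commit` (date is a placeholder), or the upstream release tag if one exists. The other hash pins in this commit already carry a version comment, so this is the one outlier. The enclosing step continues past the end of the hunk.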
@@ -57,7 +57,7 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3
 with:
 sarif_file: results.sarif
 tools: codeql-bundle.tar.gz
From 10bc5afb214eb3fa11f035625e27f5747561d55f Mon Sep 17 00:00:00 2001
From: Benjamen Meyer
Date: Fri, 24 Nov 2023 20:48:21 -0500
Subject: [PATCH 5/5] Bug Fix: Use the right org/repo for the codeql-bundle
---
 .github/workflows/codeql.yml | 3 ++-
 .github/workflows/scorecards-analysis.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 93f69e69fe..8c2988ca8f 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -28,8 +28,9 @@ jobs:
 - name: Download benchmark bundle
 env:
 GH_TOKEN: ${{ github.token }}
+ # download the latest version
 run: |
- gh release download -R octo-org/codeql-bundle --pattern 'codeql-bundle.tar.gz'
+ gh release download -R github/codeql-action --pattern 'codeql-bundle.tar.gz'
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
index 08880a397b..a09879717b 100644
--- a/.github/workflows/scorecards-analysis.yml
+++ b/.github/workflows/scorecards-analysis.yml
@@ -30,8 +30,9 @@ jobs:
 - name: Download benchmark bundle
 env:
 GH_TOKEN: ${{ github.token }}
+ # download the latest version
 run: |
- gh release download -R octo-org/codeql-bundle --pattern 'codeql-bundle.tar.gz'
+ gh release download -R github/codeql-action --pattern 'codeql-bundle.tar.gz'
 - name: "Run analysis"
 uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 #v2.3.1
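Review bot: `gh release download -R github/codeql-action --pattern 'codeql-bundle.tar.gz'` has no tag argument, so, as the added `# download the latest version` comment says, it takes whatever release is newest at run time; the CodeQL CLI that `init` is then told to use floats from run to run while every action in the same workflow is now pinned to a commit, and the downloaded archive is not checked against any digest, which undercuts the pinning policy this series introduces. The repository also publishes more than one kind of release, so if the newest one carries no `codeql-bundle.tar.gz` asset the pattern matches nothing and the step fails (inferred, not verified here). Pin the release: `gh release download <codeql-bundle-release-tag> -R github/codeql-action --pattern 'codeql-bundle.tar.gz'` (placeholder tag), and verify the asset's checksum before use where a digest is published; alternatively drop the step and the `tools:` input and let the pinned `init` fetch its default bundle. The same applies to the scorecards-analysis.yml hunk of this commit.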