diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..27dac58
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+# Please do not attempt to edit this file without the direct consent from the DevOps team. This file is managed centrally.
+# Contact @scott45
+
+* @scott45
\ No newline at end of file
diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
deleted file mode 100644
index 1ae15e5..0000000
--- a/.github/workflows/bench.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-
-name: Benchmark CI
-env:
- GITHUB_TOKEN: ${{ secrets.GH_WRITE_TOKEN }}
- REPO_NAME: 'performance-benchmark'
- PROCCESSOR_REPO_NAME: ${{ github.event.repository.name }}
-on:
- push:
- branches:
- - 'main'
-jobs:
- bench:
- runs-on: ubuntu-latest
- steps:
- - name: Clone repo
- run: |
- git clone https://user:$GITHUB_TOKEN@github.com/${{ github.repository_owner }}/${{ env.REPO_NAME }}
- cd ${{ env.REPO_NAME }}
- git config --local user.email "action@github.com"
- git config --local user.name "GitHub Action"
- - name: Switch to temp branch
- run: |
- cd ${{ env.REPO_NAME }}
- git checkout temp-holder
- git pull
- cat "${{ env.PROCCESSOR_REPO_NAME }}".csv >> "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp
- git add "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp
- git stash
- git checkout main
- git stash apply
- - name: Write data
- run: |
- cd ${{ env.REPO_NAME }}
- echo -n $'\n' >> "${{ env.PROCCESSOR_REPO_NAME }}".csv
- cat "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp >> "${{ env.PROCCESSOR_REPO_NAME }}".csv
- git reset "${{ env.PROCCESSOR_REPO_NAME }}".csv.tmp
- git add "${{ env.PROCCESSOR_REPO_NAME }}".csv
- git commit -m "#${{ github.event.number }} Pushed update of ${{ env.PROCCESSOR_REPO_NAME }}"
- - name: push data
- run: |
- cd ${{ env.REPO_NAME }}
- git push origin main
\ No newline at end of file
diff --git a/.github/workflows/codacy.yml b/.github/workflows/codacy.yml
index 500f7d3..273f607 100644
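Review bot: `* @scott45` routes every review in the repository to a single individual account, so reviews stall whenever that account is unavailable and the file must be re-edited if ownership changes, even though the header comment attributes ownership to the DevOps team. CODEOWNERS accepts a team handle; `* @<org>/<devops-team>` (placeholder, the org and team slug are not on this page) keeps the rule valid across personnel changes, with the individual optionally listed alongside. The file also lacks a trailing newline, which some tooling reports as a warning.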
--- a/.github/workflows/codacy.yml
+++ b/.github/workflows/codacy.yml
@@ -13,6 +13,8 @@
 # For more information on Codacy Analysis CLI in general, see
 # https://github.com/codacy/codacy-analysis-cli.
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: Codacy Security Scan
 on:
@@ -29,6 +31,7 @@ permissions:
 jobs:
 codacy-security-scan:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 permissions:
 contents: read # for actions/checkout to fetch code
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 88abae3..6212b29 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -11,6 +11,9 @@
 # the `language` matrix defined below to confirm you have the correct set of
 # supported CodeQL languages.
 #
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: "CodeQL"
 on:
@@ -24,6 +27,7 @@ on:
 jobs:
 analyze:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 name: Analyze
 runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
 permissions:
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
index 68efbd2..6aee786 100644
--- a/.github/workflows/conventional-commits.yml
+++ b/.github/workflows/conventional-commits.yml
@@ -7,6 +7,8 @@
 # This GitHub Actions workflow validates the title of pull requests (PRs) to ensure they follow conventional commit standards.
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: PR Conventional Commit Validation
 on:
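Review bot: The `if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'` guard added to `codacy-security-scan` carries no comment explaining why Dependabot-triggered runs are excluded, and the identical bare line is repeated in codeql.yml, conventional-commits.yml, dco-check.yml, gpg-verify.yml, milestone.yml, njsscan.yml, node.js.yml (`build`, `lint`, `test`), release.yml, sbom.yml and sync-workflows.yml, so the rationale is missing from every copy. Presumably the motivation is that Dependabot-triggered runs receive a read-only `GITHUB_TOKEN` and no repository secrets, which would make the SARIF uploads fail; if so, record it once per file, e.g. `# Dependabot-triggered runs get a read-only GITHUB_TOKEN and no repo secrets; skip instead of failing`. For the gate jobs (`dco`, `gpg-verify`, `validate-pr-title`) a job skipped by `if:` is generally accepted as passing by required status checks, so Dependabot PRs would clear those gates unchecked — confirm that is intended rather than a side effect of applying the guard uniformly.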
@@ -16,6 +18,7 @@ on:
 jobs:
 validate-pr-title:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job
 steps:
 - name: Checkout code
diff --git a/.github/workflows/dco-check.yml b/.github/workflows/dco-check.yml
index af42602..861c0ea 100644
--- a/.github/workflows/dco-check.yml
+++ b/.github/workflows/dco-check.yml
@@ -2,6 +2,8 @@
 # This GitHub Actions workflow checks that all commits in a pull request (PR) have a "Signed-off-by" line to ensure Developer Certificate of Origin (DCO) compliance.
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: DCO
 # Trigger the workflow on pull request events
@@ -9,6 +11,7 @@ on: [pull_request]
 jobs:
 dco:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 # Define the runner environment
 runs-on: ubuntu-latest
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index b8a269e..577adb6 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -6,6 +6,10 @@
 #
 # Source repository: https://github.com/actions/dependency-review-action
 # Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: 'Dependency Review'
 on: [pull_request]
diff --git a/.github/workflows/dockerfile-linter.yml b/.github/workflows/dockerfile-linter.yml
deleted file mode 100644
index 08d6525..0000000
--- a/.github/workflows/dockerfile-linter.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-# hadoint is a Dockerfile linter written in Haskell
-# that helps you build best practice Docker images.
-# More details at https://github.com/hadolint/hadolint
-
-name: Hadolint
-
-on:
- push:
- branches: [ "dev", "main" ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ "dev" ]
- schedule:
- - cron: '17 13 * * 0'
-
-permissions:
- contents: read
-
-jobs:
- hadolint:
- name: Run hadolint scanning
- runs-on: ubuntu-latest
- permissions:
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Run hadolint
- uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
- with:
- dockerfile: ./Dockerfile
- format: sarif
- output-file: hadolint-results.sarif
- no-fail: true
-
- - name: Upload analysis results to GitHub
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: hadolint-results.sarif
- wait-for-processing: true
\ No newline at end of file
diff --git a/.github/workflows/dockerhub-image-build.yml b/.github/workflows/dockerhub-image-build.yml
deleted file mode 100644
index 8211bfa..0000000
--- a/.github/workflows/dockerhub-image-build.yml
+++ /dev/null
@@ -1,60 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# GitHub recommends pinning actions to a commit SHA.
-# To get a newer version, you will need to update the SHA.
-# You can also reference a tag or branch, but the action may change without warning.
-
-name: Publish Docker image
-
-on:
- release:
- types: [published]
-
-jobs:
- push_to_registry:
- name: Push Docker image to Docker Hub
- runs-on: ubuntu-latest
- permissions:
- packages: write
- contents: read
- attestations: write
- id-token: write
- steps:
- - name: Check out the repo
- uses: actions/checkout@v4
-
- - name: Log in to Docker Hub
- uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
- with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
-
- - name: Extract metadata (tags, labels) for Docker
- id: meta
- uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
- with:
- images: my-docker-hub-namespace/my-docker-hub-repository
-
- - name: Build and push Docker image
- id: push
- uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671
- with:
- context: .
- file: ./Dockerfile
- push: true
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
-
-
- - name: Generate artifact attestation
- uses: actions/attest-build-provenance@v1
- with:
- subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
- subject-digest: ${{ steps.push.outputs.digest }}
- push-to-registry: true
-
diff --git a/.github/workflows/gpg-verify.yml b/.github/workflows/gpg-verify.yml
index 9c0ab8f..56b6f3c 100644
--- a/.github/workflows/gpg-verify.yml
+++ b/.github/workflows/gpg-verify.yml
@@ -2,12 +2,15 @@
 # This GitHub Actions workflow checks that all commits in a pull request (PR) have been verified with GPG signatures.
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: GPG Verify
 on: [pull_request] # Trigger this workflow on pull request events
 jobs:
 gpg-verify:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job
 steps:
 - uses: actions/checkout@v4 # Checkout the repository code using the actions/checkout action
diff --git a/.github/workflows/milestone.yml b/.github/workflows/milestone.yml
index 7173e0f..8b5bb6a 100644
--- a/.github/workflows/milestone.yml
+++ b/.github/workflows/milestone.yml
@@ -2,6 +2,8 @@
 # This GitHub Actions workflow is designed to close a milestone and trigger a release workflow.
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: Milestone Workflow
 # This workflow can be manually triggered with a specified milestone ID.
@@ -15,6 +17,7 @@ on:
 jobs:
 close_milestone:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest
 steps:
diff --git a/.github/workflows/njsscan.yml b/.github/workflows/njsscan.yml
index 255c0f7..d1bddf2 100644
--- a/.github/workflows/njsscan.yml
+++ b/.github/workflows/njsscan.yml
@@ -8,6 +8,8 @@
 # This workflow integrates njsscan with GitHub's Code Scanning feature
 # nodejsscan is a static security code scanner that finds insecure code patterns in your Node.js applications
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: njsscan sarif
 on:
@@ -24,6 +26,7 @@ permissions:
 jobs:
 njsscan:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 permissions:
 contents: read # for actions/checkout to fetch code
 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
diff --git a/.github/workflows/node.js.yml b/.github/workflows/node.js.yml
index 5922eb5..373ddd2 100644
--- a/.github/workflows/node.js.yml
+++ b/.github/workflows/node.js.yml
@@ -3,6 +3,8 @@
 # This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
 # For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: Node.js CI
 env:
@@ -19,6 +21,7 @@ on:
 branches: [ "dev", "main" ]
 jobs:
 build:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest
 name: run build
 strategy:
@@ -39,6 +42,7 @@ jobs:
 run: npm run build
 lint:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest
 name: check style
 strategy:
@@ -60,6 +64,7 @@ jobs:
 run: npm run lint
 test:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest
 name: check tests
 strategy:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..b62fa6c
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,161 @@
+# SPDX-License-Identifier: Apache-2.0
+
+name: Publish dev npm package to GitHub
+
+on:
+ push:
+ branches:
+ - 'dev'
+ paths-ignore:
+ - package.json
+ - package-lock.json
+ workflow_dispatch:
+
+jobs:
+ build-and-publish:
+ runs-on: ubuntu-latest
+ env:
+ GITHUB_TOKEN: ${{ secrets.GH_TOKEN_LIB }}
+ permissions:
+ packages: write
+ contents: read
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Setup Node.js (.npmrc)
+ uses: actions/setup-node@v3
+ with:
+ node-version: 16.x
+ registry-url: https://npm.pkg.github.com/
+ # Defaults to the user or organization that owns the workflow file
+ scope: '@frmscoe'
+
+ - name: Set up NPM authentication
+ run: |
+ echo "//npm.pkg.github.com/:_authToken=${{ secrets.GH_TOKEN_LIB }}" > ~/.npmrc
+ cat .npmrc
+
+ - name: Configure Git
+ run: |
+ git config user.email ${{ secrets.GH_EMAIL }}
+ git config user.name ${{ secrets.GH_USERNAME }}
+
+ - name: Version bumping
+ env:
+ GH_TOKEN: '${{ secrets.GH_TOKEN }}'
+ run: |
+ commit_message=$(git log -1 --pretty=%B)
+ echo "Commit message: $commit_message"
+ if [[ "$commit_message" == *'feat!:'* ]]; then
+ npm version major
+ elif [[ "$commit_message" == *"feat:"* ]]; then
+ npm version minor
+ else
+ npm version prerelease --preid=rc
+ fi
+
+ - name: Install dependencies
+ run: npm ci
+ env:
+ GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+
+ - name: Build library
+ run: npm run build
+
+ - name: Publish package
+ run: npm publish
+ env:
+ GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+ NODE_AUTH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+
+ - name: Capture Version
+ id: capture_version
+ run: |
+ export version=$(jq -r '.version' package.json)
+ echo "VERSION=$version" >> $GITHUB_ENV
+
+ - name: Push Changes in package.json and make PRs
+ run: |
+ export GH_USERNAME=${{ secrets.GH_USERNAME }}
+ export GH_TOKEN=${{ secrets.GH_TOKEN_LIB }}
+ git config --global user.name ${{ secrets.GH_USERNAME }}
+
+ # Clear the GITHUB_TOKEN environment variable and use a
temporary file for gh authentication
+ echo "${{ secrets.GH_TOKEN_LIB }}" > /tmp/gh_token
+ unset GITHUB_TOKEN
+ unset GH_TOKEN
+ gh auth login --with-token < /tmp/gh_token
+
+ git clone https://${{ secrets.GH_USERNAME }}:${{ secrets.GH_TOKEN_LIB }}@github.com/${{ github.repository }}.git
+ REPO_NAME=$(basename -s .git https://github.com/${{ github.repository }}.git)
+ cd $REPO_NAME
+ echo "Currently in repository directory: $(pwd)"
+
+ if git ls-remote --heads origin version-bump | grep version-bump; then
+ # Branch exists, pull the latest changes
+ git checkout version-bump
+ git pull origin version-bump
+ else
+ # Branch does not exist, create it
+ git checkout -b version-bump
+ fi
+
+ git config --global user.email ${{ secrets.GH_EMAIL }}
+ git config --global user.name ${{ secrets.GH_USERNAME }}
+
+ # print current version
+ sed -i 's/"version": "[^"]*"/"version": "'"${{ env.VERSION }}"'"/' package.json
+ cat package.json
+ git add .
+ git commit -m "chore: Bump version after publishing to Github NPM" || echo "No changes to commit"
+ git push origin version-bump || git push origin version-bump --force
+
+ gh pr create --title "build: Automated PR; Bump version after publishing to Github NPM" --body "This pull request updates the version in the `package.json` and `package-lock.json` after the package was published."
--base dev --head version-bump --assignee ${{ secrets.GH_USERNAME }} --label build || echo "PR already exists, updating existing PR"
+ PR_ID=$(gh pr view --json number -q ".number")
+ echo "PR_ID=$pr_id" >> $GITHUB_ENV
+
+ # Cleanup
+ rm /tmp/gh_token
+
+ # Send Slack Notification
+ - name: Send Slack Notification
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+ run: |
+ # Fetch the PR ID from the environment
+ PR_ID=${{ env.PR_ID }}
+
+ curl -X POST -H 'Content-type: application/json' --data '{
+ "blocks": [
+ {
+ "type": "header",
+ "text": {
+ "type": "plain_text",
+ "text": "New NPM GitHub package published :white_check_mark:",
+ "emoji": true
+ }
+ },
+ {
+ "type": "section",
+ "fields": [
+ {
+ "type": "mrkdwn",
+ "text": "*Github Repository:*\nhttps://github.com/${{ github.repository }}"
+ },
+ {
+ "type": "mrkdwn",
+ "text": "*Pull Requests:*\n"
+ }
+ ]
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": "Please head over to the github repository and merge the PR linked above to update the `package.json` with the newly published npm package."
+ }
+ }
+ ]
+ }' $SLACK_WEBHOOK_URL
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f5d0a21..c54ed3c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,5 +1,7 @@
 # SPDX-License-Identifier: Apache-2.0
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: Release Workflow
 on:
@@ -11,6 +13,7 @@ on:
 jobs:
 release:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
 runs-on: ubuntu-latest
 steps:
 # Checkout the main branch with all history
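Review bot: In the `Push Changes in package.json and make PRs` step of publish.yml, the `gh pr create --body "..."` argument is double-quoted and contains backtick-wrapped `package.json` and `package-lock.json`, which bash treats as command substitution: each name is executed as a command, fails with "command not found", and the filenames are stripped from the PR body — single-quote the `--body` text (it contains no apostrophe) or escape each backtick with a backslash. Two lines later, `echo "PR_ID=$pr_id" >> $GITHUB_ENV` reads a lowercase variable that is never set, so `PR_ID` is exported empty and the Slack step's `PR_ID=${{ env.PR_ID }}` and its `*Pull Requests:*\n` field carry nothing; it should be `echo "PR_ID=$PR_ID" >> "$GITHUB_ENV"`, and the value should then actually be interpolated into that field. The PAT is also embedded in the `git clone https://<user>:<token>@github.com/...` remote URL, where it persists in the clone's `.git/config` and can surface in git error output, and `cat .npmrc` after writing the token to `~/.npmrc` prints the repository's own `.npmrc` (or aborts the step if none exists); passing the token via `env:` with `git -c http.extraheader`, or using `actions/checkout` with `token:`, avoids both. `actions/checkout@v3` and `actions/setup-node@v3` with `node-version: 16.x` are mutable tags on an end-of-life runtime, while the new sbom.yml in the same commit pins `anchore/sbom-action` by commit SHA; pin these the same way.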
@@ -228,30 +231,37 @@ jobs:
 draft: false
 prerelease: false
- # Update the CHANGELOG.md file in the repository
- - name: Update CHANGELOG.md
+ - name: Get Latest Release
 run: |
- NEW_VERSION=${{ steps.bump_version.outputs.new_version }}
- CHANGELOG_CONTENTS=$(cat /home/runner/work/changelog.txt)
- # Prepend the new changelog content to the existing CHANGELOG.md below SPDX-License-Identifier section
- echo -e "$(head -n 2 CHANGELOG.md)\n\n## $NEW_VERSION\n\n$CHANGELOG_CONTENTS\n\n$(tail -n +3 CHANGELOG.md)" > CHANGELOG.md
- git config --global user.name "github-actions[bot]"
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git add CHANGELOG.md
- git commit -m "chore: Update CHANGELOG.md for $NEW_VERSION"
- git push origin HEAD:main
+ echo "LATEST_RELEASE=$(gh release list --limit 1 | awk '{print $1}')" >> $GITHUB_ENV
+ echo "The latest release tag is $LATEST_RELEASE"
+
+ - name: Send Slack Notification
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- # Update the VERSION file
- - name: Update VERSION file
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
 run: |
- NEW_VERSION=${{ steps.bump_version.outputs.new_version }}
- echo -e "# SPDX-License-Identifier: Apache-2.0\n\n$NEW_VERSION" > VERSION
- git config --global user.name "github-actions[bot]"
- git config --global user.email "github-actions[bot]@users.noreply.github.com"
- git add VERSION
- git commit -m "chore: Update VERSION to $NEW_VERSION"
- git push origin HEAD:main
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ curl -X POST -H 'Content-type: application/json' --data '{
+ "blocks": [
+ {
+ "type": "header",
+ "text": {
+ "type": "plain_text",
+ "text": "New Release Alert :tazama:",
+ "emoji": true
+ }
+ },
+ {
+ "type": "section",
+ "fields": [
+ {
+ "type": "mrkdwn",
+ "text": "*Github Repository:*\nhttps://github.com/${{ github.repository }}"
+ },
+ {
+ "type": "mrkdwn",
+ "text": "*Release:*\n"
+ }
+ ]
+ }
+ ]
+ }' ${{
secrets.SLACK_WEBHOOK_URL }}
\ No newline at end of file
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
new file mode 100644
index 0000000..1abab3f
--- /dev/null
+++ b/.github/workflows/sbom.yml
@@ -0,0 +1,44 @@
+# SPDX-License-Identifier: Apache-2.0
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency
+# submission API.
+
+# For more information on the Anchore sbom-action usage
+# and parameters, see https://github.com/anchore/sbom-action. For more
+# information about the Anchore SBOM tool, Syft, see
+# https://github.com/anchore/syft
+
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
+name: Anchore Syft SBOM scan
+
+on:
+ push:
+ branches: [ "main" ]
+
+permissions:
+ contents: write
+
+jobs:
+ Anchore-Build-Scan:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+ permissions:
+ contents: write # required to upload to the Dependency submission API
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v4
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+ - name: Scan the image and upload dependency results
+ uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a
+ with:
+ image: "localbuild/testimage:latest"
+ artifact-name: image.spdx.json
+ dependency-snapshot: true
diff --git a/.github/workflows/sync-workflows.yml b/.github/workflows/sync-workflows.yml
index 22d4f22..3f9b0c8 100644
--- a/.github/workflows/sync-workflows.yml
+++ b/.github/workflows/sync-workflows.yml
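Review bot: In release.yml, the new `Get Latest Release` step runs `gh release list` with no `GH_TOKEN`/`GITHUB_TOKEN` in its `env:` (the removed steps each carried one; the surviving `env:` block now belongs to the Slack step), so unless a token is set at job or workflow level outside this hunk, `gh` exits with an authentication error. Inside the same step, `echo "The latest release tag is $LATEST_RELEASE"` prints an empty value because `$GITHUB_ENV` writes only take effect in later steps, `awk '{print $1}'` takes the first word of the first column of `gh release list` (the release title) rather than the tag, and the value is never placed in the Slack payload — the `*Release:*\n` field is sent empty. The webhook is also interpolated inline as `${{ secrets.SLACK_WEBHOOK_URL }}` although the step defines `SLACK_WEBHOOK_URL` in `env:`; use `"$SLACK_WEBHOOK_URL"` as publish.yml does. The tag is likely already available as `steps.bump_version.outputs.new_version` (referenced by the removed lines); if that step still exists, reading it avoids the `gh` call entirely, otherwise the rewrite below resolves the tag directly.

```yaml
      - name: Get Latest Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          LATEST_RELEASE=$(gh release view --json tagName -q .tagName)
          echo "LATEST_RELEASE=$LATEST_RELEASE" >> "$GITHUB_ENV"
          echo "The latest release tag is $LATEST_RELEASE"

      - name: Send Slack Notification
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
        run: |
          # … unchanged: curl invocation, header block and repository field …
                  {
                    "type": "mrkdwn",
                    "text": "*Release:*\n${{ env.LATEST_RELEASE }}"
                  }
          # … unchanged: closing brackets of the payload …
          }' "$SLACK_WEBHOOK_URL"
```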
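Review bot: In sbom.yml, `permissions: contents: write` is granted at workflow level and then again on `Anchore-Build-Scan`, so the top-level grant adds nothing for this job but widens the default for any job added to the file later; keep the write grant on the job (its comment already records why it is needed) and set the top level to `contents: read` or drop it. `actions/checkout@v4` is referenced by a mutable tag while `anchore/sbom-action` in the same job is pinned to a commit SHA; pin both the same way. The header comment says the workflow "performs a container image scan", but the step generates an SBOM and submits it to the dependency graph with `dependency-snapshot: true` — no vulnerability scan runs here — so `# generates an SBOM of the image with Anchore's Syft tool and uploads it to the GitHub Dependency submission API` describes it more accurately.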
@@ -2,16 +2,18 @@
 # This GitHub Actions workflow syncs workflows from a central repository to other repositories when a pull request is merged.
+# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
+
 name: Sync Workflows
 on:
 pull_request:
- types: [closed] # Trigger this workflow when a pull request is closed
 branches: [ "dev" ] # The branches below must be a subset of the branches above
+ workflow_dispatch:
 jobs:
- sync:
- if: github.event.pull_request.merged == true # Run this job only if the pull request was merged
+ Sync_All_Repos_Common_Workflows:
+ if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' && github.event.pull_request.merged == true
 runs-on: ubuntu-latest # Use the latest Ubuntu runner for the job
 steps:
 - name: Checkout Central Workflows Repo # Step to checkout the repository containing the central workflows
@@ -47,7 +49,40 @@ jobs:
 - name: Sync Workflows to Other Repos # Step to sync workflows to other repositories
 env:
- REPOS: ${{ vars.TARGET_REPOS }} # List of repositories to sync workflows to
+ REPOS: | # List of repositories to sync workflows to
+ rule-001
+ rule-002
+ rule-003
+ rule-004
+ rule-006
+ rule-007
+ rule-008
+ rule-010
+ rule-011
+ rule-016
+ rule-017
+ rule-018
+ rule-020
+ rule-021
+ rule-024
+ rule-025
+ rule-026
+ rule-027
+ rule-028
+ rule-030
+ rule-044
+ rule-045
+ rule-048
+ rule-054
+ rule-063
+ rule-074
+ rule-075
+ rule-076
+ rule-078
+ rule-083
+ rule-084
+ rule-090
+ rule-091
 SPECIFIC_FILES: ${{ vars.SPECIFIC_FILES }} # List of specific files not to copy to certain repositories
 SPECIFIC_REPOS: ${{ vars.SPECIFIC_REPOS }} # List of specific repositories needing specific files not included
 PR_REVIEWERS: ${{ vars.PR_REVIEWERS }} # List of reviewers
diff --git a/.github/workflows/terraform-security.yml b/.github/workflows/terraform-security.yml
deleted file mode 100644
index 65edce6..0000000
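Review bot: With `types: [closed]` removed, the `pull_request` trigger now fires on its default activity types (opened, synchronize, reopened), where `github.event.pull_request.merged` is always false, and the new `workflow_dispatch` trigger carries no `pull_request` payload at all, so the retained `github.event.pull_request.merged == true` clause is never satisfied on manual runs — `Sync_All_Repos_Common_Workflows` is skipped on every event the workflow now subscribes to, and the closed-and-merged event it used to act on no longer triggers it. Restore `types: [closed]` under `pull_request:` and make the condition event-aware: `if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' && (github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true)`. In the second hunk, replacing `${{ vars.TARGET_REPOS }}` with a 33-entry inline list means the target set can now only change through a commit to this centrally managed file — presumably intended, but worth a comment saying so, since the sibling inputs on the same step (`SPECIFIC_FILES`, `SPECIFIC_REPOS`, `PR_REVIEWERS`) still come from repository variables.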
--- a/.github/workflows/terraform-security.yml
+++ /dev/null
@@ -1,40 +0,0 @@
-# SPDX-License-Identifier: Apache-2.0
-
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-name: tfsec
-
-on:
- push:
- branches: [ "dev", "main" ]
- pull_request:
- branches: [ "dev" ]
- schedule:
- - cron: '31 11 * * 1'
-
-jobs:
- tfsec:
- name: Run tfsec sarif report
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
-
- steps:
- - name: Clone repo
- uses: actions/checkout@v4
-
- - name: Run tfsec
- uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608
- with:
- sarif_file: tfsec.sarif
-
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v3
- with:
- # Path to SARIF file relative to the root of the repository
- sarif_file: tfsec.sarif