From abdfb4f97c371994bfd53509e5c44200cda1da9c Mon Sep 17 00:00:00 2001 From: Harnoor Singh Date: Tue, 23 Aug 2022 15:58:42 +0530 Subject: [PATCH 1/7] test --- .github/PULL_REQUEST_TEMPLATE.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index a8e827b1..658965fe 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -1,3 +1,4 @@ + ## Description Please include a summary of the change, motivation and context. From b3fab3e7ed30d8332baf3a6442c27a00ccc646a8 Mon Sep 17 00:00:00 2001 From: Harnoor Singh Date: Tue, 23 Aug 2022 18:58:28 +0530 Subject: [PATCH 2/7] Adds dependabot --- .github/dependabot.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..8332ef39 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +version: 2 +updates: + - package-ecosystem: "maven" + directory: "/" + schedule: + interval: "daily" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" From 1193f592a06ccdf2e85a16d567bd01d3a72845ea Mon Sep 17 00:00:00 2001 From: Harnoor Singh Date: Tue, 23 Aug 2022 19:00:26 +0530 Subject: [PATCH 3/7] bug fix --- .github/PULL_REQUEST_TEMPLATE.md | 1 - .github/dependabot.yml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md index 658965fe..a8e827b1 100644 --- a/.github/PULL_REQUEST_TEMPLATE.md +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -1,4 +1,3 @@ - ## Description Please include a summary of the change, motivation and context. diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 8332ef39..873c0176 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,6 +1,6 @@ version: 2 updates: - - package-ecosystem: "maven" + - package-ecosystem: "gradle" directory: "/" schedule: interval: "daily" From ba165f3512c37723dab3c6e8f9ef0b633db00c8d Mon Sep 17 00:00:00 2001 From: Harnoor Singh Date: Tue, 23 Aug 2022 19:04:32 +0530 Subject: [PATCH 4/7] wip --- .github/workflows/semgrep.yml | 47 +++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/semgrep.yml diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 00000000..6d3d32a4 --- /dev/null +++ b/.github/workflows/semgrep.yml @@ -0,0 +1,47 @@ +name: SecurityChecks +on: + pull_request: {} + push: +jobs: + semgrep: + name: Scan + runs-on: [self-hosted] + steps: + - uses: actions/checkout@v2 + - uses: returntocorp/semgrep-action@v1 + with: + publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} + publishDeployment: 339 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + workflow_status: + runs-on: [ self-hosted ] + name: Update Status Check + needs: [ semgrep ] + if: always() + env: + githubCommit: ${{ github.event.pull_request.head.sha }} + steps: + - name: Set github commit id + run: | + if [ "${{ github.event_name }}" = "push" ]; then + echo "githubCommit=${{ github.sha }}" >> $GITHUB_ENV + fi + exit 0 + - name: Failed + id: failed + if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') + run: | + echo 'Failing the workflow for github security status check.' + curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \ + -d '{ "state" : "failure" , "context" : "github/security-status-check" , "description" : "github/security-status-check", "target_url" : "https://github.com/${{ github.repository }}" }' \ + https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }} + exit 1 + - name: Success + if: steps.failed.conclusion == 'skipped' + run: | + echo 'Status check has passed!' + curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \ + -d '{ "state" : "success" , "context" : "github/security-status-check" , "description" : "github/security-status-check", "target_url" : "https://github.com/${{ github.repository }}" }' \ + https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }} + exit 0 \ No newline at end of file From 5aad1e59a0d25c8c5ee0b5289100c47fea81a0d5 Mon Sep 17 00:00:00 2001 From: Harnoor Singh Date: Tue, 23 Aug 2022 19:08:24 +0530 Subject: [PATCH 5/7] wip --- .github/workflows/semgrep.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 6d3d32a4..3063cbe6 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -2,6 +2,7 @@ name: SecurityChecks on: pull_request: {} push: + branches: ["rzp_main"] jobs: semgrep: name: Scan From 940b70abe13fd90cbf7a2cbaf38a2801ac6f7ff5 Mon Sep 17 00:00:00 2001 From: Harnoor Singh Date: Tue, 23 Aug 2022 23:27:41 +0530 Subject: [PATCH 6/7] wip --- .github/workflows/semgrep.yml | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 3063cbe6..1bc5b41b 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -1,12 +1,15 @@ -name: SecurityChecks +name: Security Checks on: + workflow_dispatch: pull_request: {} push: branches: ["rzp_main"] + schedule: + - cron: '30 20 * * *' jobs: semgrep: name: Scan - runs-on: [self-hosted] + runs-on: [ubuntu-latest] #nosemgrep zklW steps: - uses: actions/checkout@v2 - uses: returntocorp/semgrep-action@v1 @@ -15,8 +18,9 @@ jobs: publishDeployment: 339 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + workflow_status: - runs-on: [ self-hosted ] + runs-on: [ ubuntu-latest ] #nosemgrep zklW name: Update Status Check needs: [ semgrep ] if: always() @@ -25,13 +29,13 @@ jobs: steps: - name: Set github commit id run: | - if [ "${{ github.event_name }}" = "push" ]; then + if [ "${{ github.event_name }}" = "push" ] || [ "${{ github.event_name }}" = "schedule" ]; then echo "githubCommit=${{ github.sha }}" >> $GITHUB_ENV fi exit 0 - name: Failed id: failed - if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') + if: (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) && github.ref != 'refs/heads/master' run: | echo 'Failing the workflow for github security status check.' curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \ @@ -39,7 +43,7 @@ jobs: https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }} exit 1 - name: Success - if: steps.failed.conclusion == 'skipped' + if: steps.failed.conclusion == 'skipped' || github.ref != 'refs/heads/master' run: | echo 'Status check has passed!' curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \ From 095873a92a795300f95c69389af981ec01b16c7a Mon Sep 17 00:00:00 2001 From: Harnoor Singh Date: Tue, 23 Aug 2022 23:31:04 +0530 Subject: [PATCH 7/7] Changes interval of dependabot from daily to weekly --- .github/dependabot.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 873c0176..9af0acf4 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -3,9 +3,9 @@ updates: - package-ecosystem: "gradle" directory: "/" schedule: - interval: "daily" + interval: "weekly" - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "daily" + interval: "weekly"