From 659b5c12ea3f26821094b3c7a2c4e38899ce3245 Mon Sep 17 00:00:00 2001 From: Djubz Date: Thu, 12 Jun 2025 07:55:05 +0200 Subject: [PATCH 1/5] Create generator-generic-ossf-slsa3-publish.yml Djubz - Patch Work 1 --- .../generator-generic-ossf-slsa3-publish.yml | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/generator-generic-ossf-slsa3-publish.yml diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml new file mode 100644 index 000000000000..35c829b139b5 --- /dev/null +++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml @@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you generate SLSA provenance file for your project. +# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA generic generator +on: + workflow_dispatch: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + outputs: + digests: ${{ steps.hash.outputs.digests }} + + steps: + - uses: actions/checkout@v4 + + # ======================================================== + # + # Step 1: Build your artifacts. + # + # ======================================================== + - name: Build artifacts + run: | + # These are some amazing artifacts. + echo "artifact1" > artifact1 + echo "artifact2" > artifact2 + + # ======================================================== + # + # Step 2: Add a step to generate the provenance subjects + # as shown below. Update the sha256 sum arguments + # to include all binaries that you generate + # provenance for. + # + # ======================================================== + - name: Generate subject for provenance + id: hash + run: | + set -euo pipefail + + # List the artifacts the provenance will refer to. + files=$(ls artifact*) + # Generate the subjects (base64 encoded). + echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance: + needs: [build] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 + with: + base64-subjects: "${{ needs.build.outputs.digests }}" + upload-assets: true # Optional: Upload to a new release From 7fcfb68d1967cd4dd7906596eebab373e953b7b3 Mon Sep 17 00:00:00 2001 From: Djubz Date: Thu, 12 Jun 2025 13:46:31 +0000 Subject: [PATCH 2/5] Pending changes exported from your codespace --- .vscode/launch.json | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.vscode/launch.json b/.vscode/launch.json index e7265cc1f844..3a9248a08f42 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json @@ -1,6 +1,15 @@ { "version": "0.2.0", "configurations": [ + { + "name": "Launch Program", + "program": "${workspaceFolder}/app.js", + "request": "launch", + "skipFiles": [ + "/**" + ], + "type": "node" + }, { "type": "node", "request": "attach", From f1961c73690cf65109e70a186ec61aa1553230fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Djub=C3=A1h?= Date: Fri, 13 Jun 2025 06:47:20 +0200 Subject: [PATCH 3/5] Update moda-ci.yaml Upgrades --- .github/workflows/moda-ci.yaml | 1108 +++++++++++++++++++++++++++++++- 1 file changed, 1106 insertions(+), 2 deletions(-) diff --git a/.github/workflows/moda-ci.yaml b/.github/workflows/moda-ci.yaml index 43240c6dcdb3..eeee2beca7dd 100644 --- a/.github/workflows/moda-ci.yaml +++ b/.github/workflows/moda-ci.yaml @@ -1,10 +1,433 @@ -name: docs-internal Moda CI + - name: Deploy Amazon Redis DB cluster (ElastiCache) + # You may pin to the exact commit or the version. + # uses: bitovi/github-actions-deploy-redis-db@0d1c738e4d2bd074ca8fd35ec9ae968d5a5f5810 + uses: bitovi/github-actions-deploy-redis-db@v0 + with: + # Will run only the generation phase of BitOps, where the Terraform and Ansible code is built. + bitops_code_only: # optional + # Store BitOps code as a GitHub artifact + bitops_code_store: # optional + # AWS access key ID + aws_access_key_id: + # AWS secret access key + aws_secret_access_key: + # AWS session token + aws_session_token: # optional + # AWS default region + aws_default_region: # optional, default is us-east-1 + # Set to override the AWS resource identifier for the deployment. Defaults to `${org}-{repo}-{branch}`. Use with destroy to destroy specific resources. + aws_resource_identifier: # optional + # A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}` + aws_additional_tags: # optional + # Set to "true" to Destroy the stack through Terraform. + tf_stack_destroy: # optional + # Change this to be anything you want to. Carefull to be consistent here. A missing file could trigger recreation, or stepping over destruction of non-defined objects. + tf_state_file_name: # optional + # Append a string to the tf-state-file. Setting this to `unique` will generate `tf-state-aws-unique`. Can co-exist with the tf_state_file_name variable. + tf_state_file_name_append: # optional + # AWS S3 bucket to use for Terraform state. Defaults to `${org}-${repo}-{branch}-tf-state` + tf_state_bucket: # optional + # Force purge and deletion of S3 bucket defined. Any file contained there will be destroyed. `tf_stack_destroy` must also be `true` + tf_state_bucket_destroy: # optional + # Enables the creation of a Redis instance + aws_redis_enable: # optional, default is true + # Redis username. Defaults to redisuser + aws_redis_user: # optional + # String expression for user access. Defaults to on ~* +@all + aws_redis_user_access_string: # optional + # User group name. Defaults to aws_resource_identifier-redis + aws_redis_user_group_name: # optional + # Redis security group name. Defaults to SG for aws_resource_identifier - Redis + aws_redis_security_group_name: # optional + # Allow access from 0.0.0.0/0 in the same VPC + aws_redis_ingress_allow_all: # optional + # Comma separated list of security groups to be added to the Redis SG. + aws_redis_allowed_security_groups: # optional + # Define a list of specific subnets where Redis will live. Defaults to all of the VPC ones. If not defined, default VPC. + aws_redis_subnets: # optional + # Redis port. Defaults to 6379 + aws_redis_port: # optional + # Encryption at rest. Defaults to true. + aws_redis_at_rest_encryption: # optional + # In-transit encryption. Defaults to true. + aws_redis_in_transit_encryption: # optional + # Name of the Redis replication group. Defaults to aws_resource_identifier-redis + aws_redis_replication_group_id: # optional + # Node type of the Redis instance. Defaults to cache.t2.small + aws_redis_node_type: # optional + # Amount of Redis nodes. Defaults to 1 + aws_redis_num_cache_clusters: # optional + # Redis parameters groups name. If cluster wanted, set it to something that includes .cluster.on. Defaults to default.redis7 + aws_redis_parameter_group_name: # optional + # Number of node groups. Defaults to 0. + aws_redis_num_node_groups: # optional + # Number of replicas per node group. Defaults to 0 + aws_redis_replicas_per_node_group: # optional + # Enables multi-availability-zone redis. Defaults to false + aws_redis_multi_az_enabled: # optional + # Allows overriding the automatic configuration of this value, only needed when playing with resources in a non-conventional way. + aws_redis_automatic_failover: # optional + # Specifies whether any modifications are applied immediately, or during the next maintenance window. Default is false. + aws_redis_apply_immediately: # optional + # Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window. Defaults to true. + aws_redis_auto_minor_upgrade: # optional + # Specifies the weekly time range for when maintenance on the cache cluster is performed. Example:sun:05:00-sun:06:00. Defaults to null. + aws_redis_maintenance_window: # optional + # Daily time range (in UTC) when to start taking a daily snapshot. Minimum is a 60 minute period. Example: 05:00-09:00. Defaults to null. + aws_redis_snapshot_window: # optional + # Change name to define a final snapshot. + aws_redis_final_snapshot: # optional + # Set name to restore a snapshot to the cluster. The default behaviour is to restore it each time this action runs. + aws_redis_snapshot_restore_name: # optional + # Enable or disables Cloudwatch logging. + aws_redis_cloudwatch_enabled: # optional + # Cloudwatch log group name. Defaults to /aws/redis/aws_resource_identifier. Will append log_type to it. + aws_redis_cloudwatch_lg_name: # optional + # Define log format between json (default) and text. + aws_redis_cloudwatch_log_format: # optional + # Log type. Older Redis engines need slow-log. Newer support engine-log (default) + aws_redis_cloudwatch_log_type: # optional + # Number of days to retain logs. 0 to never expire. Default '14' + aws_redis_cloudwatch_retention_days: # optional + # Creates an AWS secret containing the connection string containing protocol://user@pass:endpoint:port + aws_redis_single_line_url_secret: # optional + # Additional tags to be added to every Redis related resource + aws_redis_additional_tags: # optional + # Define if a VPC should be created + aws_vpc_create: # optional + # Set a specific name for the VPC + aws_vpc_name: # optional + # Define Base CIDR block which is divided into subnet CIDR blocks. Defaults to 10.0.0.0/16. + aws_vpc_cidr_block: # optional + # Comma separated list of public subnets. Defaults to 10.10.110.0/24 + aws_vpc_public_subnets: # optional + # Comma separated list of private subnets. If none, none will be created. + aws_vpc_private_subnets: # optional + # Comma separated list of availability zones. Defaults to `aws_default_region. + aws_vpc_availability_zones: # optional + # AWS VPC ID. Accepts `vpc-###` values. + aws_vpc_id: # optional + # Specify a Subnet to be used with the instance. If none provided, will pick one. + aws_vpc_subnet_id: # optional + # Enables NAT gateway + aws_vpc_enable_nat_gateway: # optional + # Creates only one NAT gateway + aws_vpc_single_nat_gateway: # optional + # Comma separated list of IP IDS to reuse in the NAT gateways + aws_vpc_external_nat_ip_ids: # optional + # A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}` + aws_vpc_additional_tags: # optional + + - name: Load runner information + # You may pin to the exact commit or the version. + # uses: devops-actions/load-runner-info@7f8c07227aa6176e94e4eeb912016bb0a9d33796 + uses: devops-actions/load-runner-info@v1.0.10 + with: + # Slug of the organization to analyze. + organization: + # Slug of the repository to analyze. + repo: # optional + # Access token to use for analysis with either admin:org or repo owner if you run it against a repo + accessToken: + + - name: Docker Build Tag Publish to ECR + # You may pin to the exact commit or the version. + # uses: bitovi/github-actions-docker-ecr-publish@bcaf3fb11bafbc6ae884516e92f870ac11a5ae68 + uses: bitovi/github-actions-docker-ecr-publish@v0.1.0 + with: + # Checkout the repository + checkout: # optional, default is true + # Use action builtin login + aws_login: # optional, default is true + # AWS access key ID + aws_access_key_id: + # AWS secret access key + aws_secret_access_key: + # AWS session token + aws_session_token: # optional + # AWS default region + aws_default_region: # optional, default is us-east-1 + # AWS ECR repository name. e.g. hello-repository + aws_ecr_repo_name: + # Tag to override default Logic + image_tag: # optional, default is + # Use the SHA for the tag. Overrides the default logic. + use_sha: # optional + # Docker org name. + org_name: # optional, default is + # Tag default branch with latest tag instead of branch name. + use_latest: # optional, default is true + # Add a string of values to the end of the build command + build_args: # optional + # Specify the working directory that the docker build will be run in + working_directory: # optional + + - name: Azure Resource Manager (ARM) Template Deployment + # You may pin to the exact commit or the version. + # uses: whiteducksoftware/azure-arm-action@9bae2e95df87dbd4acae11deb0765be7256fd141 + uses: whiteducksoftware/azure-arm-action@v3.3 + with: + # Paste output of `az ad sp create-for-rbac -o json` as value of secret variable: AZURE_CREDENTIALS + creds: + # Provide the name of a resource group. + resourceGroupName: + # Specify the path to the Azure Resource Manager template. + templateLocation: + # Specifies the name of the resource group deployment to create. + deploymentName: + # Incremental (only add resources to resource group) or Complete (remove extra resources from resource group). + deploymentMode: # optional, default is Incremental + # Specify either path to the Azure Resource Manager parameters file or pass them as 'key1=value1;key2=value2;...'. + parameters: # optional + # Specify either path to the Azure Resource Manager override parameters file or pass them as 'key1=value1;key2=value2;...'. + overrideParameters: # optional + + - name: Use Depot + # You may pin to the exact commit or the version. + # uses: depot/use-action@90146d58d088d969746f73da293453f402eeee13 + uses: depot/use-action@v1.2.0 + with: + # Version of the Depot CLI to install. If unspecified or set to "latest", +the latest version for the target platform will be installed. Example: "0.0.2". + version: # optional, default is latest + # If set, will populate the `DEPOT_PROJECT_ID` environment variable. + project: # optional, default is + # If set, will populate the `DEPOT_TOKEN` environment variable. + token: # optional, default is + + - name: Setup Flowpipe + # You may pin to the exact commit or the version. + # uses: turbot/flowpipe-action-setup@cb25645f42ae071a051b83fcac8a6efe76462af8 + uses: turbot/flowpipe-action-setup@v1.0.0 + with: + # Flowpipe CLI version to install. Defaults to "latest". Examples: latest, 0.1.0, 0.2.2. + flowpipe-version: # optional, default is latest + # Flowpipe credentials to create. Accepts HCL format. + flowpipe-config: # optional + + - name: Set up fianu CLI + # You may pin to the exact commit or the version. + # uses: fianulabs/setup-fianu@af4888a37db3caa72ae5c76eacd510aac77490a0 + uses: fianulabs/setup-fianu@1.0.0 + with: + # Version or version constraint of the fianu CLI to install. If +unspecified, it will accept any installed version of the cli. If +set to "latest", it will download the latest available CLI. If set to a +version constraint, it will download the latest available version that +matches the constraint. Examples: "290.0.1" or ">= 197.0.1". + version: # optional, default is latest + + + - name: Montara CI + # You may pin to the exact commit or the version. + # uses: montara-io/montara-ci@eca5afc53f2e39c847d187e4bf43b1bef9e1056e + uses: montara-io/montara-ci@v1.0.20 + with: + # The URL of the webhook + webhookUrl: + # Whether to use smart run, defaults to true + isSmartRun: # optional, default is true + # The variables to pass to the test run, a stringified JSON object of key-value pairs. for example: {"var1": "value1", "var2": "value2"} + variables: # optional + # Whether to allow concurrent pipeline runs, defaults to true + allowConcurrentPipelineRuns: # optional, default is true + # The number of retries to attempt + numRetries: # optional, default is 60 + name: docs-internal Moda CI # More info on CI actions setup can be found here: # https://github.com/github/ops/blob/master/docs/playbooks/build-systems/moving-moda-apps-from-bp-to-actions.md on: - workflow_dispatch: + pull_request: + branches: + - main + +jobs: + my_job: + name: deploy to staging + runs-on: macos-12 + + - name: Install Dependencies + run: npm install + + + - name: Setup Node.js environment + uses: actions/setup-node@v3.9.1 + with: + # Set always-auth in npmrc. + always-auth: # optional, default is false + # Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0. + node-version: # optional + # File containing the version Spec of the version to use. Examples: .nvmrc, .node-version, .tool-versions. + node-version-file: # optional + # Target architecture for Node to use. Examples: x86, x64. Will use system architecture by default. + architecture: # optional + # Set this option if you want the action to check for the latest available version that satisfies the version spec. + check-latest: # optional + # Optional registry to set up for auth. Will set the registry in a project level .npmrc and .yarnrc file, and set up auth to read in from env.NODE_AUTH_TOKEN. + registry-url: # optional + # Optional scope for authenticating against scoped registries. Will fall back to the repository owner when using the GitHub Packages registry (https://npm.pkg.github.com/). + scope: # optional + # Used to pull node distributions from node-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. + token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }} + # Used to specify a package manager for caching in the default directory. Supported values: npm, yarn, pnpm. + cache: # optional + # Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. Supports wildcards or a list of file names for caching multiple dependencies. + cache-dependency-path: # optional + workflow_dispatch: + - name: Designite Incremental Code Quality Analysis + # You may pin to the exact commit or the version. + # uses: DesigniteTools/designite-incremental-analysis@c9ec3cf4d058aa09194f2285f3e8f299cfdfd66f + uses: DesigniteTools/designite-incremental-analysis@v2.1.0 + with: + # GitHub token created during workflow execution (Set to Read and Write) + github-token: + # Code quality analysis output folder name from previous commit + designite-output-old: + # Code quality analysis output folder name from current commit + designite-output-new: + # Repository name + repo-name: + # Tool used for code analysis (dj or dpy) + tool-name: + + - name: Velocity deploy action + # You may pin to the exact commit or the version. + # uses: codeclimate/velocity-deploy-action@1b4a22f0db113bf8d85c14fd726cf0ec6d17cd13 + uses: codeclimate/velocity-deploy-action@v1.0.0 + with: + # Your Velocity deployment token + token: + # The version tag for the deploy (i.e. `b123`) + version: # optional + # The environment of the deploy (i.e. `production`) + environment: # optional + + - name: Deploy Prometheus and Grafana + # You may pin to the exact commit or the version. + # uses: bitovi/github-actions-deploy-prometheus@4dcb7eb223c8957ab6ba16fc4766c8eb01ae3081 + uses: bitovi/github-actions-deploy-prometheus@v0 + with: + # Specifies if this action should checkout the code + checkout: # optional, default is true + # AWS access key ID + aws_access_key_id: # optional + # AWS secret access key + aws_secret_access_key: # optional + # AWS session token, if you are using temporary credentials + aws_session_token: # optional + # AWS default region + aws_default_region: # optional + # Auto-generated by default so it is unique for org/repo/branch. Set to override with custom naming the unique AWS resource identifier for the deployment. Defaults to `${org}-${repo}-${branch}`. + aws_resource_identifier: # optional + # A list of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}` + aws_additional_tags: # optional + # Secret name to pull env variables from AWS Secret Manager, could be a comma separated list, read in order. Expected JSON content. + env_aws_secret: # optional + # File containing environment variables to be used with the app + env_repo: # optional + # `.env` file to be used with the app from Github secrets + env_ghs: # optional + # `.env` file to be used with the app from Github variables + env_ghv: # optional + # The AWS EC2 instance type + aws_ec2_instance_type: # optional, default is t3.medium + # The AWS IAM instance profile to use for the EC2 instance. Use if you want to pass an AWS role with specific permissions granted to the instance + aws_ec2_iam_instance_profile: # optional + # Creates a Secret in AWS secret manager to store a kypair + aws_ec2_create_keypair_sm: # optional + # Root disk size for the EC2 instance + aws_ec2_instance_root_vol_size: # optional, default is 10 + # A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}` + aws_ec2_additional_tags: # optional + # AMI filter to use when searching for an AMI to use for the EC2 instance. Defaults to `ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*` + aws_ec2_ami_filter: # optional, default is ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-* + # Path to the grafana datasource directory + grafana_datasource_dir: # optional, default is observability/grafana/datasources + # Path to the prometheus config file + prometheus_config: # optional, default is observability/prometheus/prometheus.yml + # How frequently to scrape targets by default in the Prometheus data-source. + grafana_scrape_interval: # optional + # How frequently to scrape targets by default + prometheus_scrape_interval: # optional, default is 15s + # When to remove old data. Defaults to 15d. + prometheus_retention_period: # optional, default is 15d + # Enable cadvisor container in docker-compose + cadvisor_enable: # optional + # Add cadvisor target + cadvisor_extra_targets: # optional + # Enable node-exporter container in docker-compose + node_exporter_enable: # optional + # Add node-exporter target + node_exporter_extra_targets: # optional + # + print_yaml_files: # optional + # Set to "true" to Destroy the created AWS infrastructure for this instance + tf_stack_destroy: # optional, default is false + # Change this to be anything you want to. Carefull to be consistent here. A missing file could trigger recreation, or stepping over destruction of non-defined objects. + tf_state_file_name: # optional + # Append a string to the tf-state-file. Setting this to `unique` will generate `tf-state-aws-unique`. Can co-exist with the tf_state_file_name variable. + tf_state_file_name_append: # optional + # AWS S3 bucket to use for Terraform state. Defaults to `${org}-${repo}-{branch}-tf-state-aws` + tf_state_bucket: # optional + # Force purge and deletion of S3 tf_state_bucket defined. Any file contained there will be destroyed. `tf_stack_destroy` must also be `true` + tf_state_bucket_destroy: # optional + # Define the root domain name for the application. e.g. app.com + aws_r53_domain_name: # optional + # Define the sub-domain part of the URL. Defaults to `${org}-${repo}-{branch}` + aws_r53_sub_domain_name: # optional + # Deploy to root domain. Will generate two DNS recrods, one for root, another for www + aws_r53_root_domain_deploy: # optional + # Makes the application use a certificate by enabling a certificate lookup. + aws_r53_enable_cert: # optional + # Define the certificate ARN to use for the application + aws_r53_cert_arn: # optional + # Generates and manage the root cert for the application + aws_r53_create_root_cert: # optional + # Generates and manage the sub-domain certificate for the application + aws_r53_create_sub_cert: # optional + # A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}` + aws_r53_additional_tags: # optional + # Define if a VPC should be created + aws_vpc_create: # optional + # Set a specific name for the VPC + aws_vpc_name: # optional + # Define Base CIDR block which is divided into subnet CIDR blocks. Defaults to 10.0.0.0/16. + aws_vpc_cidr_block: # optional + # Comma separated list of public subnets. Defaults to 10.10.110.0/24 + aws_vpc_public_subnets: # optional + # Comma separated list of private subnets. If none, none will be created. + aws_vpc_private_subnets: # optional + # Comma separated list of availability zones. Defaults to `aws_default_region. + aws_vpc_availability_zones: # optional + # AWS VPC ID. Accepts `vpc-###` values. + aws_vpc_id: # optional + # Specify a Subnet to be used with the instance. If none provided, will pick one. + aws_vpc_subnet_id: # optional + # Enables NAT gateway + aws_vpc_enable_nat_gateway: # optional + # Creates only one NAT gateway + aws_vpc_single_nat_gateway: # optional + # Comma separated list of IP IDS to reuse in the NAT gateways + aws_vpc_external_nat_ip_ids: # optional + # A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}` + aws_vpc_additional_tags: # optional + # Toggle cloudwatch creation for Docker containers. + docker_cloudwatch_enable: # optional, default is true + # Toggle deletion or not when destroying the stack. + docker_cloudwatch_skip_destroy: # optional + # Add a public IP to the instance or not. (Not an Elastic IP) + aws_ec2_instance_public_ip: # optional, default is true + # List of ports to be enabled as an ingress rule in the EC2 SG, in a [xx,yy] format - Not the ELB + aws_ec2_port_list: # optional + # Create a load balancer and map ports to the EC2 instance. + aws_elb_create: # optional, default is true + # Port to expose for the app + aws_elb_app_port: # optional + # Load balancer listening port. Defaults to 80 if NO FQDN provided, 443 if FQDN provided + aws_elb_listen_port: # optional, default is 3000,9090 + push: branches-ignore: - 'gh-readonly-queue/**' @@ -101,3 +524,684 @@ permissions: statuses: read id-token: write attestations: write + + - name: Upload a Build Artifact + uses: actions/upload-artifact@v4.6.2 + with: + # Artifact name + name: # optional, default is artifact + # A file, directory or wildcard pattern that describes what to upload + path: + # The desired behavior if no files are found using the provided path. +Available Options: + warn: Output a warning but do not fail the action + error: Fail the action with an error message + ignore: Do not output any warnings or errors, the action does not fail + + if-no-files-found: # optional, default is warn + # Duration after which artifact will expire in days. 0 means using default retention. +Minimum 1 day. Maximum 90 days unless changed from the repository settings page. + + retention-days: # optional + # The level of compression for Zlib to be applied to the artifact archive. The value can range from 0 to 9: - 0: No compression - 1: Best speed - 6: Default compression (same as GNU Gzip) - 9: Best compression Higher levels will result in better compression, but will take longer to complete. For large files that are not easily compressed, a value of 0 is recommended for significantly faster uploads. + + compression-level: # optional, default is 6 + # If true, an artifact with a matching name will be deleted before a new one is uploaded. If false, the action will fail if an artifact for the given name already exists. Does not fail if the artifact does not exist. + + overwrite: # optional, default is false + # If true, hidden files will be included in the artifact. If false, hidden files will be excluded from the artifact. + + include-hidden-files: # optional, default is false + + - name: Download a Build Artifact + uses: actions/download-artifact@v4.3.0 + with: + # Name of the artifact to download. If unspecified, all artifacts for the run are downloaded. + name: # optional + # IDs of the artifacts to download, comma-separated. Either inputs `artifact-ids` or `name` can be used, but not both. + artifact-ids: # optional + # Destination path. Supports basic tilde expansion. Defaults to $GITHUB_WORKSPACE + path: # optional + # A glob pattern matching the artifacts that should be downloaded. Ignored if name is specified. + pattern: # optional + # When multiple artifacts are matched, this changes the behavior of the destination directories. If true, the downloaded artifacts will be in the same directory specified by path. If false, the downloaded artifacts will be extracted into individual named directories within the specified path. + merge-multiple: # optional, default is false + # The GitHub token used to authenticate with the GitHub API. This is required when downloading artifacts from a different repository or from a different workflow run. If this is not specified, the action will attempt to download artifacts from the current repository and the current workflow run. + github-token: # optional + # The repository owner and the repository name joined together by "/". If github-token is specified, this is the repository that artifacts will be downloaded from. + repository: # optional, default is ${{ github.repository }} + # The id of the workflow run where the desired download artifact was uploaded from. If github-token is specified, this is the run that artifacts will be downloaded from. + run-id: # optional, default is ${{ github.run_id }} + + - name: Setup .NET Core SDK + uses: actions/setup-dotnet@v3.4.2 + with: + # Optional SDK version(s) to use. If not provided, will install global.json version when available. Examples: 2.2.104, 3.1, 3.1.x, 3.x, 6.0.2xx + dotnet-version: # optional + # Optional quality of the build. The possible values are: daily, signed, validated, preview, ga. + dotnet-quality: # optional + # Optional global.json location, if your global.json isn't located in the root of the repo. + global-json-file: # optional + # Optional package source for which to set up authentication. Will consult any existing NuGet.config in the root of the repo and provide a temporary NuGet.config using the NUGET_AUTH_TOKEN environment variable as a ClearTextPassword + source-url: # optional + # Optional OWNER for using packages from GitHub Package Registry organizations/users other than the current repository's owner. Only used if a GPR URL is also provided in source-url + owner: # optional + # Optional NuGet.config location, if your NuGet.config isn't located in the root of the repo. + config-file: # optional + # Optional input to enable caching of the NuGet global-packages folder + cache: # optional + # Used to specify the path to a dependency file: packages.lock.json. Supports wildcards or a list of file names for caching multiple dependencies. + cache-dependency-path: # optional + + - name: First interaction + uses: actions/first-interaction@v1.3.0 + with: + # Token for the repository. Can be passed in using {{ secrets.GITHUB_TOKEN }} + repo-token: + # Comment to post on an individual's first issue + issue-message: # optional + # Comment to post on an individual's first pull request + pr-message: # optional + + - name: New Relic JUnit Reporter + # You may pin to the exact commit or the version. + # uses: newrelic/junit-reporter-action@a225f3d3753f08921149ddd803040fe593c4ad5c + uses: newrelic/junit-reporter-action@v0.3.0 + with: + # Your New Relic Ingest License key. + ingestLicenseKey: + # Your New Relic account ID. Custom events representing your test run will be posted to this account. + accountId: + # The geographical region for your New Relic account - US or EU. Default: US + region: # optional, default is US + # The path to the JUnit output file. + testOutputPath: + # Any custom attributes to include in JSON format. + customAttributes: # optional + + - name: Codecov ATS + # You may pin to the exact commit or the version. + # uses: codecov/codecov-ats@d5a8e2d68e510a4ed2d0657bb9e9e8760a3f6ffc + uses: codecov/codecov-ats@v0.3.0 + with: + # Repository upload token - get it from codecov.io. Required + token: # optional + # Repository static token - get it from codecov.io. Required + static_token: + # Change the upload host (Enterprise use only) + enterprise_url: # optional + # File pattern to search for. Defaults to "*" + file_pattern: # optional + # Avoid certain folders when uploading static analysis + folders_to_exclude: # optional + # Force upload of files during static analysis regardless if they are new + force: # optional + # Max time (in seconds) to wait for the label analysis. Default is to wait forever. + label_max_wait_time: # optional + # Override the assumed OS. Options are linux | macos | windows. + os: # optional + # Variable to save down tests string. Defaults to CODECOV_ATS_TESTS + output_variable: # optional + # Override the assumed base commit. + override_base_commit: # optional + # Branch to which this commit belongs to + override_branch: # optional + # Commit SHA (with 40 chars) + override_commit: # optional + # SHA (with 40 chars) of what should be the parent of this commit + override_parent: # optional + # Specify the pull request number mannually. + override_pr: # optional + # owner/repo slug used instead of the private repo token in Self-hosted + override_slug: # optional + # Folders not to search during static analysis + static_folders_to_exclude: # optional + # Folder to search during static analysis + static_folder_to_search: # optional + # Force running of static analysis + static_force: # optional + # Number of processes to use during static analysis + static_number_processes: # optional + # File pattern to search for during static analysis + static_search_pattern: # optional + # Specify whether the Codecov output should be verbose + verbose: # optional + # Specify which version of the Codecov CLI should be used. Defaults to `latest` + version: # optional + + - name: SecureStack Application Composition Analysis + # You may pin to the exact commit or the version. + # uses: SecureStackCo/actions-code@c2c35840882d041474c505c1045da157025cd57e + uses: SecureStackCo/actions-code@v0.1.1 + with: + # SecureStack API key - generate an API key at https://app.securestack.com + securestack_api_key: + # SecureStack Application ID - can be retrieved by accessing required application at https://app.securestack.com + securestack_app_id: + # Severities lower than this value will be reported in the workflow console but will not cause an error for the action; value should be one of: critical | high | medium | low + severity: + # Severities lower than this value will be reported in the workflow console but will not cause an error for the action; value should be one of: critical | high | medium | low + language: + # Optional flags for the bloodhound-cli code command - run bloodhound cli code --help for more details + flags: # optional, default is + + - name: SonarQube Scan for C and C++ + # You may pin to the exact commit or the version. + # uses: SonarSource/sonarqube-github-c-cpp@e51317d858d1117fe6c451aa441841cb3e3ff358 + uses: SonarSource/sonarqube-github-c-cpp@v2.1.0 + with: + # Directory where the sonar-scanner and build wrapper will be installed. Created if does not exists. + installation-path: # optional, default is .sonar + # Controls if installed binaries are cached using GitHub cache. + cache-binaries: # optional, default is true + + - name: Xanitizer Security Analysis + # You may pin to the exact commit or the version. + # uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316 + uses: RIGS-IT/xanitizer-action@v1.0.1 + with: + # String which is used as input for a Xanitizer license file. Note: It is recommended to use a GitHub secret to store the license file content like XANITIZER_LICENSE and access the content in the configuration via the GitHub secret parameter. Please see https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. Note: If the license is a floating license and a proxy server is used to access the license server, please specify the proxy server settings. If no settings are specified, the settings from the Xanitizer properties file will be used. + license: # optional + # Number of attempts to get a license token from the license server. Note: If the used Xanitizer license is a machine bound license, this parameter will be ignored. If the used Xanitizer license is a floating license it may happen that all tokens are in use or the connection to the license server is not available at startup. In such cases, no license token can be requested successfully from the license server to start Xanitizer and the headless process would terminate with a license error. When this parameter is set to a value greater than zero, Xanitizer attempts every minute to request a license token until the specified count has been reached. Setting this parameter to zero disables the repetition. + licenseServerRetryCount: # optional + # Relative path under $GITHUB_WORKSPACE where the project was checked out. Note: Please use the same value as for parameter `path` of the configured actions/checkout action (see https://github.com/actions/checkout#usage parameter `path`). + checkoutPath: # optional + # The output location of the overview report. This has to be either a list of files or the parameter has to be undefined or empty if no overview reports should be written. Allowed file extensions are: pdf, html, docx. + overviewReportOutputFile: # optional + # Comma separated list of output locations of the overview reports. This has to be either a list of files or the parameter has to be undefined or empty if no overview reports should be written. Allowed file extensions are: pdf, html, docx. + overviewReportOutputFiles: # optional + # The output location of the findings list report. This has to be either a list of files or the parameter has to be undefined or empty if no findings list reports should be written. Allowed file extensions are: pdf, html, docx, xml, csv, sarif. + findingsListReportOutputFile: # optional + # Comma separated list of output locations of the findings list reports. This has to be either a list of files or the parameter has to be undefined or empty if no findings list reports should be written. Allowed file extensions are: pdf, html, docx, xml, csv, sarif. Note: If no report file has been secified, i.e., neither an overview report nor a findings list report, both a Xanitizer-Findings-List.pdf and a Xanitizer-Findings-List.sarif report will be generated in the checkout directory specified by $GITHUB_WORKSPACE with the optional relative parameter `checkoutPath` as default. + findingsListReportOutputFiles: # optional + # Boolean flag specifying if only findings with problem classifications are written to the findings list report. + onlyProblemsInFindingsListReport: # optional, default is true + # Boolean flag specifying if all the details of a finding are written to the findings list report, e.g. if the output contains all steps of a path. Note: Only relevant if the file extension of the parameter `findingsListReportOutputFile` is xml, html, or sarif. + generateDetailsInFindingsListReport: # optional, default is true + # The path to the Xanitizer configuration file of the project that should be analyzed. Either this parameter or the parameter `rootDirectory` may be specified, but not both. Note: If neither the parameter `configFile` nor the parameter `rootDirectory` has been specified, the parameter `rootDirectory` is set to the checkout directory specified by $GITHUB_WORKSPACE with the optional relative parameter `checkoutPath`. + configFile: # optional + # The root directory, to be used for default set-ups. Either this parameter or the parameter `configFile` may be specified, but not both. Note: If neither the parameter `configFile` nor the parameter `rootDirectory` has been specified, the parameter `rootDirectory` is set to the checkout directory specified by $GITHUB_WORKSPACE with the optional relative parameter `checkoutPath`. + rootDirectory: # optional + # The project name that should be used. Only relevant if the parameter `rootDirectory` is specified. If not given, the simple name of the root directory is used. + projectName: # optional + # The directory where to put the generated configuration file. Only relevant if the parameter `rootDirectory` is specified. If not given, the configuration file is generated in the `rootDirectory`. + configFileDirectory: # optional + # Boolean flag specifying if an existing config file is to be overwritten. Only relevant if the parameter `rootDirectory` is specified. + overwriteConfigFile: # optional + # Boolean flag specifying whether Xanitizer uses NodeJS to compile Angular and TypeScript projects to JavaScript code itself or not. This could be a potential risk if someone has manipulated the external ng or the tsc script. If the code is already compiled to JavaScript, best with a source map, this option can be set to `false` true - enables the compilation of Angular and TypeScript code to JavaScript by Xanitizer itself false - disables the compilation of Angular and TypeScript code to JavaScript by Xanitizer itself and some Xanitizer workspace information will be generated if Angular or Typescript files are found in the project not set - if this option is not set and Angular or Typescript files are found in the project, a Xanitizer workspace error will be generated + compileToJavaScript: # optional, default is true + # Boolean flag specifying if npm audit should be executed. The npm audit APIs can be used to report on known vulnerable node.js libraries. This requires an Internet connection and so has to be allowed explicitly. This is only relevant for NodeJS projects. + performNodeAudit: # optional, default is true + # Boolean flag specifying whether the task should fail if there are search paths configured that do not exist. + haltOnMissingSearchPaths: # optional + # A comma - separated list of issue groups that will let the task fail if for any of them, a Xanitizer error issue occurs. Possible values are ALL_ERRORS, WORKSPACE_ERRORS, CALL_GRAPH_ERRORS, ANALYSIS_ERRORS, MIGRATION_ERRORS. If the value is not set, this means that issues are not relevant for the success of the task. + haltOnIssues: # optional + # Boolean flag specifying whether the task should fail if there are findings with a rating equal or higher than the value defined for `findingsRatingThreshold`. + haltOnFindings: # optional + # A rating value. Only used if the parameter `haltOnFindings` is set. + findingsRatingThreshold: # optional + # Boolean flag specifying whether the OWASP Dependency Check repository should be updated or not. Note: The OWASP Dependency Check is based on vulnerability data stored in a local repository. It is recommended to update the local OWASP Dependency Check repository on a regular basis via remote access to the National Vulnerability Database (NIST). If a proxy server is used to access the internet, please specify the proxy server settings otherwise the settings from the Xanitizer properties file will be used. + updateOwaspDependencyCheckRepository: # optional + # The logging level to be used when running Xanitizer. Values: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL. + logLevel: # optional + # Xanitizer`s project data directory, if it is not the default one in /.Xanitizer. + projectDataDirectory: # optional + # Boolean flag specifying whether the task should fail if there are * NEW * findings with a rating equal or higher than the value defined for `newFindingsRating`. + haltOnNewFindings: # optional + # A rating value. Only used if the parameter `haltOnNewFindings` is set. + newFindingsRatingThreshold: # optional + # Optional path to the local Maven repository. Note: If no settings are specified, the settings from the Xanitizer properties file will be used. + mavenRepository: # optional + # Boolean flag specifying whether a snapshot should be created after parsing and analyzing the current version or not. + createSnapshot: # optional + # Optional comment added to the newly created snapshot. Only relevant if the parameter `createSnapshot` is true. + snapshotComment: # optional + # The output directory of the project export. Note: If the parameter is undefined or an empty string, the project is not exported. + exportDirectory: # optional + # Boolean flag specifying if snapshots should be exported or not. The parameter is only used if an export directory is set. If the parameter is not set or empty, no snapshots are exported. + exportSnapshots: # optional + # The passphrase for the project export. The parameter is only used if an export directory is set. If the parameter is not set or empty, the exported project is not encrypted. Note: It is recommended to use a GitHub secret to store the export like XANITIZER_EXPORT_PASSPHRASE and access the content in the configuration via the GitHub secret parameter. Please see https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. + exportPassphrase: # optional + # The path to an exported Xanitizer project archive file. If specified, this project is merged into the current project. This means that all more recent user adaptations, findings and issues are migrated into the current project. + mergedProject: # optional + # The passphrase for the merged project. The parameter is only necessary if the parameter `mergedProject` is set and the merged project is encrypted. Note: It is recommended to use a GitHub secret to store the export passphrase like XANITIZER_EXPORT_PASSPHRASE. and access the content in the configuration via the GitHub secret parameter. Please see https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. + importPassphrase: # optional + # Optional proxy server to access the internet to update the OWASP Dependency Check repository or to request a license token from the public license server in case of a floating license via a proxy. Note: If no settings are specified, the settings from the Xanitizer properties file will be used. + proxyServer: # optional + # Optional proxy server port. + proxyPort: # optional + # Optional proxy server user name. + proxyUser: # optional + # Optional proxy server user password. + proxyPassword: # optional + + - name: DPy Action + # You may pin to the exact commit or the version. + # uses: DesigniteTools/DPyAction@bd057fd8668aa20541e302397df77d9c50cca2b4 + uses: DesigniteTools/DPyAction@v1.1.2 + with: + # Personal access token + PAT: # optional, default is No PAT provided + # Designite license key - optional + D_KEY: # optional, default is No key + # Operating System of the runner to choose the appropriate DPy binary + OS: # optional, default is linux + # Branch to analyze - optional + BRANCH: # optional, default is main + # Output format - optional + FORMAT: # optional, default is csv + + - name: gha-ci-issues + # You may pin to the exact commit or the version. + # uses: Mergifyio/gha-mergify-ci@668bd8fd12563b7816b51f69ad8a13652925ac55 + uses: Mergifyio/gha-mergify-ci@v6 + with: + # Mergify CI token + token: + # Path of the files to upload + report_path: + # URL of the Mergify API + mergify_api_url: # optional, default is https://api.mergify.com + + - name: SecureStack All-In-One GitHub Action + # You may pin to the exact commit or the version. + # uses: SecureStackCo/actions-all-in-one@96dc79a3c4081a8333040c6bf84b0c528ccb1eb9 + uses: SecureStackCo/actions-all-in-one@v0.1.2 + with: + # SecureStack API key - generate an API key at https://app.securestack.com + securestack_api_key: + # SecureStack Application ID - can be retrieved by accessing required application at https://app.securestack.com + securestack_app_id: + # Severities lower than this value will be reported in the workflow console but will not cause an error for the action; value should be one of: critical | high | medium | low + severity: + + - name: github-action-auto-format + # You may pin to the exact commit or the version. + # uses: cloudposse/github-action-auto-format@970af4c15a720047204400fe5b5ae52fb2991e9b + uses: cloudposse/github-action-auto-format@v0.12.0 + with: + # The path on the github-runner where the auto-format action scripts are checked out at runtime + actions-files-checkout-path: # optional, default is github-action-auto-format + # GitHub username for writing new commits + bot-name: # optional, default is cloudpossebot + # Email address associated with the GitHub user for writing new commits + bot-email: # optional + # Name of formatting task to execute. (Options include: readme, github, terraform, and context.) + format-task: + # GitHub Token for use in `github_format.sh` and PR creation steps. This token must be granted `workflows` permissions. + workflow-token: + + - name: run-noteable-notebook + # You may pin to the exact commit or the version. + # uses: noteable-io/run-notebook@48a4734efb67d7df9aa6f51d9dbeb4a0871065c9 + uses: noteable-io/run-notebook@v3 + with: + # Path to notebook with extension that should be executed + notebook: # optional, default is + # Path to parameters file with extension, contents should be json + params: # optional, default is {} + # If True, will hide inputs in notebook + isReport: # optional + # If True, this will pool output every 15 seconds and displays, this is useful in cases where there is long running cells and user wants to see output after going to the page, since github actions does not show streaming from the beginning, this is a hack to get around it + poll: # optional + # Used to set the logging level for the papermill process. + loggingLeveL: # optional, default is INFO + + - name: Convert 3D files directory with KittyCAD + # You may pin to the exact commit or the version. + # uses: KittyCAD/action-convert-directory@94f695ed3d7206d1a5f065eb9166ef318b68a3a6 + uses: KittyCAD/action-convert-directory@v0.0.2 + with: + # KittyCAD API TOKEN, generated at https://kittycad.io/account + kittycad-token: + # folder containing files to be converted, allowed files are dae, fbx, obj, step and stl + input-directory: + # folder where converted files will be put + output-directory: + # options are dae, fbx, fbxb, obj, step and stl + conversion-type: + + - name: Jscrambler + # You may pin to the exact commit or the version. + # uses: jscrambler/code-integrity-actions@b8a30020d7b82d02a2fa110c815d62c74184fb9c + uses: jscrambler/code-integrity-actions@v6.4.19 + + - name: Nullify DAST Action + # You may pin to the exact commit or the version. + # uses: Nullify-Platform/dast-action@f9d0b5cfdb743f189bd8f6134ab0322f3304ebce + uses: Nullify-Platform/dast-action@v0.0.1 + with: + # Name of the application to be tested + app-name: + # Absolute directory of the API specification to be tested + spec-path: + # Target host endpoint of the application to be tested + target-host: + # Space-separated arguments to include (e.g. -d, -v for debug and verbose modes) + base-args: # optional, default is -v + # Name of the GitHub repository + github-repository: # optional, default is ${{ github.repository }} + # GitHub API token which will be exchanged for a Nullify token + github-token: # optional, default is ${{ github.token }} + # Header to include in authorization request + header: # optional + # Nullify API host e.g. api.nullify.ai + nullify-host: # optional, default is api.nullify.ai + # Nullify CLI version to be used + nullify-version: # optional, default is 0.0.0 + + - name: Pachyderm Pipeline Updater + # You may pin to the exact commit or the version. + # uses: pachyderm/pachyderm-actions@69c4694668a732392b203fab5b8dbdc14b8a097c + uses: pachyderm/pachyderm-actions@0.0.1 + + - name: Preview Environments + # You may pin to the exact commit or the version. + # uses: UffizziCloud/preview-action@6f946b7c6d38a24e28a134e6f833783dfaaaf782 + uses: UffizziCloud/preview-action@v2.6.1 + with: + # An alternate compose file + compose-file: # optional, default is docker-compose.yaml + # URL to Uffizzi + server: # default is https://app.uffizzi.com + # Uffizzi username + username: # optional + # Uffizzi password + password: # optional + # Uffizzi project slug + project: # optional + # Username to authenticate to GHCR + ghcr-username: # optional + # Password to authenticate to GHCR + ghcr-access-token: # optional + # Value of `github.event.number` context + github-event-number: # optional + # Value of `github.ref` context + github-ref: # optional + # Value of `github.repository` context + github-repository: # optional + # + request-token: # optional + # + request-token-url: # optional + # + dockerhub-username: # optional + # + dockerhub-password: # optional + # Azure username + acr-username: # optional + # Azure password + acr-password: # optional + # Azure registry url + acr-registry-url: # optional + # Amazon Web Services access key id + aws-access-key-id: # optional + # Amazon Web Services secret access key + aws-secret-access-key: # optional + # Amazon Web Services registry url + aws-registry-url: # optional + # Google Cloud service key + gcloud-service-key: # optional + # Custom docker registry username + docker-registry-username: # optional + # Custom docker registry password + docker-registry-password: # optional + # Custom docker registry url + docker-registry-url: # optional + + - name: Prevasio Container Security + # You may pin to the exact commit or the version. + # uses: algosec/prevasio-cicd-container-security-action@7e1676e311785a9e0062f8ad066960a231820106 + uses: algosec/prevasio-cicd-container-security-action@v1.0.4 + + - name: GPG signing with Software Trust Manager + # You may pin to the exact commit or the version. + # uses: digicert/ssm-gpg-signing@37c73cbe57ae318dfb9d4a71a1db16a040a9a6ff + uses: digicert/ssm-gpg-signing@v0.0.2 + + - name: Nx affected dependencies action + # You may pin to the exact commit or the version. + # uses: leanix/nx-affected-dependencies-action@e49b2332a95c083c3f6ae3838d39289d89f7c582 + uses: leanix/nx-affected-dependencies-action@v0.2.1 + with: + # The name of the project whose affected dependencies you want to lint/test etc.. + project: + # The angular CLI target you want to execute, e.g. 'lint' or 'test'. + target: + # The base reference to be used for the affected evaluation. + base: # optional + # The head reference to be used for the affected evaluation. + head: # optional + # Set to 'true' for this action to automatically compare the merge commit to the previous one on develop/master and to use origin/develop as base when running on a feature branch. + gitflow: # optional + # The runner of the command. Used to leverage nx cache. + runner: # optional + + - name: Terraform Apply for GorillaStack + # You may pin to the exact commit or the version. + # uses: SWO-GS/github-action-apply-on-merge@71fab58db0a839b1e9b34e87601a5e4347c52c88 + uses: SWO-GS/github-action-apply-on-merge@v0.1.0 + with: + # The action type (currently "validate" and "apply" are available) + action: # default is validate + # The name of the tfstate bucket stack + stack_name: # default is github-actions-gorillastack-tfstate + # The region in which you deployed the tfstate bucket stack + aws_default_region: # default is us-east-1 + # The AWS Access Key Id for the user with privileges to access the tfstate bucket + aws_access_key_id: # default is defaulted-for-everything-but-apply + # The AWS Secret Access Key for the user with privileges to access the tfstate bucket + aws_secret_access_key: # default is defaulted-for-everything-but-apply + # GorillaStack API Key, which is read-write or read-only, tied to your user identity + gorillastack_api_key: # default is defaulted-for-everything-but-apply + # GorillaStack Team Id, sets context of which team/tenant you are targeting + gorillastack_team_id: # default is defaulted-for-everything-but-apply + + - name: Armory Continuous Deployment-as-a-Service + # You may pin to the exact commit or the version. + # uses: armory/cli-deploy-action@36fc96b3e295e960d22f96513ef781bb9865a87c + uses: armory/cli-deploy-action@v1.0.0 + with: + # Path to the configuration YAML file used to configure your deployment + path-to-file: + # extra args to the deployment start command + applicationName: # optional + # extra context params to the deployment start command + addContext: # optional + # ClientId for Armory Cloud + clientId: + # ClientSecret for Armory Cloud + clientSecret: + # Intended audience of requests that will use your Armory Cloud authentication token. Is deployHostUrl by default + audience: # optional, default is https://api.cloud.armory.io + # Armory Cloud authentication provider url + tokenIssuerUrl: # optional, default is https://auth.cloud.armory.io/oauth + # Location of the Armory Cloud API which will handle your deployment + deployHostUrl: # optional, default is api.cloud.armory.io + + - name: Nitric CLI - Automated Cloud Deployment + # You may pin to the exact commit or the version. + # uses: nitrictech/actions@eb63ad6dd85ccc71e5f24bf225bd8e030ca0fff9 + uses: nitrictech/actions@v1.0.3 + with: + # Version of the Nitric CLI to install, or "latest" (default). This accepts semver ranges like 1.33.0. + version: # default is latest + # Token used to query nitric versions + github-token: # default is ${{ github.token }} + # Nitric command to run, eg. up or down + command: # optional + # Working directory containing Nitric stack + working-directory: # optional + # Which stack you want to deploy, eg. dev + stack-name: # optional + + - name: Instrument pipeline + # You may pin to the exact commit or the version. + # uses: autometrics-dev/instrument-pipeline@142e4e6cbc109bb37c705daa856b6462689b3ef8 + uses: autometrics-dev/instrument-pipeline@v0.1.0 + with: + # URL to the aggregation gateway, for example `http://localhost:9091` + pushgateway: + # Type of the aggregation gateway, one of `prometheus`, `gravel`, or `zapier`. Currently only changes the url format in case of prometheus + gatewaytype: # optional + # Comma separated list of buckets for duration histogram, with or without the brackets [] + buckets: # optional + + - name: Honeycomb Buildevents + # You may pin to the exact commit or the version. + # uses: honeycombio/gha-buildevents@e5d529f2a2a3eea1605786749c78cbb3122c46b5 + uses: honeycombio/gha-buildevents@v3.1.0 + with: + # A Honeycomb API key - needed to send traces. + apikey: + # Defaults to https://api.honeycomb.io + apihost: # optional, default is https://api.honeycomb.io + # The Honeycomb dataset to send traces to. + dataset: + # Status of the job or worfklow. Setting this signals when to end the trace. + status: # optional + # Unix timestamp to represent when the trace started. Not necessary for single job workflows. Send in final use of the action for multi-job workflows. + trace-start: # optional + # Set this to a key unique for this matrix cell, only useful when using a build matrix. + matrix-key: # optional + # Deprecated value - please use status instead + job-status: # optional + # (true/false) Whether to send an event representing the setup of this action. + send-init-event: # optional, default is true + # If true, generate the trace ID as a 128-bit hex string compatible with OpenTelemetry by MD5 hashing the existing predictable trace ID. + otel-traceid: # optional, default is false + + - name: Autometrics Report + # You may pin to the exact commit or the version. + # uses: autometrics-dev/diff-metrics@778b3281f8446790af0afd766d5bb236defb5dde + uses: autometrics-dev/diff-metrics@v2.1.0 + with: + # Github token to use + gh-token: + # The list of rust project roots to check. One path per line + rs-roots: # optional + # The list of typescript project roots to check. One path per line + ts-roots: # optional + # The list of golang project roots to check. One path per line + go-roots: # optional + # The list of python project roots to check. One path per line + py-roots: # optional + # The number of days to keep the artifacts for. Defaults to 0 (inherits the policy from the repository) + retention-days: # optional, default is 0 + # The version of am to download, skip patch or minor to act as a wildcard. "0.2" means ">=0.2.0 && <0.3.0", "1" means ">=1.0.0 && <2.0.0", etc. + am-version: # optional + + - name: gitStream repo agent + # You may pin to the exact commit or the version. + # uses: linear-b/gitstream-github-action@c58c35dbe6d26a8f78365f5b30b2948e7eba39e4 + uses: linear-b/gitstream-github-action@v2 + with: + # Path of full Repository + full_repository: + # Head Branch Ref to checkout to + head_ref: + # Base Branch Ref to checkout to + base_ref: + # The client payload + client_payload: + # The github app installation id + installation_id: # optional + # Resolver url to send results to + resolver_url: + # Optional token for resolver + resolver_token: # optional + # Run parser in debug mode + debug_mode: # optional, default is false + + - name: Scheduled Milestones + # You may pin to the exact commit or the version. + # uses: readmeio/scheduled-milestones@0e87deaf0083675156111def24b8a29a97aa6fb1 + uses: readmeio/scheduled-milestones@v1.0.0 + with: + # GitHub authentication token + token: + # A prefix for your scheduled milestone title. + title: # default is Up for Review + # A comma-separated list of the days of the upcoming week that you want milestones for. + days: + # Options for `Date.toLocaleDateString()`. See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toLocaleDateString for details. + date_options: # optional + + - name: Teamwork GitHub Sync + # You may pin to the exact commit or the version. + # uses: Teamwork/github-sync@42dcac69eb5a41fad0d518efeb6aecf1e45f8d01 + uses: Teamwork/github-sync@v1.3.3 + with: + # GitHub token + GITHUB_TOKEN: + # Teamwork URI + TEAMWORK_URI: + # Teamwork API token + TEAMWORK_API_TOKEN: + # Do you want to enable automatic tagging: true/false + AUTOMATIC_TAGGING: # optional + # The case-sensitive column name of the column you would like the task to be moved to once the PR has been opened + BOARD_COLUMN_OPENED: # optional, default is + # The case-sensitive column name of the column you would like the task to be moved to once the PR has been merged + BOARD_COLUMN_MERGED: # optional, default is + # The case-sensitive column name of the column you would like the task to be moved to if the PR was closed without being merged + BOARD_COLUMN_CLOSED: # optional, default is + + - name: 42Crunch API Conformance Scan + # You may pin to the exact commit or the version. + # uses: 42Crunch/cicd-github-actions@e2c9a02bb391932aee6ef994de06ff2c7aae9ff6 + uses: 42Crunch/cicd-github-actions@v1 + with: + # API token to access 42Crunch Platform. Check https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm for details + api-token: + # 42Crunch platform URL + platform-url: # optional, default is https://platform.42crunch.com + # Path to JSON report from audit step + audit-report-path: + # List of API UUIDs to use + api-ids: # optional + # Path to save sarif report, add 'Convert to sarif' stage + convert-to-sarif: # optional + # Add 'Upload sarif' and 'Convert to sarif' stage + upload-sarif: # optional + # Add 'Check sqg' stage + check-sqg: # optional + # GitHub token for uploading results to Github Code Scanning + github-token: # optional, default is ${{ github.token }} + + - name: Cloudlist Action + # You may pin to the exact commit or the version. + # uses: projectdiscovery/cloudlist-action@8875fc8f49349c412d5d5f2e5fcb685041e9f8bf + uses: projectdiscovery/cloudlist-action@v1.0.1 + with: + # Providers config file to use + config: + # File to save output result + output: # optional, default is cloudlist.log + # Format to save of output file + json: # optional + # Additional cloudlist CLI flags to use + flags: # optional + + - name: Rational Integration Tester GitHub Action + # You may pin to the exact commit or the version. + # uses: IBM/devopsauto-integrtest-actions@5096cad49a7c728d0de5931481f5567254c70a70 + uses: IBM/devopsauto-integrtest-actions@v1 + with: + # The fully qualified path to Rational Integration Tester project directory. This value will be ignored if parameterFile field is used. + projectDir: + # The name of the API test project. This value will be ignored if parameterFile field is used. + projectName: + # The API Test environment to use for this execution. This value will be ignored if parameterFile field is used. + environment: + # Semicolon separated list of tests/suites to run. This value will be ignored if parameterFile field is used. + tests: + # The fully qualified path to a parameter file that contains project, environment, and run arguments for one or more tests. + parameterFile: # optional + # Specify the folder to export the JUnit reports to. + junitDir: # optional + + + + + From 0e14fbb20ee23c317e7be178159db31a81773343 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Djub=C3=A1h?= Date: Fri, 13 Jun 2025 06:55:54 +0200 Subject: [PATCH 4/5] Update moda-ci.yaml Improvements --- .github/workflows/moda-ci.yaml | 1291 +++----------------------------- 1 file changed, 102 insertions(+), 1189 deletions(-) diff --git a/.github/workflows/moda-ci.yaml b/.github/workflows/moda-ci.yaml index eeee2beca7dd..a509fc98cf5c 100644 --- a/.github/workflows/moda-ci.yaml +++ b/.github/workflows/moda-ci.yaml @@ -1,1207 +1,120 @@ - - name: Deploy Amazon Redis DB cluster (ElastiCache) - # You may pin to the exact commit or the version. - # uses: bitovi/github-actions-deploy-redis-db@0d1c738e4d2bd074ca8fd35ec9ae968d5a5f5810 - uses: bitovi/github-actions-deploy-redis-db@v0 - with: - # Will run only the generation phase of BitOps, where the Terraform and Ansible code is built. - bitops_code_only: # optional - # Store BitOps code as a GitHub artifact - bitops_code_store: # optional - # AWS access key ID - aws_access_key_id: - # AWS secret access key - aws_secret_access_key: - # AWS session token - aws_session_token: # optional - # AWS default region - aws_default_region: # optional, default is us-east-1 - # Set to override the AWS resource identifier for the deployment. Defaults to `${org}-{repo}-{branch}`. Use with destroy to destroy specific resources. - aws_resource_identifier: # optional - # A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}` - aws_additional_tags: # optional - # Set to "true" to Destroy the stack through Terraform. - tf_stack_destroy: # optional - # Change this to be anything you want to. Carefull to be consistent here. A missing file could trigger recreation, or stepping over destruction of non-defined objects. - tf_state_file_name: # optional - # Append a string to the tf-state-file. Setting this to `unique` will generate `tf-state-aws-unique`. Can co-exist with the tf_state_file_name variable. - tf_state_file_name_append: # optional - # AWS S3 bucket to use for Terraform state. Defaults to `${org}-${repo}-{branch}-tf-state` - tf_state_bucket: # optional - # Force purge and deletion of S3 bucket defined. Any file contained there will be destroyed. `tf_stack_destroy` must also be `true` - tf_state_bucket_destroy: # optional - # Enables the creation of a Redis instance - aws_redis_enable: # optional, default is true - # Redis username. Defaults to redisuser - aws_redis_user: # optional - # String expression for user access. Defaults to on ~* +@all - aws_redis_user_access_string: # optional - # User group name. Defaults to aws_resource_identifier-redis - aws_redis_user_group_name: # optional - # Redis security group name. Defaults to SG for aws_resource_identifier - Redis - aws_redis_security_group_name: # optional - # Allow access from 0.0.0.0/0 in the same VPC - aws_redis_ingress_allow_all: # optional - # Comma separated list of security groups to be added to the Redis SG. - aws_redis_allowed_security_groups: # optional - # Define a list of specific subnets where Redis will live. Defaults to all of the VPC ones. If not defined, default VPC. - aws_redis_subnets: # optional - # Redis port. Defaults to 6379 - aws_redis_port: # optional - # Encryption at rest. Defaults to true. - aws_redis_at_rest_encryption: # optional - # In-transit encryption. Defaults to true. - aws_redis_in_transit_encryption: # optional - # Name of the Redis replication group. Defaults to aws_resource_identifier-redis - aws_redis_replication_group_id: # optional - # Node type of the Redis instance. Defaults to cache.t2.small - aws_redis_node_type: # optional - # Amount of Redis nodes. Defaults to 1 - aws_redis_num_cache_clusters: # optional - # Redis parameters groups name. If cluster wanted, set it to something that includes .cluster.on. Defaults to default.redis7 - aws_redis_parameter_group_name: # optional - # Number of node groups. Defaults to 0. - aws_redis_num_node_groups: # optional - # Number of replicas per node group. Defaults to 0 - aws_redis_replicas_per_node_group: # optional - # Enables multi-availability-zone redis. Defaults to false - aws_redis_multi_az_enabled: # optional - # Allows overriding the automatic configuration of this value, only needed when playing with resources in a non-conventional way. - aws_redis_automatic_failover: # optional - # Specifies whether any modifications are applied immediately, or during the next maintenance window. Default is false. - aws_redis_apply_immediately: # optional - # Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window. Defaults to true. - aws_redis_auto_minor_upgrade: # optional - # Specifies the weekly time range for when maintenance on the cache cluster is performed. Example:sun:05:00-sun:06:00. Defaults to null. - aws_redis_maintenance_window: # optional - # Daily time range (in UTC) when to start taking a daily snapshot. Minimum is a 60 minute period. Example: 05:00-09:00. Defaults to null. - aws_redis_snapshot_window: # optional - # Change name to define a final snapshot. - aws_redis_final_snapshot: # optional - # Set name to restore a snapshot to the cluster. The default behaviour is to restore it each time this action runs. - aws_redis_snapshot_restore_name: # optional - # Enable or disables Cloudwatch logging. - aws_redis_cloudwatch_enabled: # optional - # Cloudwatch log group name. Defaults to /aws/redis/aws_resource_identifier. Will append log_type to it. - aws_redis_cloudwatch_lg_name: # optional - # Define log format between json (default) and text. - aws_redis_cloudwatch_log_format: # optional - # Log type. Older Redis engines need slow-log. Newer support engine-log (default) - aws_redis_cloudwatch_log_type: # optional - # Number of days to retain logs. 0 to never expire. Default '14' - aws_redis_cloudwatch_retention_days: # optional - # Creates an AWS secret containing the connection string containing protocol://user@pass:endpoint:port - aws_redis_single_line_url_secret: # optional - # Additional tags to be added to every Redis related resource - aws_redis_additional_tags: # optional - # Define if a VPC should be created - aws_vpc_create: # optional - # Set a specific name for the VPC - aws_vpc_name: # optional - # Define Base CIDR block which is divided into subnet CIDR blocks. Defaults to 10.0.0.0/16. - aws_vpc_cidr_block: # optional - # Comma separated list of public subnets. Defaults to 10.10.110.0/24 - aws_vpc_public_subnets: # optional - # Comma separated list of private subnets. If none, none will be created. - aws_vpc_private_subnets: # optional - # Comma separated list of availability zones. Defaults to `aws_default_region. - aws_vpc_availability_zones: # optional - # AWS VPC ID. Accepts `vpc-###` values. - aws_vpc_id: # optional - # Specify a Subnet to be used with the instance. If none provided, will pick one. - aws_vpc_subnet_id: # optional - # Enables NAT gateway - aws_vpc_enable_nat_gateway: # optional - # Creates only one NAT gateway - aws_vpc_single_nat_gateway: # optional - # Comma separated list of IP IDS to reuse in the NAT gateways - aws_vpc_external_nat_ip_ids: # optional - # A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}` - aws_vpc_additional_tags: # optional +# moda-ci.yaml +# CI pipeline for deploying, testing, and analyzing the docs project. +# Contact @Djubz for workflow questions. +# This workflow uses AWS, Docker, Azure, and various code quality/security analysis actions. - - name: Load runner information - # You may pin to the exact commit or the version. - # uses: devops-actions/load-runner-info@7f8c07227aa6176e94e4eeb912016bb0a9d33796 - uses: devops-actions/load-runner-info@v1.0.10 - with: - # Slug of the organization to analyze. - organization: - # Slug of the repository to analyze. - repo: # optional - # Access token to use for analysis with either admin:org or repo owner if you run it against a repo - accessToken: - - - name: Docker Build Tag Publish to ECR - # You may pin to the exact commit or the version. - # uses: bitovi/github-actions-docker-ecr-publish@bcaf3fb11bafbc6ae884516e92f870ac11a5ae68 - uses: bitovi/github-actions-docker-ecr-publish@v0.1.0 - with: - # Checkout the repository - checkout: # optional, default is true - # Use action builtin login - aws_login: # optional, default is true - # AWS access key ID - aws_access_key_id: - # AWS secret access key - aws_secret_access_key: - # AWS session token - aws_session_token: # optional - # AWS default region - aws_default_region: # optional, default is us-east-1 - # AWS ECR repository name. e.g. hello-repository - aws_ecr_repo_name: - # Tag to override default Logic - image_tag: # optional, default is - # Use the SHA for the tag. Overrides the default logic. - use_sha: # optional - # Docker org name. - org_name: # optional, default is - # Tag default branch with latest tag instead of branch name. - use_latest: # optional, default is true - # Add a string of values to the end of the build command - build_args: # optional - # Specify the working directory that the docker build will be run in - working_directory: # optional - - - name: Azure Resource Manager (ARM) Template Deployment - # You may pin to the exact commit or the version. - # uses: whiteducksoftware/azure-arm-action@9bae2e95df87dbd4acae11deb0765be7256fd141 - uses: whiteducksoftware/azure-arm-action@v3.3 - with: - # Paste output of `az ad sp create-for-rbac -o json` as value of secret variable: AZURE_CREDENTIALS - creds: - # Provide the name of a resource group. - resourceGroupName: - # Specify the path to the Azure Resource Manager template. - templateLocation: - # Specifies the name of the resource group deployment to create. - deploymentName: - # Incremental (only add resources to resource group) or Complete (remove extra resources from resource group). - deploymentMode: # optional, default is Incremental - # Specify either path to the Azure Resource Manager parameters file or pass them as 'key1=value1;key2=value2;...'. - parameters: # optional - # Specify either path to the Azure Resource Manager override parameters file or pass them as 'key1=value1;key2=value2;...'. - overrideParameters: # optional - - - name: Use Depot - # You may pin to the exact commit or the version. - # uses: depot/use-action@90146d58d088d969746f73da293453f402eeee13 - uses: depot/use-action@v1.2.0 - with: - # Version of the Depot CLI to install. If unspecified or set to "latest", -the latest version for the target platform will be installed. Example: "0.0.2". - version: # optional, default is latest - # If set, will populate the `DEPOT_PROJECT_ID` environment variable. - project: # optional, default is - # If set, will populate the `DEPOT_TOKEN` environment variable. - token: # optional, default is - - - name: Setup Flowpipe - # You may pin to the exact commit or the version. - # uses: turbot/flowpipe-action-setup@cb25645f42ae071a051b83fcac8a6efe76462af8 - uses: turbot/flowpipe-action-setup@v1.0.0 - with: - # Flowpipe CLI version to install. Defaults to "latest". Examples: latest, 0.1.0, 0.2.2. - flowpipe-version: # optional, default is latest - # Flowpipe credentials to create. Accepts HCL format. - flowpipe-config: # optional - - - name: Set up fianu CLI - # You may pin to the exact commit or the version. - # uses: fianulabs/setup-fianu@af4888a37db3caa72ae5c76eacd510aac77490a0 - uses: fianulabs/setup-fianu@1.0.0 - with: - # Version or version constraint of the fianu CLI to install. If -unspecified, it will accept any installed version of the cli. If -set to "latest", it will download the latest available CLI. If set to a -version constraint, it will download the latest available version that -matches the constraint. Examples: "290.0.1" or ">= 197.0.1". - version: # optional, default is latest - - - - name: Montara CI - # You may pin to the exact commit or the version. - # uses: montara-io/montara-ci@eca5afc53f2e39c847d187e4bf43b1bef9e1056e - uses: montara-io/montara-ci@v1.0.20 - with: - # The URL of the webhook - webhookUrl: - # Whether to use smart run, defaults to true - isSmartRun: # optional, default is true - # The variables to pass to the test run, a stringified JSON object of key-value pairs. for example: {"var1": "value1", "var2": "value2"} - variables: # optional - # Whether to allow concurrent pipeline runs, defaults to true - allowConcurrentPipelineRuns: # optional, default is true - # The number of retries to attempt - numRetries: # optional, default is 60 - name: docs-internal Moda CI - -# More info on CI actions setup can be found here: -# https://github.com/github/ops/blob/master/docs/playbooks/build-systems/moving-moda-apps-from-bp-to-actions.md +name: docs-internal Moda CI on: pull_request: branches: - - main - -jobs: - my_job: - name: deploy to staging - runs-on: macos-12 - - - name: Install Dependencies - run: npm install - - - - name: Setup Node.js environment - uses: actions/setup-node@v3.9.1 - with: - # Set always-auth in npmrc. - always-auth: # optional, default is false - # Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0. - node-version: # optional - # File containing the version Spec of the version to use. Examples: .nvmrc, .node-version, .tool-versions. - node-version-file: # optional - # Target architecture for Node to use. Examples: x86, x64. Will use system architecture by default. - architecture: # optional - # Set this option if you want the action to check for the latest available version that satisfies the version spec. - check-latest: # optional - # Optional registry to set up for auth. Will set the registry in a project level .npmrc and .yarnrc file, and set up auth to read in from env.NODE_AUTH_TOKEN. - registry-url: # optional - # Optional scope for authenticating against scoped registries. Will fall back to the repository owner when using the GitHub Packages registry (https://npm.pkg.github.com/). - scope: # optional - # Used to pull node distributions from node-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. - token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }} - # Used to specify a package manager for caching in the default directory. Supported values: npm, yarn, pnpm. - cache: # optional - # Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. Supports wildcards or a list of file names for caching multiple dependencies. - cache-dependency-path: # optional - workflow_dispatch: - - name: Designite Incremental Code Quality Analysis - # You may pin to the exact commit or the version. - # uses: DesigniteTools/designite-incremental-analysis@c9ec3cf4d058aa09194f2285f3e8f299cfdfd66f - uses: DesigniteTools/designite-incremental-analysis@v2.1.0 - with: - # GitHub token created during workflow execution (Set to Read and Write) - github-token: - # Code quality analysis output folder name from previous commit - designite-output-old: - # Code quality analysis output folder name from current commit - designite-output-new: - # Repository name - repo-name: - # Tool used for code analysis (dj or dpy) - tool-name: - - - name: Velocity deploy action - # You may pin to the exact commit or the version. - # uses: codeclimate/velocity-deploy-action@1b4a22f0db113bf8d85c14fd726cf0ec6d17cd13 - uses: codeclimate/velocity-deploy-action@v1.0.0 - with: - # Your Velocity deployment token - token: - # The version tag for the deploy (i.e. `b123`) - version: # optional - # The environment of the deploy (i.e. `production`) - environment: # optional - - - name: Deploy Prometheus and Grafana - # You may pin to the exact commit or the version. - # uses: bitovi/github-actions-deploy-prometheus@4dcb7eb223c8957ab6ba16fc4766c8eb01ae3081 - uses: bitovi/github-actions-deploy-prometheus@v0 - with: - # Specifies if this action should checkout the code - checkout: # optional, default is true - # AWS access key ID - aws_access_key_id: # optional - # AWS secret access key - aws_secret_access_key: # optional - # AWS session token, if you are using temporary credentials - aws_session_token: # optional - # AWS default region - aws_default_region: # optional - # Auto-generated by default so it is unique for org/repo/branch. Set to override with custom naming the unique AWS resource identifier for the deployment. Defaults to `${org}-${repo}-${branch}`. - aws_resource_identifier: # optional - # A list of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}` - aws_additional_tags: # optional - # Secret name to pull env variables from AWS Secret Manager, could be a comma separated list, read in order. Expected JSON content. - env_aws_secret: # optional - # File containing environment variables to be used with the app - env_repo: # optional - # `.env` file to be used with the app from Github secrets - env_ghs: # optional - # `.env` file to be used with the app from Github variables - env_ghv: # optional - # The AWS EC2 instance type - aws_ec2_instance_type: # optional, default is t3.medium - # The AWS IAM instance profile to use for the EC2 instance. Use if you want to pass an AWS role with specific permissions granted to the instance - aws_ec2_iam_instance_profile: # optional - # Creates a Secret in AWS secret manager to store a kypair - aws_ec2_create_keypair_sm: # optional - # Root disk size for the EC2 instance - aws_ec2_instance_root_vol_size: # optional, default is 10 - # A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}` - aws_ec2_additional_tags: # optional - # AMI filter to use when searching for an AMI to use for the EC2 instance. Defaults to `ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*` - aws_ec2_ami_filter: # optional, default is ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-* - # Path to the grafana datasource directory - grafana_datasource_dir: # optional, default is observability/grafana/datasources - # Path to the prometheus config file - prometheus_config: # optional, default is observability/prometheus/prometheus.yml - # How frequently to scrape targets by default in the Prometheus data-source. - grafana_scrape_interval: # optional - # How frequently to scrape targets by default - prometheus_scrape_interval: # optional, default is 15s - # When to remove old data. Defaults to 15d. - prometheus_retention_period: # optional, default is 15d - # Enable cadvisor container in docker-compose - cadvisor_enable: # optional - # Add cadvisor target - cadvisor_extra_targets: # optional - # Enable node-exporter container in docker-compose - node_exporter_enable: # optional - # Add node-exporter target - node_exporter_extra_targets: # optional - # - print_yaml_files: # optional - # Set to "true" to Destroy the created AWS infrastructure for this instance - tf_stack_destroy: # optional, default is false - # Change this to be anything you want to. Carefull to be consistent here. A missing file could trigger recreation, or stepping over destruction of non-defined objects. - tf_state_file_name: # optional - # Append a string to the tf-state-file. Setting this to `unique` will generate `tf-state-aws-unique`. Can co-exist with the tf_state_file_name variable. - tf_state_file_name_append: # optional - # AWS S3 bucket to use for Terraform state. Defaults to `${org}-${repo}-{branch}-tf-state-aws` - tf_state_bucket: # optional - # Force purge and deletion of S3 tf_state_bucket defined. Any file contained there will be destroyed. `tf_stack_destroy` must also be `true` - tf_state_bucket_destroy: # optional - # Define the root domain name for the application. e.g. app.com - aws_r53_domain_name: # optional - # Define the sub-domain part of the URL. Defaults to `${org}-${repo}-{branch}` - aws_r53_sub_domain_name: # optional - # Deploy to root domain. Will generate two DNS recrods, one for root, another for www - aws_r53_root_domain_deploy: # optional - # Makes the application use a certificate by enabling a certificate lookup. - aws_r53_enable_cert: # optional - # Define the certificate ARN to use for the application - aws_r53_cert_arn: # optional - # Generates and manage the root cert for the application - aws_r53_create_root_cert: # optional - # Generates and manage the sub-domain certificate for the application - aws_r53_create_sub_cert: # optional - # A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}` - aws_r53_additional_tags: # optional - # Define if a VPC should be created - aws_vpc_create: # optional - # Set a specific name for the VPC - aws_vpc_name: # optional - # Define Base CIDR block which is divided into subnet CIDR blocks. Defaults to 10.0.0.0/16. - aws_vpc_cidr_block: # optional - # Comma separated list of public subnets. Defaults to 10.10.110.0/24 - aws_vpc_public_subnets: # optional - # Comma separated list of private subnets. If none, none will be created. - aws_vpc_private_subnets: # optional - # Comma separated list of availability zones. Defaults to `aws_default_region. - aws_vpc_availability_zones: # optional - # AWS VPC ID. Accepts `vpc-###` values. - aws_vpc_id: # optional - # Specify a Subnet to be used with the instance. If none provided, will pick one. - aws_vpc_subnet_id: # optional - # Enables NAT gateway - aws_vpc_enable_nat_gateway: # optional - # Creates only one NAT gateway - aws_vpc_single_nat_gateway: # optional - # Comma separated list of IP IDS to reuse in the NAT gateways - aws_vpc_external_nat_ip_ids: # optional - # A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}` - aws_vpc_additional_tags: # optional - # Toggle cloudwatch creation for Docker containers. - docker_cloudwatch_enable: # optional, default is true - # Toggle deletion or not when destroying the stack. - docker_cloudwatch_skip_destroy: # optional - # Add a public IP to the instance or not. (Not an Elastic IP) - aws_ec2_instance_public_ip: # optional, default is true - # List of ports to be enabled as an ingress rule in the EC2 SG, in a [xx,yy] format - Not the ELB - aws_ec2_port_list: # optional - # Create a load balancer and map ports to the EC2 instance. - aws_elb_create: # optional, default is true - # Port to expose for the app - aws_elb_app_port: # optional - # Load balancer listening port. Defaults to 80 if NO FQDN provided, 443 if FQDN provided - aws_elb_listen_port: # optional, default is 3000,9090 - + - main push: branches-ignore: - 'gh-readonly-queue/**' - merge_group: - types: [checks_requested] + workflow_dispatch: + +permissions: + contents: read + actions: read + # Add others only if required (e.g., id-token, attestations) jobs: - ########################## - # Generate Vault keys - ########################## - set-vault-keys: + deploy-aws-redis: + name: Deploy Amazon Redis DB cluster (ElastiCache) runs-on: ubuntu-latest - outputs: - modified_vault_keys: ${{ steps.modify_vault_keys.outputs.modified }} steps: - - name: Set vault-keys output - id: modify_vault_keys - run: | - if [ -z "${{ vars.VAULT_KEYS }}" ]; then - # We want to add the DOCS_BOT_PAT_BASE to the list of keys - # so that builds fetch the secret from the docs-internal vault - # where --environment is "ci" - echo "modified=DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT - else - echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_BASE" >> $GITHUB_OUTPUT - fi - - ############# - # Moda jobs - ############# - moda-config-bundle: - if: ${{ github.repository == 'github/docs-internal' }} - name: ${{ matrix.ci_job.job }} - needs: set-vault-keys - strategy: - fail-fast: false - matrix: - ci_job: [{ 'job': 'docs-internal-moda-config-bundle' }] - uses: github/internal-actions/.github/workflows/moda.yml@main - with: - ci-formatted-job-name: ${{ matrix.ci_job.job }} - vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }} - secrets: - dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }} - datadog-api-key: ${{ secrets.DATADOG_API_KEY }} - - ############# - # Docker Image jobs - ############# - docker-image: - if: ${{ github.repository == 'github/docs-internal' }} - name: ${{ matrix.ci_job.job }} - needs: set-vault-keys - strategy: - fail-fast: false - matrix: - ci_job: [{ 'job': 'docs-internal-docker-image' }] - uses: github/internal-actions/.github/workflows/kube.yml@main - with: - ci-formatted-job-name: ${{ matrix.ci_job.job }} - vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }} - # Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src= - attest: true - docker-build-env-secrets: 'DOCS_BOT_PAT_BASE' - secrets: - dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }} - datadog-api-key: ${{ secrets.DATADOG_API_KEY }} - - ############# - # Docker Security jobs - ############# - docker-security: - if: ${{ github.repository == 'github/docs-internal' }} - name: ${{ matrix.ci_job.job }} - needs: set-vault-keys + - name: Checkout code + uses: actions/checkout@v4 + + - name: Deploy Redis with Bitovi Action + uses: bitovi/github-actions-deploy-redis-db@v0 # Pin to latest stable tag + with: + aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + # aws_default_region: us-east-1 # Uncomment to override default region + # aws_redis_user: redisuser # Using default, omit if not overriding + # aws_redis_port: 6379 # Using default, omit if not overriding + # aws_redis_multi_az_enabled: false # Enable for HA in production + # tf_stack_destroy: # Leave blank to avoid accidental deletions + # Add other parameters only as needed, and document why + + build-and-test: + name: Build, Test, and Analyze (Node.js) + runs-on: ubuntu-latest strategy: - fail-fast: false matrix: - ci_job: [{ 'job': 'docs-internal-docker-security' }] - uses: github/internal-actions/.github/workflows/docker_security.yml@main - with: - ci-formatted-job-name: ${{ matrix.ci_job.job }} - vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }} - # Passes 'DOCS_BOT_PAT_BASE' secret from Vault to docker as --secret id=DOCS_BOT_PAT_BASE,src= - docker-build-env-secrets: 'DOCS_BOT_PAT_BASE' - secrets: - dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }} - datadog-api-key: ${{ secrets.DATADOG_API_KEY }} - -permissions: - actions: read - checks: read - contents: read - statuses: read - id-token: write - attestations: write - - - name: Upload a Build Artifact - uses: actions/upload-artifact@v4.6.2 - with: - # Artifact name - name: # optional, default is artifact - # A file, directory or wildcard pattern that describes what to upload - path: - # The desired behavior if no files are found using the provided path. -Available Options: - warn: Output a warning but do not fail the action - error: Fail the action with an error message - ignore: Do not output any warnings or errors, the action does not fail - - if-no-files-found: # optional, default is warn - # Duration after which artifact will expire in days. 0 means using default retention. -Minimum 1 day. Maximum 90 days unless changed from the repository settings page. - - retention-days: # optional - # The level of compression for Zlib to be applied to the artifact archive. The value can range from 0 to 9: - 0: No compression - 1: Best speed - 6: Default compression (same as GNU Gzip) - 9: Best compression Higher levels will result in better compression, but will take longer to complete. For large files that are not easily compressed, a value of 0 is recommended for significantly faster uploads. - - compression-level: # optional, default is 6 - # If true, an artifact with a matching name will be deleted before a new one is uploaded. If false, the action will fail if an artifact for the given name already exists. Does not fail if the artifact does not exist. - - overwrite: # optional, default is false - # If true, hidden files will be included in the artifact. If false, hidden files will be excluded from the artifact. - - include-hidden-files: # optional, default is false - - - name: Download a Build Artifact - uses: actions/download-artifact@v4.3.0 - with: - # Name of the artifact to download. If unspecified, all artifacts for the run are downloaded. - name: # optional - # IDs of the artifacts to download, comma-separated. Either inputs `artifact-ids` or `name` can be used, but not both. - artifact-ids: # optional - # Destination path. Supports basic tilde expansion. Defaults to $GITHUB_WORKSPACE - path: # optional - # A glob pattern matching the artifacts that should be downloaded. Ignored if name is specified. - pattern: # optional - # When multiple artifacts are matched, this changes the behavior of the destination directories. If true, the downloaded artifacts will be in the same directory specified by path. If false, the downloaded artifacts will be extracted into individual named directories within the specified path. - merge-multiple: # optional, default is false - # The GitHub token used to authenticate with the GitHub API. This is required when downloading artifacts from a different repository or from a different workflow run. If this is not specified, the action will attempt to download artifacts from the current repository and the current workflow run. - github-token: # optional - # The repository owner and the repository name joined together by "/". If github-token is specified, this is the repository that artifacts will be downloaded from. - repository: # optional, default is ${{ github.repository }} - # The id of the workflow run where the desired download artifact was uploaded from. If github-token is specified, this is the run that artifacts will be downloaded from. - run-id: # optional, default is ${{ github.run_id }} - - - name: Setup .NET Core SDK - uses: actions/setup-dotnet@v3.4.2 - with: - # Optional SDK version(s) to use. If not provided, will install global.json version when available. Examples: 2.2.104, 3.1, 3.1.x, 3.x, 6.0.2xx - dotnet-version: # optional - # Optional quality of the build. The possible values are: daily, signed, validated, preview, ga. - dotnet-quality: # optional - # Optional global.json location, if your global.json isn't located in the root of the repo. - global-json-file: # optional - # Optional package source for which to set up authentication. Will consult any existing NuGet.config in the root of the repo and provide a temporary NuGet.config using the NUGET_AUTH_TOKEN environment variable as a ClearTextPassword - source-url: # optional - # Optional OWNER for using packages from GitHub Package Registry organizations/users other than the current repository's owner. Only used if a GPR URL is also provided in source-url - owner: # optional - # Optional NuGet.config location, if your NuGet.config isn't located in the root of the repo. - config-file: # optional - # Optional input to enable caching of the NuGet global-packages folder - cache: # optional - # Used to specify the path to a dependency file: packages.lock.json. Supports wildcards or a list of file names for caching multiple dependencies. - cache-dependency-path: # optional - - - name: First interaction - uses: actions/first-interaction@v1.3.0 - with: - # Token for the repository. Can be passed in using {{ secrets.GITHUB_TOKEN }} - repo-token: - # Comment to post on an individual's first issue - issue-message: # optional - # Comment to post on an individual's first pull request - pr-message: # optional - - - name: New Relic JUnit Reporter - # You may pin to the exact commit or the version. - # uses: newrelic/junit-reporter-action@a225f3d3753f08921149ddd803040fe593c4ad5c - uses: newrelic/junit-reporter-action@v0.3.0 - with: - # Your New Relic Ingest License key. - ingestLicenseKey: - # Your New Relic account ID. Custom events representing your test run will be posted to this account. - accountId: - # The geographical region for your New Relic account - US or EU. Default: US - region: # optional, default is US - # The path to the JUnit output file. - testOutputPath: - # Any custom attributes to include in JSON format. - customAttributes: # optional - - - name: Codecov ATS - # You may pin to the exact commit or the version. - # uses: codecov/codecov-ats@d5a8e2d68e510a4ed2d0657bb9e9e8760a3f6ffc - uses: codecov/codecov-ats@v0.3.0 - with: - # Repository upload token - get it from codecov.io. Required - token: # optional - # Repository static token - get it from codecov.io. Required - static_token: - # Change the upload host (Enterprise use only) - enterprise_url: # optional - # File pattern to search for. Defaults to "*" - file_pattern: # optional - # Avoid certain folders when uploading static analysis - folders_to_exclude: # optional - # Force upload of files during static analysis regardless if they are new - force: # optional - # Max time (in seconds) to wait for the label analysis. Default is to wait forever. - label_max_wait_time: # optional - # Override the assumed OS. Options are linux | macos | windows. - os: # optional - # Variable to save down tests string. Defaults to CODECOV_ATS_TESTS - output_variable: # optional - # Override the assumed base commit. - override_base_commit: # optional - # Branch to which this commit belongs to - override_branch: # optional - # Commit SHA (with 40 chars) - override_commit: # optional - # SHA (with 40 chars) of what should be the parent of this commit - override_parent: # optional - # Specify the pull request number mannually. - override_pr: # optional - # owner/repo slug used instead of the private repo token in Self-hosted - override_slug: # optional - # Folders not to search during static analysis - static_folders_to_exclude: # optional - # Folder to search during static analysis - static_folder_to_search: # optional - # Force running of static analysis - static_force: # optional - # Number of processes to use during static analysis - static_number_processes: # optional - # File pattern to search for during static analysis - static_search_pattern: # optional - # Specify whether the Codecov output should be verbose - verbose: # optional - # Specify which version of the Codecov CLI should be used. Defaults to `latest` - version: # optional - - - name: SecureStack Application Composition Analysis - # You may pin to the exact commit or the version. - # uses: SecureStackCo/actions-code@c2c35840882d041474c505c1045da157025cd57e - uses: SecureStackCo/actions-code@v0.1.1 - with: - # SecureStack API key - generate an API key at https://app.securestack.com - securestack_api_key: - # SecureStack Application ID - can be retrieved by accessing required application at https://app.securestack.com - securestack_app_id: - # Severities lower than this value will be reported in the workflow console but will not cause an error for the action; value should be one of: critical | high | medium | low - severity: - # Severities lower than this value will be reported in the workflow console but will not cause an error for the action; value should be one of: critical | high | medium | low - language: - # Optional flags for the bloodhound-cli code command - run bloodhound cli code --help for more details - flags: # optional, default is - - - name: SonarQube Scan for C and C++ - # You may pin to the exact commit or the version. - # uses: SonarSource/sonarqube-github-c-cpp@e51317d858d1117fe6c451aa441841cb3e3ff358 - uses: SonarSource/sonarqube-github-c-cpp@v2.1.0 - with: - # Directory where the sonar-scanner and build wrapper will be installed. Created if does not exists. - installation-path: # optional, default is .sonar - # Controls if installed binaries are cached using GitHub cache. - cache-binaries: # optional, default is true - - - name: Xanitizer Security Analysis - # You may pin to the exact commit or the version. - # uses: RIGS-IT/xanitizer-action@87d13138fb113b727cbe040c744a15a2b4fe5316 - uses: RIGS-IT/xanitizer-action@v1.0.1 - with: - # String which is used as input for a Xanitizer license file. Note: It is recommended to use a GitHub secret to store the license file content like XANITIZER_LICENSE and access the content in the configuration via the GitHub secret parameter. Please see https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. Note: If the license is a floating license and a proxy server is used to access the license server, please specify the proxy server settings. If no settings are specified, the settings from the Xanitizer properties file will be used. - license: # optional - # Number of attempts to get a license token from the license server. Note: If the used Xanitizer license is a machine bound license, this parameter will be ignored. If the used Xanitizer license is a floating license it may happen that all tokens are in use or the connection to the license server is not available at startup. In such cases, no license token can be requested successfully from the license server to start Xanitizer and the headless process would terminate with a license error. When this parameter is set to a value greater than zero, Xanitizer attempts every minute to request a license token until the specified count has been reached. Setting this parameter to zero disables the repetition. - licenseServerRetryCount: # optional - # Relative path under $GITHUB_WORKSPACE where the project was checked out. Note: Please use the same value as for parameter `path` of the configured actions/checkout action (see https://github.com/actions/checkout#usage parameter `path`). - checkoutPath: # optional - # The output location of the overview report. This has to be either a list of files or the parameter has to be undefined or empty if no overview reports should be written. Allowed file extensions are: pdf, html, docx. - overviewReportOutputFile: # optional - # Comma separated list of output locations of the overview reports. This has to be either a list of files or the parameter has to be undefined or empty if no overview reports should be written. Allowed file extensions are: pdf, html, docx. - overviewReportOutputFiles: # optional - # The output location of the findings list report. This has to be either a list of files or the parameter has to be undefined or empty if no findings list reports should be written. Allowed file extensions are: pdf, html, docx, xml, csv, sarif. - findingsListReportOutputFile: # optional - # Comma separated list of output locations of the findings list reports. This has to be either a list of files or the parameter has to be undefined or empty if no findings list reports should be written. Allowed file extensions are: pdf, html, docx, xml, csv, sarif. Note: If no report file has been secified, i.e., neither an overview report nor a findings list report, both a Xanitizer-Findings-List.pdf and a Xanitizer-Findings-List.sarif report will be generated in the checkout directory specified by $GITHUB_WORKSPACE with the optional relative parameter `checkoutPath` as default. - findingsListReportOutputFiles: # optional - # Boolean flag specifying if only findings with problem classifications are written to the findings list report. - onlyProblemsInFindingsListReport: # optional, default is true - # Boolean flag specifying if all the details of a finding are written to the findings list report, e.g. if the output contains all steps of a path. Note: Only relevant if the file extension of the parameter `findingsListReportOutputFile` is xml, html, or sarif. - generateDetailsInFindingsListReport: # optional, default is true - # The path to the Xanitizer configuration file of the project that should be analyzed. Either this parameter or the parameter `rootDirectory` may be specified, but not both. Note: If neither the parameter `configFile` nor the parameter `rootDirectory` has been specified, the parameter `rootDirectory` is set to the checkout directory specified by $GITHUB_WORKSPACE with the optional relative parameter `checkoutPath`. - configFile: # optional - # The root directory, to be used for default set-ups. Either this parameter or the parameter `configFile` may be specified, but not both. Note: If neither the parameter `configFile` nor the parameter `rootDirectory` has been specified, the parameter `rootDirectory` is set to the checkout directory specified by $GITHUB_WORKSPACE with the optional relative parameter `checkoutPath`. - rootDirectory: # optional - # The project name that should be used. Only relevant if the parameter `rootDirectory` is specified. If not given, the simple name of the root directory is used. - projectName: # optional - # The directory where to put the generated configuration file. Only relevant if the parameter `rootDirectory` is specified. If not given, the configuration file is generated in the `rootDirectory`. - configFileDirectory: # optional - # Boolean flag specifying if an existing config file is to be overwritten. Only relevant if the parameter `rootDirectory` is specified. - overwriteConfigFile: # optional - # Boolean flag specifying whether Xanitizer uses NodeJS to compile Angular and TypeScript projects to JavaScript code itself or not. This could be a potential risk if someone has manipulated the external ng or the tsc script. If the code is already compiled to JavaScript, best with a source map, this option can be set to `false` true - enables the compilation of Angular and TypeScript code to JavaScript by Xanitizer itself false - disables the compilation of Angular and TypeScript code to JavaScript by Xanitizer itself and some Xanitizer workspace information will be generated if Angular or Typescript files are found in the project not set - if this option is not set and Angular or Typescript files are found in the project, a Xanitizer workspace error will be generated - compileToJavaScript: # optional, default is true - # Boolean flag specifying if npm audit should be executed. The npm audit APIs can be used to report on known vulnerable node.js libraries. This requires an Internet connection and so has to be allowed explicitly. This is only relevant for NodeJS projects. - performNodeAudit: # optional, default is true - # Boolean flag specifying whether the task should fail if there are search paths configured that do not exist. - haltOnMissingSearchPaths: # optional - # A comma - separated list of issue groups that will let the task fail if for any of them, a Xanitizer error issue occurs. Possible values are ALL_ERRORS, WORKSPACE_ERRORS, CALL_GRAPH_ERRORS, ANALYSIS_ERRORS, MIGRATION_ERRORS. If the value is not set, this means that issues are not relevant for the success of the task. - haltOnIssues: # optional - # Boolean flag specifying whether the task should fail if there are findings with a rating equal or higher than the value defined for `findingsRatingThreshold`. - haltOnFindings: # optional - # A rating value. Only used if the parameter `haltOnFindings` is set. - findingsRatingThreshold: # optional - # Boolean flag specifying whether the OWASP Dependency Check repository should be updated or not. Note: The OWASP Dependency Check is based on vulnerability data stored in a local repository. It is recommended to update the local OWASP Dependency Check repository on a regular basis via remote access to the National Vulnerability Database (NIST). If a proxy server is used to access the internet, please specify the proxy server settings otherwise the settings from the Xanitizer properties file will be used. - updateOwaspDependencyCheckRepository: # optional - # The logging level to be used when running Xanitizer. Values: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL. - logLevel: # optional - # Xanitizer`s project data directory, if it is not the default one in /.Xanitizer. - projectDataDirectory: # optional - # Boolean flag specifying whether the task should fail if there are * NEW * findings with a rating equal or higher than the value defined for `newFindingsRating`. - haltOnNewFindings: # optional - # A rating value. Only used if the parameter `haltOnNewFindings` is set. - newFindingsRatingThreshold: # optional - # Optional path to the local Maven repository. Note: If no settings are specified, the settings from the Xanitizer properties file will be used. - mavenRepository: # optional - # Boolean flag specifying whether a snapshot should be created after parsing and analyzing the current version or not. - createSnapshot: # optional - # Optional comment added to the newly created snapshot. Only relevant if the parameter `createSnapshot` is true. - snapshotComment: # optional - # The output directory of the project export. Note: If the parameter is undefined or an empty string, the project is not exported. - exportDirectory: # optional - # Boolean flag specifying if snapshots should be exported or not. The parameter is only used if an export directory is set. If the parameter is not set or empty, no snapshots are exported. - exportSnapshots: # optional - # The passphrase for the project export. The parameter is only used if an export directory is set. If the parameter is not set or empty, the exported project is not encrypted. Note: It is recommended to use a GitHub secret to store the export like XANITIZER_EXPORT_PASSPHRASE and access the content in the configuration via the GitHub secret parameter. Please see https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. - exportPassphrase: # optional - # The path to an exported Xanitizer project archive file. If specified, this project is merged into the current project. This means that all more recent user adaptations, findings and issues are migrated into the current project. - mergedProject: # optional - # The passphrase for the merged project. The parameter is only necessary if the parameter `mergedProject` is set and the merged project is encrypted. Note: It is recommended to use a GitHub secret to store the export passphrase like XANITIZER_EXPORT_PASSPHRASE. and access the content in the configuration via the GitHub secret parameter. Please see https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets for details. - importPassphrase: # optional - # Optional proxy server to access the internet to update the OWASP Dependency Check repository or to request a license token from the public license server in case of a floating license via a proxy. Note: If no settings are specified, the settings from the Xanitizer properties file will be used. - proxyServer: # optional - # Optional proxy server port. - proxyPort: # optional - # Optional proxy server user name. - proxyUser: # optional - # Optional proxy server user password. - proxyPassword: # optional - - - name: DPy Action - # You may pin to the exact commit or the version. - # uses: DesigniteTools/DPyAction@bd057fd8668aa20541e302397df77d9c50cca2b4 - uses: DesigniteTools/DPyAction@v1.1.2 - with: - # Personal access token - PAT: # optional, default is No PAT provided - # Designite license key - optional - D_KEY: # optional, default is No key - # Operating System of the runner to choose the appropriate DPy binary - OS: # optional, default is linux - # Branch to analyze - optional - BRANCH: # optional, default is main - # Output format - optional - FORMAT: # optional, default is csv - - - name: gha-ci-issues - # You may pin to the exact commit or the version. - # uses: Mergifyio/gha-mergify-ci@668bd8fd12563b7816b51f69ad8a13652925ac55 - uses: Mergifyio/gha-mergify-ci@v6 - with: - # Mergify CI token - token: - # Path of the files to upload - report_path: - # URL of the Mergify API - mergify_api_url: # optional, default is https://api.mergify.com - - - name: SecureStack All-In-One GitHub Action - # You may pin to the exact commit or the version. - # uses: SecureStackCo/actions-all-in-one@96dc79a3c4081a8333040c6bf84b0c528ccb1eb9 - uses: SecureStackCo/actions-all-in-one@v0.1.2 - with: - # SecureStack API key - generate an API key at https://app.securestack.com - securestack_api_key: - # SecureStack Application ID - can be retrieved by accessing required application at https://app.securestack.com - securestack_app_id: - # Severities lower than this value will be reported in the workflow console but will not cause an error for the action; value should be one of: critical | high | medium | low - severity: - - - name: github-action-auto-format - # You may pin to the exact commit or the version. - # uses: cloudposse/github-action-auto-format@970af4c15a720047204400fe5b5ae52fb2991e9b - uses: cloudposse/github-action-auto-format@v0.12.0 - with: - # The path on the github-runner where the auto-format action scripts are checked out at runtime - actions-files-checkout-path: # optional, default is github-action-auto-format - # GitHub username for writing new commits - bot-name: # optional, default is cloudpossebot - # Email address associated with the GitHub user for writing new commits - bot-email: # optional - # Name of formatting task to execute. (Options include: readme, github, terraform, and context.) - format-task: - # GitHub Token for use in `github_format.sh` and PR creation steps. This token must be granted `workflows` permissions. - workflow-token: - - - name: run-noteable-notebook - # You may pin to the exact commit or the version. - # uses: noteable-io/run-notebook@48a4734efb67d7df9aa6f51d9dbeb4a0871065c9 - uses: noteable-io/run-notebook@v3 - with: - # Path to notebook with extension that should be executed - notebook: # optional, default is - # Path to parameters file with extension, contents should be json - params: # optional, default is {} - # If True, will hide inputs in notebook - isReport: # optional - # If True, this will pool output every 15 seconds and displays, this is useful in cases where there is long running cells and user wants to see output after going to the page, since github actions does not show streaming from the beginning, this is a hack to get around it - poll: # optional - # Used to set the logging level for the papermill process. - loggingLeveL: # optional, default is INFO - - - name: Convert 3D files directory with KittyCAD - # You may pin to the exact commit or the version. - # uses: KittyCAD/action-convert-directory@94f695ed3d7206d1a5f065eb9166ef318b68a3a6 - uses: KittyCAD/action-convert-directory@v0.0.2 - with: - # KittyCAD API TOKEN, generated at https://kittycad.io/account - kittycad-token: - # folder containing files to be converted, allowed files are dae, fbx, obj, step and stl - input-directory: - # folder where converted files will be put - output-directory: - # options are dae, fbx, fbxb, obj, step and stl - conversion-type: - - - name: Jscrambler - # You may pin to the exact commit or the version. - # uses: jscrambler/code-integrity-actions@b8a30020d7b82d02a2fa110c815d62c74184fb9c - uses: jscrambler/code-integrity-actions@v6.4.19 - - - name: Nullify DAST Action - # You may pin to the exact commit or the version. - # uses: Nullify-Platform/dast-action@f9d0b5cfdb743f189bd8f6134ab0322f3304ebce - uses: Nullify-Platform/dast-action@v0.0.1 - with: - # Name of the application to be tested - app-name: - # Absolute directory of the API specification to be tested - spec-path: - # Target host endpoint of the application to be tested - target-host: - # Space-separated arguments to include (e.g. -d, -v for debug and verbose modes) - base-args: # optional, default is -v - # Name of the GitHub repository - github-repository: # optional, default is ${{ github.repository }} - # GitHub API token which will be exchanged for a Nullify token - github-token: # optional, default is ${{ github.token }} - # Header to include in authorization request - header: # optional - # Nullify API host e.g. api.nullify.ai - nullify-host: # optional, default is api.nullify.ai - # Nullify CLI version to be used - nullify-version: # optional, default is 0.0.0 - - - name: Pachyderm Pipeline Updater - # You may pin to the exact commit or the version. - # uses: pachyderm/pachyderm-actions@69c4694668a732392b203fab5b8dbdc14b8a097c - uses: pachyderm/pachyderm-actions@0.0.1 - - - name: Preview Environments - # You may pin to the exact commit or the version. - # uses: UffizziCloud/preview-action@6f946b7c6d38a24e28a134e6f833783dfaaaf782 - uses: UffizziCloud/preview-action@v2.6.1 - with: - # An alternate compose file - compose-file: # optional, default is docker-compose.yaml - # URL to Uffizzi - server: # default is https://app.uffizzi.com - # Uffizzi username - username: # optional - # Uffizzi password - password: # optional - # Uffizzi project slug - project: # optional - # Username to authenticate to GHCR - ghcr-username: # optional - # Password to authenticate to GHCR - ghcr-access-token: # optional - # Value of `github.event.number` context - github-event-number: # optional - # Value of `github.ref` context - github-ref: # optional - # Value of `github.repository` context - github-repository: # optional - # - request-token: # optional - # - request-token-url: # optional - # - dockerhub-username: # optional - # - dockerhub-password: # optional - # Azure username - acr-username: # optional - # Azure password - acr-password: # optional - # Azure registry url - acr-registry-url: # optional - # Amazon Web Services access key id - aws-access-key-id: # optional - # Amazon Web Services secret access key - aws-secret-access-key: # optional - # Amazon Web Services registry url - aws-registry-url: # optional - # Google Cloud service key - gcloud-service-key: # optional - # Custom docker registry username - docker-registry-username: # optional - # Custom docker registry password - docker-registry-password: # optional - # Custom docker registry url - docker-registry-url: # optional - - - name: Prevasio Container Security - # You may pin to the exact commit or the version. - # uses: algosec/prevasio-cicd-container-security-action@7e1676e311785a9e0062f8ad066960a231820106 - uses: algosec/prevasio-cicd-container-security-action@v1.0.4 - - - name: GPG signing with Software Trust Manager - # You may pin to the exact commit or the version. - # uses: digicert/ssm-gpg-signing@37c73cbe57ae318dfb9d4a71a1db16a040a9a6ff - uses: digicert/ssm-gpg-signing@v0.0.2 - - - name: Nx affected dependencies action - # You may pin to the exact commit or the version. - # uses: leanix/nx-affected-dependencies-action@e49b2332a95c083c3f6ae3838d39289d89f7c582 - uses: leanix/nx-affected-dependencies-action@v0.2.1 - with: - # The name of the project whose affected dependencies you want to lint/test etc.. - project: - # The angular CLI target you want to execute, e.g. 'lint' or 'test'. - target: - # The base reference to be used for the affected evaluation. - base: # optional - # The head reference to be used for the affected evaluation. - head: # optional - # Set to 'true' for this action to automatically compare the merge commit to the previous one on develop/master and to use origin/develop as base when running on a feature branch. - gitflow: # optional - # The runner of the command. Used to leverage nx cache. - runner: # optional - - - name: Terraform Apply for GorillaStack - # You may pin to the exact commit or the version. - # uses: SWO-GS/github-action-apply-on-merge@71fab58db0a839b1e9b34e87601a5e4347c52c88 - uses: SWO-GS/github-action-apply-on-merge@v0.1.0 - with: - # The action type (currently "validate" and "apply" are available) - action: # default is validate - # The name of the tfstate bucket stack - stack_name: # default is github-actions-gorillastack-tfstate - # The region in which you deployed the tfstate bucket stack - aws_default_region: # default is us-east-1 - # The AWS Access Key Id for the user with privileges to access the tfstate bucket - aws_access_key_id: # default is defaulted-for-everything-but-apply - # The AWS Secret Access Key for the user with privileges to access the tfstate bucket - aws_secret_access_key: # default is defaulted-for-everything-but-apply - # GorillaStack API Key, which is read-write or read-only, tied to your user identity - gorillastack_api_key: # default is defaulted-for-everything-but-apply - # GorillaStack Team Id, sets context of which team/tenant you are targeting - gorillastack_team_id: # default is defaulted-for-everything-but-apply - - - name: Armory Continuous Deployment-as-a-Service - # You may pin to the exact commit or the version. - # uses: armory/cli-deploy-action@36fc96b3e295e960d22f96513ef781bb9865a87c - uses: armory/cli-deploy-action@v1.0.0 - with: - # Path to the configuration YAML file used to configure your deployment - path-to-file: - # extra args to the deployment start command - applicationName: # optional - # extra context params to the deployment start command - addContext: # optional - # ClientId for Armory Cloud - clientId: - # ClientSecret for Armory Cloud - clientSecret: - # Intended audience of requests that will use your Armory Cloud authentication token. Is deployHostUrl by default - audience: # optional, default is https://api.cloud.armory.io - # Armory Cloud authentication provider url - tokenIssuerUrl: # optional, default is https://auth.cloud.armory.io/oauth - # Location of the Armory Cloud API which will handle your deployment - deployHostUrl: # optional, default is api.cloud.armory.io - - - name: Nitric CLI - Automated Cloud Deployment - # You may pin to the exact commit or the version. - # uses: nitrictech/actions@eb63ad6dd85ccc71e5f24bf225bd8e030ca0fff9 - uses: nitrictech/actions@v1.0.3 - with: - # Version of the Nitric CLI to install, or "latest" (default). This accepts semver ranges like 1.33.0. - version: # default is latest - # Token used to query nitric versions - github-token: # default is ${{ github.token }} - # Nitric command to run, eg. up or down - command: # optional - # Working directory containing Nitric stack - working-directory: # optional - # Which stack you want to deploy, eg. dev - stack-name: # optional - - - name: Instrument pipeline - # You may pin to the exact commit or the version. - # uses: autometrics-dev/instrument-pipeline@142e4e6cbc109bb37c705daa856b6462689b3ef8 - uses: autometrics-dev/instrument-pipeline@v0.1.0 - with: - # URL to the aggregation gateway, for example `http://localhost:9091` - pushgateway: - # Type of the aggregation gateway, one of `prometheus`, `gravel`, or `zapier`. Currently only changes the url format in case of prometheus - gatewaytype: # optional - # Comma separated list of buckets for duration histogram, with or without the brackets [] - buckets: # optional + node-version: [20.x] # Extendable to multiple versions for testing + steps: + - name: Checkout code + uses: actions/checkout@v4 - - name: Honeycomb Buildevents - # You may pin to the exact commit or the version. - # uses: honeycombio/gha-buildevents@e5d529f2a2a3eea1605786749c78cbb3122c46b5 - uses: honeycombio/gha-buildevents@v3.1.0 - with: - # A Honeycomb API key - needed to send traces. - apikey: - # Defaults to https://api.honeycomb.io - apihost: # optional, default is https://api.honeycomb.io - # The Honeycomb dataset to send traces to. - dataset: - # Status of the job or worfklow. Setting this signals when to end the trace. - status: # optional - # Unix timestamp to represent when the trace started. Not necessary for single job workflows. Send in final use of the action for multi-job workflows. - trace-start: # optional - # Set this to a key unique for this matrix cell, only useful when using a build matrix. - matrix-key: # optional - # Deprecated value - please use status instead - job-status: # optional - # (true/false) Whether to send an event representing the setup of this action. - send-init-event: # optional, default is true - # If true, generate the trace ID as a 128-bit hex string compatible with OpenTelemetry by MD5 hashing the existing predictable trace ID. - otel-traceid: # optional, default is false + - name: Set up Node.js + uses: actions/setup-node@v3.9.1 + with: + node-version: ${{ matrix.node-version }} + cache: npm - - name: Autometrics Report - # You may pin to the exact commit or the version. - # uses: autometrics-dev/diff-metrics@778b3281f8446790af0afd766d5bb236defb5dde - uses: autometrics-dev/diff-metrics@v2.1.0 - with: - # Github token to use - gh-token: - # The list of rust project roots to check. One path per line - rs-roots: # optional - # The list of typescript project roots to check. One path per line - ts-roots: # optional - # The list of golang project roots to check. One path per line - go-roots: # optional - # The list of python project roots to check. One path per line - py-roots: # optional - # The number of days to keep the artifacts for. Defaults to 0 (inherits the policy from the repository) - retention-days: # optional, default is 0 - # The version of am to download, skip patch or minor to act as a wildcard. "0.2" means ">=0.2.0 && <0.3.0", "1" means ">=1.0.0 && <2.0.0", etc. - am-version: # optional - - - name: gitStream repo agent - # You may pin to the exact commit or the version. - # uses: linear-b/gitstream-github-action@c58c35dbe6d26a8f78365f5b30b2948e7eba39e4 - uses: linear-b/gitstream-github-action@v2 - with: - # Path of full Repository - full_repository: - # Head Branch Ref to checkout to - head_ref: - # Base Branch Ref to checkout to - base_ref: - # The client payload - client_payload: - # The github app installation id - installation_id: # optional - # Resolver url to send results to - resolver_url: - # Optional token for resolver - resolver_token: # optional - # Run parser in debug mode - debug_mode: # optional, default is false - - - name: Scheduled Milestones - # You may pin to the exact commit or the version. - # uses: readmeio/scheduled-milestones@0e87deaf0083675156111def24b8a29a97aa6fb1 - uses: readmeio/scheduled-milestones@v1.0.0 - with: - # GitHub authentication token - token: - # A prefix for your scheduled milestone title. - title: # default is Up for Review - # A comma-separated list of the days of the upcoming week that you want milestones for. - days: - # Options for `Date.toLocaleDateString()`. See https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toLocaleDateString for details. - date_options: # optional - - - name: Teamwork GitHub Sync - # You may pin to the exact commit or the version. - # uses: Teamwork/github-sync@42dcac69eb5a41fad0d518efeb6aecf1e45f8d01 - uses: Teamwork/github-sync@v1.3.3 - with: - # GitHub token - GITHUB_TOKEN: - # Teamwork URI - TEAMWORK_URI: - # Teamwork API token - TEAMWORK_API_TOKEN: - # Do you want to enable automatic tagging: true/false - AUTOMATIC_TAGGING: # optional - # The case-sensitive column name of the column you would like the task to be moved to once the PR has been opened - BOARD_COLUMN_OPENED: # optional, default is - # The case-sensitive column name of the column you would like the task to be moved to once the PR has been merged - BOARD_COLUMN_MERGED: # optional, default is - # The case-sensitive column name of the column you would like the task to be moved to if the PR was closed without being merged - BOARD_COLUMN_CLOSED: # optional, default is + - name: Install Dependencies + run: npm install - - name: 42Crunch API Conformance Scan - # You may pin to the exact commit or the version. - # uses: 42Crunch/cicd-github-actions@e2c9a02bb391932aee6ef994de06ff2c7aae9ff6 - uses: 42Crunch/cicd-github-actions@v1 - with: - # API token to access 42Crunch Platform. Check https://docs.42crunch.com/latest/content/tasks/integrate_github_actions.htm for details - api-token: - # 42Crunch platform URL - platform-url: # optional, default is https://platform.42crunch.com - # Path to JSON report from audit step - audit-report-path: - # List of API UUIDs to use - api-ids: # optional - # Path to save sarif report, add 'Convert to sarif' stage - convert-to-sarif: # optional - # Add 'Upload sarif' and 'Convert to sarif' stage - upload-sarif: # optional - # Add 'Check sqg' stage - check-sqg: # optional - # GitHub token for uploading results to Github Code Scanning - github-token: # optional, default is ${{ github.token }} + - name: Run Lint & Tests + run: | + npm run lint + npm test + + - name: Upload Build Artifact + uses: actions/upload-artifact@v4.6.2 + with: + name: build-artifact + path: dist/ + retention-days: 7 + if-no-files-found: error + + - name: Download Build Artifact (Example) + uses: actions/download-artifact@v4.3.0 + with: + name: build-artifact + path: ./downloaded-artifact - - name: Cloudlist Action - # You may pin to the exact commit or the version. - # uses: projectdiscovery/cloudlist-action@8875fc8f49349c412d5d5f2e5fcb685041e9f8bf - uses: projectdiscovery/cloudlist-action@v1.0.1 - with: - # Providers config file to use - config: - # File to save output result - output: # optional, default is cloudlist.log - # Format to save of output file - json: # optional - # Additional cloudlist CLI flags to use - flags: # optional - - - name: Rational Integration Tester GitHub Action - # You may pin to the exact commit or the version. - # uses: IBM/devopsauto-integrtest-actions@5096cad49a7c728d0de5931481f5567254c70a70 - uses: IBM/devopsauto-integrtest-actions@v1 - with: - # The fully qualified path to Rational Integration Tester project directory. This value will be ignored if parameterFile field is used. - projectDir: - # The name of the API test project. This value will be ignored if parameterFile field is used. - projectName: - # The API Test environment to use for this execution. This value will be ignored if parameterFile field is used. - environment: - # Semicolon separated list of tests/suites to run. This value will be ignored if parameterFile field is used. - tests: - # The fully qualified path to a parameter file that contains project, environment, and run arguments for one or more tests. - parameterFile: # optional - # Specify the folder to export the JUnit reports to. - junitDir: # optional - - - - - + docker-image: + name: Build and Push Docker Image + runs-on: ubuntu-latest + needs: build-and-test + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Docker Build Tag Publish to ECR + uses: bitovi/github-actions-docker-ecr-publish@v0.1.0 + with: + aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws_ecr_repo_name: my-ecr-repo + image_tag: ${{ github.sha }} + + # Example: Security Analysis (with secrets and clear explanation) + security-analysis: + name: SecureStack Application Composition Analysis + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: SecureStack Analysis + uses: SecureStackCo/actions-code@v0.1.1 + with: + securestack_api_key: ${{ secrets.SECURESTACK_API_KEY }} + securestack_app_id: ${{ secrets.SECURESTACK_APP_ID }} + severity: high + + # Add more jobs as needed, using matrix strategy for repetitive tasks + +# Inline documentation for future maintainers: +# - Only include parameters you wish to override from action defaults. +# - Use GitHub secrets for sensitive fields. +# - Expand matrix strategy on jobs (e.g., for multi-version or multi-platform testing). +# - Use explicit names/paths for artifacts. +# - Add or remove permissions as needed; start with least privilege. +# - Use `workflow_dispatch` for manual runs. +# - Add or adjust triggers as your team/process evolves. From 46912430a8445c88b18d0aa926ac7af6f82b71e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Djub=C3=A1h?= Date: Fri, 13 Jun 2025 06:57:39 +0200 Subject: [PATCH 5/5] Update moda-ci.yaml Upgrades