diff --git a/.github/workflows/blackduck_scan.yaml b/.github/workflows/blackduck_scan.yaml
new file mode 100644
index 00000000..ba55dcaf
--- /dev/null
+++ b/.github/workflows/blackduck_scan.yaml
@@ -0,0 +1,80 @@
+name: Blackduck SCA Scan
+on:
+ #push:
+ # branches: [ "main" ]
+ #pull_request:
+ # branches: [ "main" ]
+ schedule:
+ - cron: '8 0 * * 0'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ checks: write
+
+jobs:
+ build:
+ runs-on: [ ubuntu-latest ]
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+
+ - name: Setup Go
+ uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34
+ with:
+ go-version-file: '${{ github.workspace }}/go.mod'
+ cache: false
+
+ - name: Get go environment for use with cache
+ run: |
+ echo "go_cache=$(go env GOCACHE)" >> $GITHUB_ENV
+ echo "go_modcache=$(go env GOMODCACHE)" >> $GITHUB_ENV
+ # This step will only reuse the go mod and build cache from main made during the Build,
+ # see push_ocm.yaml => "ocm-cli-latest" Job
+ # This means it never caches by itself and PRs cannot cause cache pollution / thrashing
+ # This is because we have huge storage requirements for our cache because of the mass of dependencies
+
+ - name: Restore / Reuse Cache from central build
+ id: cache-golang-restore
+ uses: actions/cache/restore@0c907a75c2c80ebcb7f088228285e798b750cf8f # Only Restore, not build another cache (too big)
+ with:
+ path: |
+ ${{ env.go_cache }}
+ ${{ env.go_modcache }}
+ key: ${{ env.cache_name }}-${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}-${{ hashFiles('**/go.mod') }}
+ restore-keys: |
+ ${{ env.cache_name }}-${{ runner.os }}-go-
+ env:
+ cache_name: ocm-cli-latest-go-cache # needs to be the same key in the end as in the build step
+
+ - name: Run Black Duck Full SCA Scan (Manual Trigger and Scheduled)
+ if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
+ uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
+ env:
+ DETECT_PROJECT_USER_GROUPS: opencomponentmodel
+ DETECT_PROJECT_VERSION_DISTRIBUTION: opensource
+ DETECT_SOURCE_PATH: ./
+ DETECT_EXCLUDED_DIRECTORIES: .bridge
+ DETECT_BLACKDUCK_SIGNATURE_SCANNER_ARGUMENTS: '--min-scan-interval=0'
+ NODE_TLS_REJECT_UNAUTHORIZED: true
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ blackducksca_url: ${{ secrets.BLACKDUCK_URL }}
+ blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+ blackducksca_scan_full: true
+
+ - name: Run Black Duck SCA Scan (Pull Request or Push)
+ if: github.event_name != 'workflow_dispatch'
+ # The action sets blackducksca_scan_full internally: for pushes to true and PRs to false
+ uses: blackduck-inc/black-duck-security-scan@805cbd09e806b01907bbea0f990723c2bb85abe9
+ env:
+ DETECT_PROJECT_USER_GROUPS: opencomponentmodel
+ DETECT_PROJECT_VERSION_DISTRIBUTION: opensource
+ DETECT_SOURCE_PATH: ./
+ DETECT_EXCLUDED_DIRECTORIES: .bridge
+ NODE_TLS_REJECT_UNAUTHORIZED: true
+ with:
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ blackducksca_url: ${{ secrets.BLACKDUCK_URL }}
+ blackducksca_token: ${{ secrets.BLACKDUCK_API_TOKEN }}
+ blackducksca_prComment_enabled: true
diff --git a/.github/workflows/blackduck_scan_scheduled.yaml b/.github/workflows/blackduck_scan_scheduled.yaml
deleted file mode 100644
index 7b7dabbe..00000000
--- a/.github/workflows/blackduck_scan_scheduled.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-name: Blackduck Scan Cronjob
-on:
- schedule:
- - cron: '5 0 * * 0'
-
-permissions:
- checks: write
-
-jobs:
- build:
- runs-on: [ ubuntu-latest ]
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Set up Java 17
- uses: actions/setup-java@v4
- with:
- java-version: '17'
- distribution: 'temurin'
-
- - name: Blackduck Full Scan
- uses: mercedesbenzio/detect-action@v2
- env:
- DETECT_PROJECT_USER_GROUPS: opencomponentmodel
- DETECT_PROJECT_VERSION_DISTRIBUTION: SAAS
- DETECT_SOURCE_PATH: ./
- NODE_TLS_REJECT_UNAUTHORIZED: true
- with:
- scan-mode: INTELLIGENT
- github-token: ${{ secrets.GITHUB_TOKEN }}
- blackduck-url: ${{ secrets.BLACKDUCK_URL }}
- blackduck-api-token: ${{ secrets.BLACKDUCK_API_TOKEN }}
- detect-version: 8.8.0
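Review bot: The two scan steps overlap on scheduled runs: the second step's `if: github.event_name != 'workflow_dispatch'` still matches `schedule`, so after the full scan the non-full PR/push variant runs again with `blackducksca_prComment_enabled: true`; make it the complement of the first condition, `if: github.event_name != 'workflow_dispatch' && github.event_name != 'schedule'`. `NODE_TLS_REJECT_UNAUTHORIZED: true` is a bare YAML boolean handed to the action's environment; Node.js only relaxes certificate checking when this variable is exactly `0`, so the line is a no-op as written, and its presence invites a later "fix" to `0` that would silently disable TLS verification towards the Black Duck server — drop it, or keep it as the quoted string `'true'` with a comment that it must never be set to `0`. If the commented-out `pull_request` trigger is later re-enabled, PR commenting via `secrets.GITHUB_TOKEN` will presumably also need `pull-requests: write` under `permissions`, which currently grants only `contents: read` and `checks: write`. The action pins introduced here (and in the other workflow files of this commit) carry no version comment; the repository's own `anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0` line shows the convention that keeps a SHA pin auditable and lets Dependabot/Renovate track it.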
diff --git a/.github/workflows/check-manifest-generation-diff.yaml b/.github/workflows/check-manifest-generation-diff.yaml
index 4bddac3b..74727b44 100644
--- a/.github/workflows/check-manifest-generation-diff.yaml
+++ b/.github/workflows/check-manifest-generation-diff.yaml
@@ -9,18 +9,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - name: Make manifests && generate run: | make manifests && make generate - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 with: go-version-file: '${{ github.workspace }}/go.mod' - name: Restore Go cache - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f with: path: /home/runner/work/_temp/_github_home/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5e97c989..508be54b 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -15,7 +15,7 @@ on: push: branches: [ "main" ] pull_request: - branches: [ "main ] + branches: [ "main" ] schedule: - cron: '38 7 * * 4'
@@ -57,7 +57,7 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # Add any setup steps before running the `github/codeql-action/init` action. # This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -67,7 +67,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }}
@@ -80,6 +80,6 @@ jobs: # queries: security-extended,security-and-quality - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 with: category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/components.yaml b/.github/workflows/components.yaml
index 4bb1bfe7..31604aef 100644
--- a/.github/workflows/components.yaml
+++ b/.github/workflows/components.yaml
@@ -18,12 +18,12 @@ jobs: runs-on: large_runner steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 - name: Cache go-build and mod - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f with: path: | ~/.cache/go-build/
@@ -32,7 +32,7 @@ jobs: restore-keys: | go- - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 with: go-version-file: '${{ github.workspace }}/go.mod' - name: CTF
diff --git a/.github/workflows/dispatch-e2e.yaml b/.github/workflows/dispatch-e2e.yaml
index 33c5789a..13c2ad7d 100644
--- a/.github/workflows/dispatch-e2e.yaml
+++ b/.github/workflows/dispatch-e2e.yaml
@@ -4,6 +4,8 @@ on: push: branches: - main +permissions: + contents: read jobs: dispatch-event:
@@ -11,12 +13,12 @@ jobs: steps: - name: Generate token id: generate_token - uses: tibdex/github-app-token@v2 + uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a with: app_id: ${{ secrets.OCMBOT_APP_ID }} private_key: ${{ secrets.OCMBOT_PRIV_KEY }} - name: Dispatch e2e test trigger - uses: peter-evans/repository-dispatch@v3 + uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 with: token: ${{ steps.generate_token.outputs.token }} repository: open-component-model/MPAS
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index c28d4732..c7ae4b1c 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -23,23 +23,23 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 with: go-version-file: '${{ github.workspace }}/go.mod' - name: Restore Go cache - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f with: path: /home/runner/work/_temp/_github_home/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go- - name: Setup Kubernetes - uses: helm/kind-action@v1.12.0 + uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 with: install_only: true - - uses: yokawasa/action-setup-kube-tools@v0.11.2 + - uses: yokawasa/action-setup-kube-tools@9e25a4277af127b60011c95b6ed2da7e3b3613b1 with: kustomize: '5.0.1' tilt: '0.32.2'
@@ -48,7 +48,7 @@ jobs: run: make e2e-verbose - name: Notify on Failure id: slack-notification - uses: slackapi/slack-github-action@v2.0.0 + uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d if: ${{ github.ref_name == 'main' && github.event_name == 'schedule' && always() }} with: # Slack channel id, channel name, or user id to post message.
diff --git a/.github/workflows/mend_scan.yaml b/.github/workflows/mend_scan.yaml
index 6056a72a..cbad8049 100644
--- a/.github/workflows/mend_scan.yaml
+++ b/.github/workflows/mend_scan.yaml
@@ -28,21 +28,21 @@ jobs: steps: - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Set up Java 17 - uses: actions/setup-java@v4 + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 with: java-version: '17' distribution: 'temurin' - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 with: go-version-file: '${{ github.workspace }}/go.mod' - name: 'Setup jq' - uses: dcarbone/install-jq-action@v3.0.1 + uses: dcarbone/install-jq-action@e397bd87438d72198f81efd21f876461183d383a with: version: '1.7'
@@ -171,14 +171,14 @@ jobs: echo "status=white_check_mark" >> $GITHUB_OUTPUT fi - name: Check if PR exists - uses: 8BitJonny/gh-get-current-pr@3.0.0 + uses: 8BitJonny/gh-get-current-pr@08e737c57a3a4eb24cec6487664b243b77eb5e36 id: pr_exists with: filterOutClosed: true sha: ${{ github.event.pull_request.head.sha }} - name: Comment Mend Status on PR if: ${{ github.event_name != 'schedule' && steps.pr_exists.outputs.pr_found == 'true' }} - uses: thollander/actions-comment-pull-request@v3.0.1 + uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b with: message: | ## Mend Scan Summary: :${{ steps.report.outputs.status }}:
diff --git a/.github/workflows/release-drafter.yaml b/.github/workflows/release-drafter.yaml
index 0a03538c..5021bad6 100644
--- a/.github/workflows/release-drafter.yaml
+++ b/.github/workflows/release-drafter.yaml
@@ -15,6 +15,6 @@ jobs: contents: write runs-on: ubuntu-latest steps: - - uses: release-drafter/release-drafter@v6 + - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ffaa2ed6..c5511a07 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -31,15 +31,15 @@ jobs: packages: 'write' steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: fetch-depth: 0 - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 with: go-version-file: '${{ github.workspace }}/go.mod' - name: Cache go-build and mod - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f with: path: | ~/.cache/go-build/
@@ -85,13 +85,13 @@ jobs: git tag --annotate --message "${msg}" ${{ env.RELEASE_VERSION }} git push origin ${{ env.RELEASE_VERSION }} - name: Log in to the Container registry - uses: docker/login-action@v3 + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Install Helm - uses: azure/setup-helm@v4 + uses: azure/setup-helm@b9e51907a09c216f16ebe8536097933489208112 - name: Generate manifests run: | mkdir -p output
@@ -99,9 +99,9 @@ jobs: - name: Setup Syft uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0 - name: Setup Cosign - uses: sigstore/cosign-installer@v3.7.0 + uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e - name: Run goreleaser - uses: goreleaser/goreleaser-action@v6 + uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 with: distribution: goreleaser version: latest
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 56e352b8..de61092e 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -20,16 +20,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 with: go-version-file: '${{ github.workspace }}/go.mod' - - uses: acifani/setup-tinygo@v2 + - uses: acifani/setup-tinygo@b2ba42b249c7d3efdfe94166ec0f48b3191404f7 with: tinygo-version: '0.31.2' - name: Restore Go cache - uses: actions/cache@v4 + uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f with: path: /home/runner/work/_temp/_github_home/go/pkg/mod key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}