Merge branch 'main' into dependabot/github_actions/security-actions/s…

…can-docker-image/anchore/sbom-action-0.14.3
Kong · Sep 18, 2023 · be57a13 · be57a13
2 parents 0028a5f + 1c13057
commit be57a13
Show file tree

Hide file tree

Showing 29 changed files with 751 additions and 457 deletions.
diff --git a/.github/workflows/build-sdk-js.yml b/.github/workflows/build-sdk-js.yml
@@ -25,7 +25,7 @@ jobs:
           path: ${{github.workspace}}/sdk
       - uses: ./code-build-actions/build-js-sdk
         with:
-          dry-run: true
+          dry-run: 'true'
           app_directory: ${{ github.workspace }}
           sdk_output_directory: ${{github.workspace}}/sdk
           token: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/lua-lint.yml b/.github/workflows/lua-lint.yml
@@ -0,0 +1,28 @@
+name: Luacheck Test
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    tags:
+    - '*'
+  workflow_dispatch: {}
+
+jobs:
+  test-lua-lint:
+    env:
+      TEST_REPOSITORY: "${{github.repository_owner}}/atc-router"
+    runs-on: ubuntu-latest
+    name: Luacheck code analysis
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/checkout@v3
+        with:
+          repository: ${{env.TEST_REPOSITORY}}
+          path: ${{env.TEST_REPOSITORY}}
+      - uses: ./code-check-actions/lua-lint
+        with:
+          additional_args: '--no-default-config --config ${{env.TEST_REPOSITORY}}/.luacheckrc ${{env.TEST_REPOSITORY}}'
diff --git a/.github/workflows/luacheck.yml b/.github/workflows/luacheck.yml
diff --git a/.github/workflows/rust-lint.yml b/.github/workflows/rust-lint.yml
@@ -0,0 +1,37 @@
+name: Rust Lint Test
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    tags:
+    - '*'
+  workflow_dispatch: {}
+
+jobs:
+  test-rust-lint:
+    permissions:
+      # required for all workflows
+      security-events: write
+      checks: write
+      pull-requests: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+    env:
+      TEST_REPOSITORY: "${{github.repository_owner}}/atc-router"
+    runs-on: ubuntu-latest
+    name: Rust Code Linting checks
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/checkout@v3
+        with:
+          repository: ${{env.TEST_REPOSITORY}}
+          path: ${{env.TEST_REPOSITORY}}
+      - uses: ./code-check-actions/rust-lint
+        with:
+          token: ${{secrets.GITHUB_TOKEN}}
+          manifest_dir: ${{ github.workspace }}/${{env.TEST_REPOSITORY}}
diff --git a/.github/workflows/rust-sca.yml b/.github/workflows/rust-sca.yml
@@ -0,0 +1,38 @@
+name: Rust SCA Test
+
+on:
+  pull_request:
+    branches:
+    - main
+  push:
+    branches:
+    - main
+    tags:
+    - '*'
+  workflow_dispatch: {}
+
+jobs:
+  test-rust-sca:
+    permissions:
+      # required for all workflows
+      security-events: write
+      checks: write
+      pull-requests: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+    env:
+      TEST_REPOSITORY: "${{github.repository_owner}}/atc-router"
+    runs-on: ubuntu-latest
+    name: Rust code analysis and SCA checks
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/checkout@v3
+        with:
+          repository: ${{env.TEST_REPOSITORY}}
+          path: ${{env.TEST_REPOSITORY}}
+      - uses: ./security-actions/scan-rust
+        with:
+          asset_prefix: ${{env.TEST_REPOSITORY}}
+          dir: ${{ github.workspace }}/${{env.TEST_REPOSITORY}}
+          codeql_upload: false
diff --git a/.github/workflows/rustcheck.yml b/.github/workflows/rustcheck.yml
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -0,0 +1,38 @@
+name: Semgrep
+
+on:
+  pull_request: {}
+  push:
+    branches: 
+    - master
+    - main
+  workflow_dispatch: {}
+
+
+jobs:
+  semgrep:
+    name: SAST
+    runs-on: ubuntu-20.04
+    permissions:
+      # required for all workflows
+      security-events: write
+      # only required for workflows in private repositories
+      actions: read
+      contents: read
+    env:
+      TEST_REPOSITORY: "${{github.repository_owner}}/atc-router"
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/checkout@v3
+        with:
+          repository: ${{env.TEST_REPOSITORY}}
+          token: ${{secrets.GITHUB_TOKEN}}
+          path: ${{env.TEST_REPOSITORY}}
+      - uses: ./security-actions/semgrep
+        with:
+          additional_config: '--config p/rust'
+          codeql_upload: false
+          fail_on_findings: false
+
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -1,3 +1,5 @@
 * @Kong/team-shared-actions-reviewers
 
-security-actions/ @Kong/team-security-engineering
+security-actions/ @Kong/team-security-engineering
+pr-previews/ @adamdehaven @ValeryG @Drew-Kimberly
+code-check-actions/ @Kong/team-security-engineering
diff --git a/README.md b/README.md
@@ -1,2 +1,16 @@
 # public-shared-actions
 Shared actions available to both public and private repositories
+
+## Usage
+
+  ```yaml
+  - uses: Kong/public-shared-actions/<action-name>@<tag>
+  ```
+  
+  For example:
+  
+  ```yaml
+  - uses:  Kong/public-shared-actions/code-build-actions/[email protected]
+  ```
+  
+  
diff --git a/code-build-actions/build-js-sdk/README.md b/code-build-actions/build-js-sdk/README.md
@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Build JS SDK
-        uses: Kong/public-shared-actions/build-js-sdk@main
+        uses: Kong/public-shared-actions/code-build-actions/build-js-sdk
 
 ```
 

diff --git a/code-build-actions/build-js-sdk/action.yaml b/code-build-actions/build-js-sdk/action.yaml
@@ -5,7 +5,7 @@ inputs:
   dry-run:
     description: 'If true, the action will not push the changes to the PR'
     required: false
-    default: false
+    default: 'false'
   token:
     description: 'A Github Token'
     required: true
@@ -50,17 +50,9 @@ runs:
       shell: bash
       working-directory: ${{inputs.sdk_output_directory}}
       run: |
-        openapi-generator-cli generate --generator-key client
+        openapi-generator-cli generate --generator-key client -o src
     - name: "Clean up generator files"
       shell: bash
       working-directory: ${{inputs.sdk_output_directory}}/src
       run: |
         rm -rf openapitools.json templates-js .openapi-generator-ignore .openapi-generator git_push.sh
-    - name: Commit SDK changes to the PR
-      uses: EndBug/add-and-commit@v9
-      if: ${{ !inputs.dry-run }}
-      with:
-        cwd: ${{inputs.sdk_output_directory}}
-        add: src
-        default_author: github_actions
-        message: Update SDK based on openapi.yaml changes
diff --git a/code-check-actions/lua-lint/README.md b/code-check-actions/lua-lint/README.md
@@ -0,0 +1,71 @@
+# Lua Check - Github Action
+
+Luacheck is a static analyzer for Lua. The options for static analysis configuration can be used on the command line, put into a config file or directly into checked files as Lua comments.
+
+This action analyzes all changed lua files using [lunarmodules/luacheck](https://github.com/lunarmodules/luacheck).
+
+This action looks for any `cli` arguments and a deafult `.luacheckrc` config to derive the final configuaration as mentioned in [docs](https://luacheck.readthedocs.io/en/stable/cli.html#command-line-options)
+
+## Inputs
+
+```yaml
+additional_args: 
+    description: 'Arguments to luacheck'
+    required: 'false'
+    default: '.' # Default: Run luacheck on workspace dir 
+```
+
+## Outputs
+- Depending on the event, refer [publishing](https://github.com/EnricoMi/publish-unit-test-result-action#publishing-test-results)
+
+## Action Output
+- Always exit with 0 even when there are warnings / errors and be non-blocking
+- The failure mode of build is not configurable based on shared action outcome
+
+## Example usage
+
+```yaml
+name: Lua Code Quality
+
+on:
+  pull_request: {}
+  workflow_dispatch: {}
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  lua:
+    name: Lua Lint
+    runs-on: ubuntu-20.04
+    permissions:
+      contents: read
+      issues: read
+      checks: write
+      pull-requests: write
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+    - name: Checkout source code
+      uses: actions/checkout@v3
+
+    # Optional step to run on only changed files
+    - name: Get changed files
+      id: changed-files
+      uses: tj-actions/changed-files@v36
+      with: 
+        files: |
+          **.lua
+    
+    - name: Lua Check
+      if: steps.changed-files.outputs.any_changed == 'true'
+      uses: Kong/public-shared-actions/code-check-actions/luacheck@main
+      with:
+        additional_args: '--no-default-config --config .luacheckrc'
+        files: ${{ steps.changed-files.outputs.all_changed_files }}
+```
+