From 213e1b1f56f4c6e0986a330db93946eaf18c3ab3 Mon Sep 17 00:00:00 2001
From: "cid-workflow[bot]" <142626371+cid-workflow[bot]@users.noreply.github.com>
Date: Wed, 9 Oct 2024 20:45:54 +0000
Subject: [PATCH] ci: update cid github actions workflow from 0.0.24 to 0.0.25
---
 .github/workflows/cid-ossf.yml | 8 +--
 .github/workflows/cid-pullrequest.yml | 67 ++++++++++++++++------
 .github/workflows/cid.yml | 81 +++++++++++++++++++--------
 3 files changed, 113 insertions(+), 43 deletions(-)
diff --git a/.github/workflows/cid-ossf.yml b/.github/workflows/cid-ossf.yml
index 3313acb..4297ac9 100644
--- a/.github/workflows/cid-ossf.yml
+++ b/.github/workflows/cid-ossf.yml
@@ -1,4 +1,4 @@
-# cid-workflow-version: 0.0.24
+# cid-workflow-version: 0.0.25
 # This file is generated by the CID Workflow GitHub App.
 # DO NOT EDIT!
@@ -36,7 +36,7 @@ jobs:
 contents: read # required in private repos
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -65,7 +65,7 @@ jobs:
 fulcio.sigstore.dev:443
 tuf-repo-cdn.sigstore.dev:443
 - name: Checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 persist-credentials: false
 - name: OSSF Analysis
@@ -75,7 +75,7 @@ jobs:
 results_format: sarif
 publish_results: true # publish results to OpenSSF REST API
 - name: Upload Analysis Result
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: SARIF file
 path: results.sarif
diff --git a/.github/workflows/cid-pullrequest.yml b/.github/workflows/cid-pullrequest.yml
index 0ad7c49..571fc1d 100644
--- a/.github/workflows/cid-pullrequest.yml
+++ b/.github/workflows/cid-pullrequest.yml
@@ -1,4 +1,4 @@
-# cid-workflow-version: 0.0.24
+# cid-workflow-version: 0.0.25
 # This file is generated by the CID Workflow GitHub App.
 # DO NOT EDIT!
@@ -73,6 +73,7 @@ env:
 uploads.github.com:443
 EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: ""
 EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: ""
+ EGRESS_POLICY_ALLOWED_ENDPOINTS_LINT: ""
 EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >-
 api.sonarcloud.io:443
 scanner.sonarcloud.io:443
@@ -86,12 +87,12 @@ jobs:
 # info
 info:
 name: Info
- runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+ runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
 timeout-minutes: 30
 if: ${{ github.event.inputs.loglevel == 'debug' }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -102,7 +103,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: info
@@ -118,13 +119,13 @@ jobs:
 # build
 build:
 name: Build
- runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+ runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
 permissions:
 id-token: write # provenance signing
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -135,7 +136,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: build
@@ -145,7 +146,7 @@ jobs:
 run: |
 cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build
 - name: upload artifacts
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: build-${{ github.run_id }}
 path: .dist
@@ -155,11 +156,11 @@ jobs:
 # test
 test:
 name: Test
- runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+ runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -170,7 +171,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: test
@@ -180,7 +181,41 @@ jobs:
 run: |
 cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test
 - name: upload artifacts
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ with:
+ name: test-${{ github.run_id }}
+ path: .dist
+ retention-days: 1
+ if-no-files-found: ignore
+ # lint
+ lint:
+ name: Lint
+ runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
+ timeout-minutes: 30
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-telemetry: true
+ disable-sudo: true
+ egress-policy: ${{ env.EGRESS_POLICY }}
+ allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_LINT }}
+ - name: prepare environment
+ uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+ with:
+ version: ${{ env.CID_VERSION }}
+ - name: checkout
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+ with:
+ fetch-depth: 0
+ - name: lint
+ env:
+ CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
+ CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+ run: |
+ cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage lint
+ - name: upload artifacts
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: test-${{ github.run_id }}
 path: .dist
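Review bot: The new lint job's final `- name: upload artifacts` step in this hunk reuses the test job's artifact name: the context lines that close the hunk, `name: test-${{ github.run_id }}` / `path: .dist`, now belong to the lint step, while the test step above got its own copy of the same `name: test-${{ github.run_id }}`, so both jobs upload an artifact with the same name in one run. actions/upload-artifact v4 (pinned here as v4.4.3) treats artifacts as immutable and, as far as I know, rejects a second upload under an existing name unless `overwrite: true` is set, so whichever of test or lint finishes last would fail and `scan`, which now has `needs: [build, test, lint]`, would be skipped; with overwrite the lint output would silently replace the test output, which is no better. Give the lint step its own artifact, `name: lint-${{ github.run_id }}`, and do the same in the matching hunk of .github/workflows/cid.yml (`@@ -182,7 +183,41 @@`). Both files are marked as generated by the CID Workflow GitHub App, so the fix belongs in the generator's template, not in these files directly.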
@@ -189,14 +224,14 @@ jobs:
 # scan
 scan:
 name: Scan
- runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
- needs: [build, test]
+ runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
+ needs: [build, test, lint]
 permissions:
 security-events: write
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -207,7 +242,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: download artifacts > build
diff --git a/.github/workflows/cid.yml b/.github/workflows/cid.yml
index e192ee5..218edb8 100644
--- a/.github/workflows/cid.yml
+++ b/.github/workflows/cid.yml
@@ -1,4 +1,4 @@
-# cid-workflow-version: 0.0.24
+# cid-workflow-version: 0.0.25
 # This file is generated by the CID Workflow GitHub App.
 # DO NOT EDIT!
@@ -75,6 +75,7 @@ env:
 uploads.github.com:443
 EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: ""
 EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: ""
+ EGRESS_POLICY_ALLOWED_ENDPOINTS_LINT: ""
 EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >-
 api.sonarcloud.io:443
 scanner.sonarcloud.io:443
@@ -88,12 +89,12 @@ jobs:
 # info
 info:
 name: Info
- runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+ runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
 timeout-minutes: 30
 if: ${{ github.event.inputs.loglevel == 'debug' }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -104,7 +105,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: info
@@ -120,13 +121,13 @@ jobs:
 # build
 build:
 name: Build
- runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+ runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
 permissions:
 id-token: write # provenance signing
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -137,7 +138,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: build
@@ -147,7 +148,7 @@ jobs:
 run: |
 cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build
 - name: upload artifacts
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: build-${{ github.run_id }}
 path: .dist
@@ -157,11 +158,11 @@ jobs:
 # test
 test:
 name: Test
- runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+ runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -172,7 +173,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: test
@@ -182,7 +183,41 @@ jobs:
 run: |
 cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test
 - name: upload artifacts
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+ with:
+ name: test-${{ github.run_id }}
+ path: .dist
+ retention-days: 1
+ if-no-files-found: ignore
+ # lint
+ lint:
+ name: Lint
+ runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
+ timeout-minutes: 30
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ disable-telemetry: true
+ disable-sudo: true
+ egress-policy: ${{ env.EGRESS_POLICY }}
+ allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_LINT }}
+ - name: prepare environment
+ uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
+ with:
+ version: ${{ env.CID_VERSION }}
+ - name: checkout
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+ with:
+ fetch-depth: 0
+ - name: lint
+ env:
+ CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
+ CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
+ run: |
+ cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage lint
+ - name: upload artifacts
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: test-${{ github.run_id }}
 path: .dist
@@ -191,14 +226,14 @@ jobs:
 # scan
 scan:
 name: Scan
- runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
- needs: [build, test]
+ runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
+ needs: [build, test, lint]
 permissions:
 security-events: write
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -209,7 +244,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: download artifacts > build
@@ -238,14 +273,14 @@ jobs:
 # package
 package:
 name: Package
- runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+ runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
 needs: [build]
 permissions:
 id-token: write # provenance signing
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -256,7 +291,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: download artifacts > build
@@ -272,7 +307,7 @@ jobs:
 run: |
 cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage package
 - name: upload artifacts
- uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: package-${{ github.run_id }}
 path: .dist
@@ -281,7 +316,7 @@ jobs:
 # publish
 publish:
 name: Publish
- runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
+ runs-on: ubuntu-24.04 # https://github.com/actions/runner-images
 needs: [package, scan]
 permissions:
 # create release
@@ -292,7 +327,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
 with:
 disable-telemetry: true
 disable-sudo: true
@@ -303,7 +338,7 @@ jobs:
 with:
 version: ${{ env.CID_VERSION }}
 - name: checkout
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 with:
 fetch-depth: 0
 - name: download artifacts > package