From 52e9adaef566ea901094b4bb4da4fb3dc5d5cfcc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rodrigo=20Laiola=20Guimar=C3=A3es?=
Date: Thu, 28 Sep 2023 10:23:02 -0300
Subject: [PATCH] Add actions
---
 .github/dependabot.yml | 3 +-
 .github/super-linter.env | 4 +
 .github/workflows/close-stale.yml | 56 +++++++++++++
 .github/workflows/code-linting.yml | 51 ------------
 .github/workflows/code-scanning.yml | 83 -------------------
 .github/workflows/lint-files.yml | 88 ++++++++++++++++++++
 .github/workflows/scan-code.yml | 123 ++++++++++++++++++++++++++++
 7 files changed, 273 insertions(+), 135 deletions(-)
 create mode 100644 .github/super-linter.env
 create mode 100644 .github/workflows/close-stale.yml
 delete mode 100644 .github/workflows/code-linting.yml
 delete mode 100644 .github/workflows/code-scanning.yml
 create mode 100644 .github/workflows/lint-files.yml
 create mode 100644 .github/workflows/scan-code.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index d8742c57..f1a50e09 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,3 +1,4 @@
+---
 # Set update schedule for GitHub Actions
 version: 2
@@ -7,4 +8,4 @@ updates:
 directory: "/"
 schedule:
 # Check for updates to GitHub Actions every weekday
- interval: "daily"
+ interval: "daily"
\ No newline at end of file
diff --git a/.github/super-linter.env b/.github/super-linter.env
new file mode 100644
index 00000000..aa0c758f
--- /dev/null
+++ b/.github/super-linter.env
@@ -0,0 +1,4 @@
+VALIDATE_ALL_CODEBASE=false
+VALIDATE_MARKDOWN=true
+VALIDATE_YAML=true
+VALIDATE_JAVASCRIPT_ES=true
\ No newline at end of file
diff --git a/.github/workflows/close-stale.yml b/.github/workflows/close-stale.yml
new file mode 100644
index 00000000..1dde87ca
--- /dev/null
+++ b/.github/workflows/close-stale.yml
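Review bot: The new `.github/super-linter.env` ends without a trailing newline (`\ No newline at end of file` after `VALIDATE_JAVASCRIPT_ES=true`), and lint-files.yml loads it with `cat .github/super-linter.env >> "$GITHUB_ENV"`. The runner most likely still reads the unterminated last line, but anything appended to `$GITHUB_ENV` after it in the same step would be fused onto `VALIDATE_JAVASCRIPT_ES=true` and silently drop that setting, so the file should end with a newline. The dependabot.yml hunk in the same commit also removes that file's trailing newline: the `interval: "daily"` line is otherwise unchanged yet now carries the no-newline marker, which looks unintended.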
@@ -0,0 +1,56 @@ +--- +name: Close stale issues and PRs + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# GitHub Actions Documentation +# https://docs.github.com/en/github-ae@latest/actions + +on: + schedule: + # Run daily at 6:30 PM UTC + - cron: '30 18 * * *' + # or on button click + workflow_dispatch: + +env: + ISSUE_WARN_MESSAGE: > + This issue is stale because it has been open 90 days with no activity. + Remove stale label or comment or this will be closed in 7 days. + + PR_WARN_MESSAGE: > + This PR is stale because it has been open 45 days with no activity. + + ISSUE_CLOSE_MESSAGE: > + This issue was closed because it has been stalled for 7 days with no + activity. Feel free to reopen if this issue is still relevant, or to ping + the collaborator who labelled it stalled if you have any questions. + +jobs: + stale: + runs-on: ubuntu-latest + permissions: + # https://github.com/actions/stale#recommended-permissions + issues: write + pull-requests: write + + steps: + # Close Stale Issues and PRs + # https://github.com/actions/stale + - + uses: actions/stale@v8 + with: + # Run the stale workflow as dry-run (no actions will be taken) + # debug-only: true + stale-issue-label: stale + stale-issue-message: ${{ env.ISSUE_WARN_MESSAGE }} + stale-pr-message: ${{ env.PR_WARN_MESSAGE }} + close-issue-message: ${{ env.ISSUE_CLOSE_MESSAGE }} + days-before-stale: 90 + days-before-pr-stale: 45 + days-before-close: 7 + # Never close a PR + days-before-pr-close: -1 diff --git a/.github/workflows/code-linting.yml b/.github/workflows/code-linting.yml deleted file mode 100644 index 6a784ddb..00000000 --- a/.github/workflows/code-linting.yml +++ /dev/null 
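Review bot: `uses: actions/stale@v8` references a mutable major tag, and every other action introduced by this commit does the same (`actions/checkout@v4` and `super-linter/super-linter/slim@v5` in lint-files.yml, `github/codeql-action/init`, `autobuild` and `analyze` at `@v2` in scan-code.yml). A tag can be re-pointed by the upstream maintainers or by whoever compromises that repository, and this job runs with `issues: write` and `pull-requests: write`, so the code that executes should be fixed by a full commit SHA with the version kept as a comment, e.g. `uses: actions/stale@<full-commit-sha>  # v8`. The header comment already states that these actions are not certified by GitHub, which is precisely the reason to pin, and the GitHub Actions update schedule in dependabot.yml will keep such pins current.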
@@ -1,51 +0,0 @@ -# This workflow may use actions that are not certified by GitHub. -# They may be provided by a third-party and be governed by -# separate terms of service, privacy policy, and support -# documentation. - -name: Lint code base - -on: - # Run on pushes - push: - # Remove the line to run when pushing to main - branches-ignore: ["main"] - # on PRs - pull_request: - branches: ["main"] - # or on button click - workflow_dispatch: - -jobs: - analyze: - runs-on: ubuntu-latest - - steps: - - # Checkout a repository under $GITHUB_WORKSPACE, so the workflow can access it. - # https://github.com/marketplace/actions/checkout - - - name: Checkout repository - uses: actions/checkout@v4.1.0 - with: - # Repository name with owner. For example, actions/checkout. - # Default: ${{ github.repository }} - repository: '${{ github.repository }}' - # The branch, tag or SHA to checkout. When checking out the repository that - # triggered a workflow, this defaults to the reference or SHA for that event. - # Otherwise, uses the default branch. - ref: 'main' - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - # Run a Super-Linter against code base - # https://github.com/marketplace/actions/super-linter - - - name: Lint repo code - uses: github/super-linter@v5 - env: - VALIDATE_ALL_CODEBASE: false - VALIDATE_JAVASCRIPT_ES: true - # Change to 'master' if your main branch differs - DEFAULT_BRANCH: main - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml deleted file mode 100644 index 02712883..00000000 --- a/.github/workflows/code-scanning.yml +++ /dev/null 
@@ -1,83 +0,0 @@ -# This workflow may use actions that are not certified by GitHub. -# They may be provided by a third-party and be governed by -# separate terms of service, privacy policy, and support -# documentation. - -name: Code scanning - -on: - # Run on pushes - push: - # Remove the line to run when pushing to main - branches-ignore: ["main"] - # on PRs - pull_request: - branches: ["main"] - # or on button click - workflow_dispatch: - -jobs: - analyze: - permissions: - actions: read - contents: read - security-events: write - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - language: [ 'javascript' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - # Checkout a repository under $GITHUB_WORKSPACE, so the workflow can access it. - # https://github.com/marketplace/actions/checkout - - - name: Checkout repository - uses: actions/checkout@v4.1.0 - with: - # Repository name with owner. For example, actions/checkout. - # Default: ${{ github.repository }} - repository: '${{ github.repository }}' - # The branch, tag or SHA to checkout. When checking out the repository that - # triggered a workflow, this defaults to the reference or SHA for that event. - # Otherwise, uses the default branch. - ref: 'main' - - # Initialize the CodeQL tools for scanning. - # https://github.com/github/codeql-action - - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. 
- - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - - name: Autobuild - uses: github/codeql-action/autobuild@v2 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - - # run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/lint-files.yml b/.github/workflows/lint-files.yml new file mode 100644 index 00000000..6a8b9527 --- /dev/null +++ b/.github/workflows/lint-files.yml 
@@ -0,0 +1,88 @@ +--- +name: Lint code base + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# GitHub Actions Documentation +# https://docs.github.com/en/github-ae@latest/actions + +on: + # Run on all pushes (except on master/main branch) + push: + branches-ignore: [master, main] + # Remove the line above to run when pushing to master + # PRs on master/main branch + pull_request: + branches: [master, main] + # or on button click + workflow_dispatch: + # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatchinputs + inputs: + ref: + # The branch, tag or SHA to checkout for linting. If empty, check out + # the repository that triggered the workflow. + description: | + The branch, tag or SHA to checkout (empty for current branch) + required: false + type: string + # or on calling as reusable workflow + workflow_call: + # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callinputs + inputs: + ref: + # The branch, tag or SHA to checkout for linting. If empty, check out + # the repository that triggered the workflow. 
+ description: | + The branch, tag or SHA to checkout (empty for current branch) + required: false + type: string + +jobs: + lint: + name: Lint code base + runs-on: ubuntu-latest + # Grant status permission for MULTI_STATUS + permissions: + contents: read + packages: read + statuses: write + + steps: + # Checkout a repository, so the workflow can access it + # https://github.com/actions/checkout + - + name: Checkout repository (no ref input) + uses: actions/checkout@v4 + if: ${{ inputs.ref == '' }} + with: + # Full git history is needed to get a proper + # list of changed files within `super-linter` + fetch-depth: 0 + + - + name: Checkout repository (with ref input) + uses: actions/checkout@v4 + if: ${{ inputs.ref != '' }} + with: + ref: '${{ inputs.ref }}' + # Full git history is needed to get a proper + # list of changed files within `super-linter` + fetch-depth: 0 + + # Load environment variables before running the GitHub Actions job + # https://github.com/super-linter/super-linter/blob/main/docs/run-linter-locally.md + - + run: cat .github/super-linter.env >> "$GITHUB_ENV" + + # Run Linter against code base + # https://github.com/super-linter/super-linter + - + name: Run Super-Linter on code base + #uses: github/super-linter@v5 + uses: super-linter/super-linter/slim@v5 + env: + DEFAULT_BRANCH: main + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scan-code.yml b/.github/workflows/scan-code.yml new file mode 100644 index 00000000..3e3b7c24 --- /dev/null +++ b/.github/workflows/scan-code.yml 
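Review bot: `DEFAULT_BRANCH: main` is hard-coded in the Super-Linter step while the triggers accept both `master` and `main`; because `VALIDATE_ALL_CODEBASE=false` is loaded from super-linter.env, super-linter diffs the checkout against that branch to find changed files, so on a repository whose default branch is `master` the comparison target does not exist. `DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}` follows whichever branch the repository actually uses. The `#uses: github/super-linter@v5` line is dead commented-out code next to the live `uses:`; either drop it or replace it with a comment saying why the slim image was chosen. The `run: cat .github/super-linter.env >> "$GITHUB_ENV"` step imports whatever the checked-out ref contains into the job environment, which on `pull_request` is the PR's own version of the file; that is acceptable only because those variables merely configure the linter and the token is read-only for fork PRs, and a comment stating so (e.g. `# Linter settings only; a PR may change them but gains no additional permissions`) would save the next reader the analysis.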
@@ -0,0 +1,123 @@ +--- +name: Security scan of code base + +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# GitHub Actions Documentation +# https://docs.github.com/en/github-ae@latest/actions + +on: + # Run on all pushes (except on master/main branch) + push: + branches-ignore: [master, main] + # Remove the line above to run when pushing to master + # PRs on master/main branch + pull_request: + branches: [master, main] + # on button click + workflow_dispatch: + # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_dispatchinputs + inputs: + ref: + # The branch, tag or SHA to checkout for linting. If empty, check out + # the repository that triggered the workflow. + description: | + The branch, tag or SHA to checkout (empty for current branch) + required: false + type: string + # or on calling as reusable workflow + workflow_call: + # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onworkflow_callinputs + inputs: + ref: + # The branch, tag or SHA to checkout for linting. If empty, check out + # the repository that triggered the workflow. 
+ description: | + The branch, tag or SHA to checkout (empty for current branch) + required: false + type: string + +jobs: + scan: + name: Scan code base + runs-on: ubuntu-latest + # Grant permissions + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ['javascript'] + # CodeQL also supports ['cpp','csharp','go','java','python','ruby'] + # Learn more about CodeQL language support at + # https://aka.ms/codeql-docs/language-support + + steps: + # Checkout a repository, so the workflow can access it + # https://github.com/actions/checkout + - + name: Checkout repository (no ref input) + uses: actions/checkout@v4 + if: ${{ inputs.ref == '' }} + with: + # Only a single commit is fetched by default, for the ref/SHA that + # triggered the workflow. Set fetch-depth: 0 to fetch all history + # for all branches and tags. + fetch-depth: 0 + + - + name: Checkout repository (with ref input) + uses: actions/checkout@v4 + if: ${{ inputs.ref != '' }} + with: + ref: '${{ inputs.ref }}' + # Only a single commit is fetched by default, for the ref/SHA that + # triggered the workflow. Set fetch-depth: 0 to fetch all history + # for all branches and tags. + fetch-depth: 0 + + # Initialize the CodeQL tools for scanning + # https://github.com/github/codeql-action + - + name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a + # config file. By default, queries listed here will override any + # specified in a config file. Prefix the list here with "+" to use + # these queries and those in the config file. 
+ + # Details on CodeQL's query packs refer to: + # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # Autobuild attempts to build any compiled languages (C/C++, C#, or + # Java). If this step fails, then you should remove it and run the build + # manually (see below). + - + name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹī¸ Command-line programs to run using the OS shell + # 📚 See + # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following + # three lines. Modify them (or add more) to build your code if your + # project, please refer to the EXAMPLE below for guidance. + + # - + # run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - + name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2
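Review bot: With `push` ignoring `[master, main]` and no `schedule:` trigger, the default branch is never scanned: CodeQL results are only produced for topic branches and PR merge commits, so the alert list for the default branch stays empty and already-merged code is never re-checked when new queries ship. Adding a `schedule:` entry with a weekly cron alongside the existing triggers (e.g. `- cron: '30 18 * * 1'`, a constructed example), or dropping the `branches-ignore` line as the comment already suggests, keeps the default branch covered. The `ref` input comments in this file still say "to checkout for linting", copied from lint-files.yml; here they should read "to checkout for scanning". The `fetch-depth: 0` comment is the checkout README text and does not say why full history is wanted for a CodeQL scan; a one-line reason, or removing `fetch-depth` if none applies, would avoid an unexplained full-history clone on every run.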