diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8d85c580c..b5ec0a172 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -51,4 +51,6 @@ updates:
 schedule:
 interval: "daily"
 target-branch: "master"
- labels: ["dependencies", "github-actions"]
\ No newline at end of file
+ labels: ["dependencies", "github-actions"]
+ cooldown:
+ default-days: 7
\ No newline at end of file
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
index 1485659a2..4dff90c0f 100644
--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
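Review bot: The new last line `default-days: 7` is still written without a trailing newline (`\ No newline at end of file` on the `+` side), while this same commit fixes exactly that in dependabot-auto-merge.yml and sbom.yml; adding the newline here keeps the next one-line change to this file from showing up as a two-line diff. A cooldown also means the commit pins added to the workflows will trail upstream action releases by a week, which is a defensible choice but is easier to keep deliberate if stated, e.g. `# 7-day cooldown: let upstream regressions or retracted releases surface before bumping action pins`.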
@@ -6,20 +6,20 @@ jobs: test_deployments: runs-on: ubuntu-latest steps: - - name: Checkout Scripts - uses: actions/checkout@v2 + - name: Checkout Scripts + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - - name: Test Pull Request Deployments - env: - AZURE_TOKEN: "${{ secrets.AZURE_TOKEN }}" - AZ_CLIENT_ID: "${{ secrets.AZ_CLIENT_ID }}" - AZ_CLIENT_SECRET: "${{ secrets.AZ_CLIENT_SECRET }}" - AZ_CLIENT_TENANT: "${{ secrets.AZ_CLIENT_TENANT }}" - run: | - export BRANCH_NAME="${{ github.event.pull_request.head.ref }}" - export NOTIFY_COMMIT_SHA="${{ github.event.pull_request.head.sha }}" - export UTILS_PR_NUMBER="${{ github.event.pull_request.number }}" - echo UTILS_PR_NUMBER=${UTILS_PR_NUMBER} - echo BRANCH_NAME=${BRANCH_NAME} - echo NOTIFY_COMMIT_SHA=${NOTIFY_COMMIT_SHA} - python3 scripts/test_pull_request_deployments.py + - name: Test Pull Request Deployments + env: + AZURE_TOKEN: "${{ secrets.AZURE_TOKEN }}" + AZ_CLIENT_ID: "${{ secrets.AZ_CLIENT_ID }}" + AZ_CLIENT_SECRET: "${{ secrets.AZ_CLIENT_SECRET }}" + AZ_CLIENT_TENANT: "${{ secrets.AZ_CLIENT_TENANT }}" + run: | + export BRANCH_NAME="${{ github.event.pull_request.head.ref }}" + export NOTIFY_COMMIT_SHA="${{ github.event.pull_request.head.sha }}" + export UTILS_PR_NUMBER="${{ github.event.pull_request.number }}" + echo UTILS_PR_NUMBER=${UTILS_PR_NUMBER} + echo BRANCH_NAME=${BRANCH_NAME} + echo NOTIFY_COMMIT_SHA=${NOTIFY_COMMIT_SHA} + python3 scripts/test_pull_request_deployments.py diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 5db4df625..9cd7b9547 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Fetch Dependabot metadata id: meta - uses: dependabot/fetch-metadata@v2 + uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} 
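Review bot: The re-indented `Test Pull Request Deployments` step still expands `${{ github.event.pull_request.head.ref }}` directly inside the `run:` script; a branch name is free text chosen by whoever opened the PR, and a template expansion inside a shell body is the standard GitHub Actions script-injection pattern, which matters here because the same step carries four Azure secrets in its environment. Move the three PR values into `env:` and let the shell read them as ordinary variables, which is a plain string substitution rather than a template expansion, so the `export` lines disappear from the script. Pinning checkout to a commit is the right direction; the workflow's `on:` trigger is above the hunk, so I cannot tell whether this runs on `pull_request_target`, where the exposure would be larger. The `test_deployments` job starts before the hunk's first line.
```yaml
      - name: Test Pull Request Deployments
        env:
          # … unchanged: AZURE_TOKEN, AZ_CLIENT_ID, AZ_CLIENT_SECRET, AZ_CLIENT_TENANT …
          BRANCH_NAME: "${{ github.event.pull_request.head.ref }}"
          NOTIFY_COMMIT_SHA: "${{ github.event.pull_request.head.sha }}"
          UTILS_PR_NUMBER: "${{ github.event.pull_request.number }}"
        run: |
          # … unchanged: the three echo lines and the python3 invocation; the export lines are dropped …
```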
@@ -34,4 +34,4 @@ jobs:
 run: gh pr merge --auto --squash "$PR_URL"
 env:
 PR_URL: ${{ github.event.pull_request.html_url }}
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d1684754c..917c27282 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -3,49 +3,49 @@ name: Publish / Calculate Version on: push jobs: - build: - name: calculate version - runs-on: ubuntu-22.04 - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function - - - name: Install Python 3.13 - uses: actions/setup-python@v5 - with: - python-version: 3.13 - - - name: Install poetry - run: pip install poetry - - - name: Cache poetry packages - uses: actions/cache@v4 - id: cache - with: - path: ~/.venv - key: ${{ runner.os }}-utils-venv-${{ hashFiles('**/poetry.lock') }} - - - name: Install - run: poetry install - if: steps.cache.outputs.cache-hit != 'true' - - - name: Set SPEC_VERSION env var - run: | - version="$(poetry run python scripts/calculate_version.py)" - echo "${version}" - echo ::set-env name=SPEC_VERSION::${version} - env: - ACTIONS_ALLOW_UNSECURE_COMMANDS: true - - - name: Create release (master only) - id: create-release - if: github.ref == 'refs/heads/master' - uses: actions/create-release@v1 - continue-on-error: true - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ env.SPEC_VERSION }} - release_name: ${{ env.SPEC_VERSION }} + build: + name: calculate version + runs-on: ubuntu-22.04 + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 # This causes all history to be fetched, which is required for calculate-version to function + + - name: Install Python 3.13 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 + with: + python-version: 3.13 + + - name: Install poetry + run: pip install poetry + + - name: Cache poetry packages + uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 + id: cache + with: + path: ~/.venv + key: ${{ runner.os }}-utils-venv-${{ hashFiles('**/poetry.lock') }} + + - name: Install + run: poetry install + if: steps.cache.outputs.cache-hit != 'true' + + 
- name: Set SPEC_VERSION env var + run: | + version="$(poetry run python scripts/calculate_version.py)" + echo "${version}" + echo ::set-env name=SPEC_VERSION::${version} + env: + ACTIONS_ALLOW_UNSECURE_COMMANDS: true + + - name: Create release (master only) + id: create-release + if: github.ref == 'refs/heads/master' + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 + continue-on-error: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + tag_name: ${{ env.SPEC_VERSION }} + release_name: ${{ env.SPEC_VERSION }} diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml index 7b57a5db7..341a437e0 100644 --- a/.github/workflows/sbom.yml +++ b/.github/workflows/sbom.yml @@ -24,10 +24,10 @@ jobs: contents: write steps: - name: Checkout - uses: actions/checkout@v5 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup Python 3.13 - uses: actions/setup-python@v5 + uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 with: python-version: "3.13" @@ -56,7 +56,7 @@ jobs: chmod +x syft # Add to PATH for subsequent steps - echo "$(pwd)" >> $GITHUB_PATH + echo "$(pwd)" >> $GITHUB_PATH - name: Create SBOM run: bash scripts/create-sbom.sh terraform python tflint @@ -69,7 +69,7 @@ jobs: python .github/scripts/sbom_json_to_csv.py sbom.json SBOM_${REPO_NAME}.csv - name: Upload SBOM CSV as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: sbom-csv path: SBOM_${{ github.event.repository.name }}.csv @@ -81,8 +81,6 @@ jobs: - name: Scan SBOM for Vulnerabilities (JSON) run: | grype sbom:sbom.json -o json > grype-report.json - - - name: Convert Grype JSON to CSV run: | 
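Review bot: The `Set SPEC_VERSION env var` step on the new side still publishes the version through `echo ::set-env name=SPEC_VERSION::${version}` with `ACTIONS_ALLOW_UNSECURE_COMMANDS: true`, so the hunk pins every action to a commit yet keeps the one workflow command GitHub disabled because of its injection risk. The supported form needs no opt-in: `echo "SPEC_VERSION=${version}" >> "$GITHUB_ENV"`, after which the `env:` block carrying `ACTIONS_ALLOW_UNSECURE_COMMANDS` can be deleted. Two smaller points: `python-version: 3.13` is an unquoted float, whereas sbom.yml in this same commit writes `"3.13"`, and actions/create-release appears to be archived upstream, so the commit pin gives reproducibility but no future fixes. The hunk header counts suggest one trailing context line I cannot see.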
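Review bot: The sbom job keeps `permissions: contents: write` (visible as context just above the pinned checkout step) although none of the steps these hunks touch — checkout, setup-python, the syft download, SBOM generation, the grype scan and the three artifact uploads — write to the repository; unless a step outside the diff commits or pushes results, `contents: read` is the least privilege the job needs, and the `GITHUB_TOKEN` scope is what bounds the blast radius of any third-party action the job runs. The pins themselves are welcome; the `@@ -56` hunk additionally re-indents `echo "$(pwd)" >> $GITHUB_PATH` without quoting the redirect target, which `>> "$GITHUB_PATH"` would tidy. The job definition starts before the first hunk, so I can only see the steps the diff touches.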
@@ -90,9 +88,8 @@ jobs: REPO_NAME=$(basename $GITHUB_REPOSITORY) python .github/scripts/grype_json_to_csv.py grype-report.json grype-report-${REPO_NAME}.csv - - name: Upload Vulnerability Report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: grype-report path: grype-report-${{ github.event.repository.name }}.csv @@ -104,7 +101,7 @@ jobs: python .github/scripts/sbom_packages_to_csv.py sbom.json $REPO_NAME - name: Upload Package Inventory CSV - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: sbom-packages - path: sbom-packages-${{ github.event.repository.name }}.csv \ No newline at end of file + path: sbom-packages-${{ github.event.repository.name }}.csv