From e5f2b3088d8e39d85429e7a05525fc68bfbd148c Mon Sep 17 00:00:00 2001 From: Garrett Beatty Date: Wed, 9 Apr 2025 13:09:48 -0400 Subject: [PATCH 1/5] update actions to use commit hash (#368) * Update GitHub Actions * Update GitHub Actions --- .github/workflows/aws-ci.yml | 4 ++-- .github/workflows/closed-issue-message.yml | 2 +- .github/workflows/handle-stale-discussions.yml | 2 +- .github/workflows/stale_issues.yml | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/aws-ci.yml b/.github/workflows/aws-ci.yml index f35e6249..c51d7e1c 100644 --- a/.github/workflows/aws-ci.yml +++ b/.github/workflows/aws-ci.yml @@ -36,11 +36,11 @@ jobs: aws-region: us-west-2 - name: Run Tests on AWS id: codebuild - uses: aws-actions/aws-codebuild-run-build@v1 + uses: aws-actions/aws-codebuild-run-build@4d15a47425739ac2296ba5e7eee3bdd4bfbdd767 #v1.0.18 with: project-name: ${{ secrets.CI_TESTING_CODE_BUILD_PROJECT_NAME }} - name: CodeBuild Link shell: pwsh run: | $buildId = "${{ steps.codebuild.outputs.aws-build-id }}" - echo $buildId \ No newline at end of file + echo $buildId diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml index 3691dead..0ae039c8 100644 --- a/.github/workflows/closed-issue-message.yml +++ b/.github/workflows/closed-issue-message.yml @@ -6,7 +6,7 @@ jobs: auto_comment: runs-on: ubuntu-latest steps: - - uses: aws-actions/closed-issue-message@v1 + - uses: aws-actions/closed-issue-message@10aaf6366131b673a7c8b7742f8b3849f1d44f18 #v2 with: # These inputs are both required repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/handle-stale-discussions.yml b/.github/workflows/handle-stale-discussions.yml index 8b5bcb1f..bfa00bd8 100644 --- a/.github/workflows/handle-stale-discussions.yml +++ b/.github/workflows/handle-stale-discussions.yml @@ -13,6 +13,6 @@ jobs: discussions: write steps: - name: Stale discussions action - uses: aws-github-ops/handle-stale-discussions@v1 + uses: aws-github-ops/handle-stale-discussions@711a9813957be17629fc6933afcd8bd132c57254 #v1.6 env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/stale_issues.yml b/.github/workflows/stale_issues.yml index b8330628..dfda146e 100644 --- a/.github/workflows/stale_issues.yml +++ b/.github/workflows/stale_issues.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest name: Stale issue job steps: - - uses: aws-actions/stale-issue-cleanup@v6 + - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc #v7.1.0 with: # Setting messages to an empty string will cause the automation to skip # that category From 89a159e9f18cbdc4454f00ca3137c9ff28f02f6a Mon Sep 17 00:00:00 2001 From: Phil Asmar Date: Thu, 10 Apr 2025 11:15:32 -0400 Subject: [PATCH 2/5] ci: add sync master/dev workflow --- .github/workflows/create-release-pr.yml | 10 +- .github/workflows/sync-master-dev.yml | 147 ++++++++++++++++++++++++ 2 files changed, 152 insertions(+), 5 deletions(-) create mode 100644 .github/workflows/sync-master-dev.yml diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml index d2f72f77..2e1be4e3 100644 --- a/.github/workflows/create-release-pr.yml +++ b/.github/workflows/create-release-pr.yml @@ -25,31 +25,31 @@ jobs: steps: # Assume an AWS Role that provides access to the Access Token - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 #v4 + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0 with: role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }} aws-region: us-west-2 # Retrieve the Access Token from Secrets Manager - name: Retrieve secret from AWS Secrets Manager - uses: aws-actions/aws-secretsmanager-get-secrets@v2 + uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8 with: secret-ids: | AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }} parse-json-secrets: true # Checkout a full clone of the repo - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: fetch-depth: '0' token: ${{ env.AWS_SECRET_TOKEN }} # Install .NET8 which is needed for AutoVer - name: Setup .NET 8.0 - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 #v4.3.1 with: dotnet-version: 8.0.x # Install AutoVer to automate versioning and changelog creation - name: Install AutoVer - run: dotnet tool install --global AutoVer --version 0.0.24 + run: dotnet tool install --global AutoVer --version 0.0.25 # Set up a git user to be able to run git commands later on - name: Setup Git User run: | diff --git a/.github/workflows/sync-master-dev.yml b/.github/workflows/sync-master-dev.yml new file mode 100644 index 00000000..eb0a3ae6 --- /dev/null +++ b/.github/workflows/sync-master-dev.yml @@ -0,0 +1,147 @@ +# This GitHub Workflow is designed to run automatically after the Release PR, which was created by the `Create Release PR` workflow, is closed. +# This workflow has 2 jobs. One will run if the `Release PR` is successfully merged, indicating that a release should go out. +# The other will run if the `Release PR` was closed and a release is not intended to go out. +name: Sync 'dev' and 'master' + +# The workflow will automatically be triggered when any PR is closed. +on: + pull_request: + types: [closed] + +permissions: + contents: write + id-token: write + +jobs: + # This job will check if the PR was successfully merged, it's source branch is `releases/next-release` and target branch is `dev`. + # This indicates that the merged PR was the `Release PR`. + # This job will synchronize `dev` and `master`, create a GitHub Release and delete the `releases/next-release` branch. + sync-dev-and-master: + name: Sync dev and master + if: | + github.event.pull_request.merged == true && + github.event.pull_request.head.ref == 'releases/next-release' && + github.event.pull_request.base.ref == 'dev' + runs-on: ubuntu-latest + steps: + # Assume an AWS Role that provides access to the Access Token + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0 + with: + role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }} + aws-region: us-west-2 + # Retrieve the Access Token from Secrets Manager + - name: Retrieve secret from AWS Secrets Manager + uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8 + with: + secret-ids: | + AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }} + parse-json-secrets: true + # Checkout a full clone of the repo + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + ref: dev + fetch-depth: 0 + token: ${{ env.AWS_SECRET_TOKEN }} + # Install .NET9 which is needed for AutoVer + - name: Setup .NET 9.0 + uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 #v4.3.1 + with: + dotnet-version: 9.0.x + # Install AutoVer which is needed to retrieve information about the current release. + - name: Install AutoVer + run: dotnet tool install --global AutoVer --version 0.0.25 + # Set up a git user to be able to run git commands later on + - name: Setup Git User + run: | + git config --global user.email "github-aws-sdk-dotnet-automation@amazon.com" + git config --global user.name "aws-sdk-dotnet-automation" + # Retrieve the release name which is needed for the GitHub Release + - name: Read Release Name + id: read-release-name + run: | + version=$(autover changelog --release-name) + echo "VERSION=$version" >> $GITHUB_OUTPUT + # Retrieve the tag name which is needed for the GitHub Release + - name: Read Tag Name + id: read-tag-name + run: | + tag=$(autover changelog --tag-name) + echo "TAG=$tag" >> $GITHUB_OUTPUT + # Retrieve the changelog which is needed for the GitHub Release + - name: Read Changelog + id: read-changelog + run: | + changelog=$(autover changelog --output-to-console) + echo "CHANGELOG<> "$GITHUB_OUTPUT" + # Merge dev into master in order to synchronize the 2 branches + - name: Merge dev to master + run: | + git fetch origin + git checkout master + git merge dev + git push origin master + # Create the GitHub Release + - name: Create GitHub Release + env: + GITHUB_TOKEN: ${{ env.AWS_SECRET_TOKEN }} + run: | + gh release create "${{ steps.read-tag-name.outputs.TAG }}" --title "${{ steps.read-release-name.outputs.VERSION }}" --notes "${{ steps.read-changelog.outputs.CHANGELOG }}" + # Delete the `releases/next-release` branch + - name: Clean up + run: | + git fetch origin + if git ls-remote --exit-code --heads origin releases/next-release > /dev/null; then + echo "Branch 'releases/next-release' exists on origin. Deleting..." + git push origin --delete releases/next-release + else + echo "Branch 'releases/next-release' does not exist on origin, skipping deletion." + fi + # This job will check if the PR was closed, it's source branch is `releases/next-release` and target branch is `dev`. + # This indicates that the closed PR was the `Release PR`. + # This job will delete the tag created by AutoVer and the release branch. + clean-up-closed-release: + name: Clean up closed release + if: | + github.event.pull_request.merged == false && + github.event.pull_request.head.ref == 'releases/next-release' && + github.event.pull_request.base.ref == 'dev' + runs-on: ubuntu-latest + steps: + # Checkout a full clone of the repo + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + ref: releases/next-release + fetch-depth: 0 + # Install .NET9 which is needed for AutoVer + - name: Setup .NET 9.0 + uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 #v4.3.1 + with: + dotnet-version: 9.0.x + # Install AutoVer which is needed to retrieve information about the current release. + - name: Install AutoVer + run: dotnet tool install --global AutoVer --version 0.0.25 + # Set up a git user to be able to run git commands later on + - name: Setup Git User + run: | + git config --global user.email "github-aws-sdk-dotnet-automation@amazon.com" + git config --global user.name "aws-sdk-dotnet-automation" + # Retrieve the tag name to be deleted + - name: Read Tag Name + id: read-tag-name + run: | + tag=$(autover changelog --tag-name) + echo "TAG=$tag" >> $GITHUB_OUTPUT + # Delete the tag created by AutoVer and the release branch + - name: Clean up + run: | + git fetch origin + git push --delete origin ${{ steps.read-tag-name.outputs.TAG }} + if git ls-remote --exit-code --heads origin releases/next-release > /dev/null; then + echo "Branch 'releases/next-release' exists on origin. Deleting..." + git push origin --delete releases/next-release + else + echo "Branch 'releases/next-release' does not exist on origin, skipping deletion." + fi \ No newline at end of file From e7e6738c89f39856b5a0a861ce5a51f94b5eb6d4 Mon Sep 17 00:00:00 2001 From: Garrett Beatty Date: Tue, 29 Apr 2025 12:53:19 -0400 Subject: [PATCH 3/5] Add dependabot configuration (#373) --- .github/dependabot.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..b76d5c8a --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +# Set update schedule for GitHub Actions + +version: 2 +updates: + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + # Check for updates to GitHub Actions every week + interval: "weekly" + labels: + - "Release Not Needed" + target-branch: "dev" \ No newline at end of file From f04e617ed42b1eba1d3608cc1e3bc66ddcb00398 Mon Sep 17 00:00:00 2001 From: Garrett Beatty Date: Wed, 7 May 2025 17:37:24 -0400 Subject: [PATCH 4/5] Add Semgrep security scanning workflow (#376) * Add Semgrep security scanning workflow * Update semgrep-analysis.yml --- .github/workflows/semgrep-analysis.yml | 41 ++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/semgrep-analysis.yml diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml new file mode 100644 index 00000000..aeecb956 --- /dev/null +++ b/.github/workflows/semgrep-analysis.yml @@ -0,0 +1,41 @@ +name: Semgrep + +on: + # Scan changed files in PRs, block on new issues only (existing issues ignored) + pull_request: + + push: + branches: ["dev", "master"] + + schedule: + - cron: '23 20 * * 1' + + # Manually trigger the workflow + workflow_dispatch: + +jobs: + semgrep: + name: Scan + permissions: + security-events: write + runs-on: ubuntu-latest + container: + image: returntocorp/semgrep + # Skip any PR created by dependabot to avoid permission issues + if: (github.actor != 'dependabot[bot]') + steps: + # Fetch project source + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + + - run: semgrep ci --sarif > semgrep.sarif + env: + SEMGREP_RULES: >- # more at semgrep.dev/explore + p/security-audit + p/secrets + p/owasp-top-ten + + - name: Upload SARIF file for GitHub Advanced Security Dashboard + uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 #v3.28.16 + with: + sarif_file: semgrep.sarif + if: always() From e93f6e9602729d3f630cac4debea92478d9734da Mon Sep 17 00:00:00 2001 From: Ashish Dhingra <67916761+ashishdhingra@users.noreply.github.com> Date: Thu, 5 Jun 2025 11:18:28 -0700 Subject: [PATCH 5/5] chore: Pinned to v1.6.0 of aws-github-ops/handle-stale-discussions so that closed GitHub discussions are not auto-reopened. (#377) --- .github/workflows/handle-stale-discussions.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/handle-stale-discussions.yml b/.github/workflows/handle-stale-discussions.yml index bfa00bd8..25a70559 100644 --- a/.github/workflows/handle-stale-discussions.yml +++ b/.github/workflows/handle-stale-discussions.yml @@ -13,6 +13,6 @@ jobs: discussions: write steps: - name: Stale discussions action - uses: aws-github-ops/handle-stale-discussions@711a9813957be17629fc6933afcd8bd132c57254 #v1.6 + uses: aws-github-ops/handle-stale-discussions@c0beee451a5d33d9c8f048a6d4e7c856b5422544 #v1.6.0 env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}