frmscoe · scott45 · Dec 6, 2024 · Sep 2, 2024 · Sep 2, 2024 · Sep 2, 2024
@@ -43,7 +43,7 @@ jobs:
           no-fail: true
 
       - name: Upload analysis results to GitHub
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: hadolint-results.sarif
           wait-for-processing: true
@@ -51,7 +51,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
 
 
-      * name: Generate artifact attestation
+      - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v1
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}

@@ -34,7 +34,7 @@ jobs:
           sarif_file: tfsec.sarif
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: tfsec.sarif
@@ -0,0 +1,29 @@
+## Workflow Name: Benchmark CI
+
+#### Purpose:
+
+- This workflow automates the process of updating and pushing benchmark data to the main branch of a repository.
+
+#### Environment Variables:
+
+`GITHUB_TOKEN`: GitHub token for authentication.
+
+`REPO_NAME`: The repository name where benchmark data is stored.
+
+`PROCCESSOR_REPO_NAME`: The name of the repository triggering the workflow.
+
+#### Trigger Events:
+
+`On`: push to the main branch.
+
+- Runs on: ubuntu-latest
+
+#### Workflow Steps:
+
+- Clone repo: Clone the benchmark repository using the GitHub token.
+
+- Switch to temp branch: Switch to a temporary branch, stash changes, and prepare the data file for update.
+
+- Write data: Append new benchmark data from the triggering repository to the CSV file and commit the changes.
+
+- Push data: Push the updated data back to the main branch of the benchmark repository.
@@ -0,0 +1,33 @@
+## Workflow Name: Codacy Security Scan
+
+#### Purpose: 
+
+- This workflow performs security scans on the codebase using Codacy and uploads the results in SARIF format to GitHub.
+
+#### Trigger Events:
+
+`Push`: Runs on pushes to the dev and main branches.
+
+`Pull Requests`: Runs on pull requests targeting dev and main.
+
+`Scheduled`: Runs every Thursday at 00:17 UTC.
+
+#### Permissions:
+
+`contents: read`: Allows reading repository contents.
+
+`security-events`: write: Allows uploading SARIF results.
+
+`actions: read`: Required for private repositories to retrieve Action run status.
+
+- Runs on: ubuntu-latest
+
+#### Workflow Steps:
+
+- Checkout Code: Uses actions/checkout@v4 to clone the repository.
+
+- Run Codacy Analysis CLI: Executes Codacy's CLI to scan the codebase, generating a SARIF file.
+
+- Upload SARIF Results: Uploads the SARIF file to GitHub using github/codeql-action/upload-sarif@v3.
+
+- This workflow ensures that security issues in the codebase are identified and reported efficiently.
@@ -0,0 +1,36 @@
+## Workflow Name: CodeQL
+
+#### Purpose: 
+
+- This workflow automates the process of scanning code for vulnerabilities using GitHub's CodeQL analysis.
+
+#### Trigger Events:
+
+`Push`: Runs on pushes to the dev and main branches.
+
+`Pull Requests`: Runs on pull requests targeting dev and main.
+
+`Scheduled`: Runs every Thursday at 00:34 UTC.
+
+#### Permissions:
+
+`actions: read`
+
+`contents: read`
+
+`security-events: write`
+
+#### Workflow Steps:
+
+- Checkout Repository: Uses actions/checkout@v4 to clone the repository.
+
+- Initialize CodeQL: Prepares the CodeQL environment for the specified languages.
+
+- Autobuild: Automatically builds the codebase (useful for compiled languages).
+
+- Perform CodeQL Analysis: Executes the CodeQL scan and uploads results.
+
+#### Language Support:
+The workflow is configured to scan JavaScript code but can be extended to support other languages like Java, Python, Go, etc.
+
+This setup ensures that your code is continuously analyzed for security vulnerabilities and quality issues.
@@ -0,0 +1,25 @@
+## Workflow Name: PR Conventional Commit Validation
+
+#### Purpose: 
+
+- This workflow automatically validates the title of a pull request (PR) to ensure it follows conventional commit guidelines. It also applies corresponding GitHub labels based on the commit type.
+
+- Uses the ytanikin/PRConventionalCommits@1.1.0 action.
+
+- Validates the PR title against a set of predefined conventional commit types (e.g., feat, fix, docs).
+
+- Maps these types to corresponding GitHub labels and applies them to the PR.
+
+- Utilizes a GitHub token for authentication and label management.
+
+- This workflow helps enforce commit message conventions and improve PR management by automatically labeling PRs based on their titles.
+
+#### Trigger Events:
+
+`Pull Request Events`: The workflow is triggered when a pull request is opened, synchronized, reopened, or edited.
+
+#### Workflow Steps:
+
+- Checkout Code: Uses actions/checkout@v4 to check out the repository.
+
+- PR Conventional Commit Validation:
@@ -0,0 +1,25 @@
+## Workflow Name: DCO (Developer Certificate of Origin)
+
+#### Purpose: 
+
+- This workflow automatically checks whether each commit in a pull request (PR) has a "Signed-off-by" line, ensuring compliance with the Developer Certificate of Origin (DCO).
+
+- Retrieves commits between the head and base branches.
+
+- Verifies that each commit contains a "Signed-off-by" line.
+
+- Lists any non-compliant commits and fails the job if any are found.
+
+- This workflow enforces DCO compliance, ensuring that all contributions are properly signed off, indicating that the contributor agrees to the terms of the DCO.
+
+#### Trigger Events:
+
+`Pull Request`: The workflow triggers whenever a pull request event occurs (e.g., opened, updated).
+
+#### Workflow Steps:
+
+- Checkout Repository:
+
+- Set Up Environment Variables:
+
+- Check for DCO Sign-off:
@@ -0,0 +1,25 @@
+## Workflow Name: Dependency Review
+
+#### Purpose: 
+
+- This workflow automatically reviews the dependencies of a project whenever a pull request (PR) is opened or updated, ensuring that new dependencies are checked for security vulnerabilities and other issues.
+
+- This workflow helps maintain the security and stability of your project by automatically reviewing new or updated dependencies in pull requests.
+
+#### Trigger Events:
+
+`Pull Request`: The workflow runs whenever a pull request is created or updated.
+
+#### Permissions:
+
+`Contents`: read: Grants the action read-only access to the repository contents.
+
+- Runs on: ubuntu-latest
+
+#### Workflow Steps:
+
+- Checkout Repository:
+
+- Dependency Review:
+
+Uses actions/dependency-review-action@v4 to analyze the dependencies of the project and identify any potential issues.
@@ -0,0 +1,37 @@
+## Workflow Name: Hadolint
+
+#### Purpose: 
+
+- This workflow automates the linting of Dockerfiles using Hadolint and uploads the results to GitHub in SARIF format for further analysis.
+
+- This workflow ensures that Dockerfiles are automatically checked for best practices and potential issues, with results easily accessible within GitHub.
+
+#### Trigger Events:
+
+`Push`: Runs on pushes to the dev and main branches.
+
+`Pull Request`: Runs on pull requests targeting the dev branch.
+
+`Scheduled`: Runs every Sunday at 13:17 UTC.
+
+#### Permissions:
+
+`Contents: read:` Grants read-only access to the repository contents.
+
+`Security-events: write:` Allows uploading SARIF results.
+
+`Actions: read:` Required for private repositories to retrieve Action run status.
+
+- Runs on: ubuntu-latest
+
+#### Workflow Steps:
+
+- Checkout Code
+
+- Run Hadolint
+
+Generates a SARIF file with the results.
+
+- Upload Analysis Results:
+
+Uses github/codeql-action/upload-sarif@v2 to upload the SARIF file to GitHub for security analysis and code scanning.
@@ -0,0 +1,42 @@
+## Workflow Name: Publish Docker Image
+
+Purpose: 
+
+- This workflow automates the process of building, tagging, and pushing Docker images to Docker Hub whenever a new release is published.
+
+#### Trigger Events:
+
+`Release`: The workflow is triggered when a release is published.
+
+#### Jobs:
+
+- push_to_registry:
+
+- Runs on: ubuntu-latest
+
+#### Permissions:
+
+`Packages: write:` Allows pushing packages to the Docker registry.
+
+`Contents: read:` Grants read access to the repository contents.
+
+`Attestations: write:` Allows writing attestations.
+
+`ID-Token: write:` Required for generating artifact attestations.
+
+#### Workflow Steps:
+
+- Check Out the Repo:
+
+- Log in to Docker Hub:
+
+Uses docker/login-action to authenticate with Docker Hub using credentials stored in GitHub Secrets.
+
+- Extract Metadata:
+
+Uses docker/metadata-action to generate Docker image tags and labels.
+
+- Build and Push Docker Image:
+
+Uses docker/build-push-action to build the Docker image and push it to Docker Hub with the generated tags and labels.
+Generate Artifact Attestation:
@@ -0,0 +1,27 @@
+## Workflow Name: GPG Verify
+
+#### Purpose: 
+
+- This workflow automatically verifies the GPG signatures of commits in a pull request, ensuring that all commits are signed and verified as part of the code review process.
+
+- This workflow helps enforce the use of GPG-signed commits, adding an extra layer of security to the contribution process.
+
+- If any commit fails the GPG verification, the workflow fails, ensuring only verified commits are merged.
+
+#### Trigger Events:
+
+`Pull Request`: The workflow triggers whenever a pull request is opened or updated.
+
+- Runs on: ubuntu-latest
+
+#### Workflow Steps:
+
+- Checkout Repository:
+
+- Set Up Environment Variables:
+
+Captures the head and base references of the pull request and sets up necessary environment variables.
+
+- Check GPG Verification Status:
+
+Retrieves the list of commits in the pull request. For each commit, it checks the GPG verification status using GitHub's API.
@@ -0,0 +1,31 @@
+## Workflow Name: Milestone Workflow
+
+#### Purpose: 
+
+- This workflow is designed to close a specific milestone on GitHub and trigger a release workflow. It is manually triggered with a specified milestone ID.
+
+- This workflow streamlines the process of managing milestones and automates the transition to the release process.
+
+#### Trigger Events:
+
+`Workflow Dispatch`: This workflow is triggered manually with a milestoneId input.
+
+- Runs on: ubuntu-latest
+
+#### Workflow Steps:
+
+- Checkout Repository:
+
+Uses actions/checkout@v2 to clone the repository.
+
+- Set Up Environment Variables:
+
+Sets up necessary environment variables, including the GitHub token, milestone number, and GitHub API URL.
+
+- Close Milestone:
+
+Uses the GitHub API to close the specified milestone.
+
+- Trigger Release Workflow:
+
+Triggers another workflow for releasing, passing the milestone number as a payload using the peter-evans/repository-dispatch@v1 action.
@@ -0,0 +1,32 @@
+## Workflow Name: njsscan sarif
+
+#### Purpose:
+
+- This GitHub workflow is designed to run the njsscan code scanning tool and upload the results as a SARIF (Static Analysis Results Interchange Format) report to GitHub. Here's a detailed breakdown of the workflow:
+
+- This workflow ensures that every push and pull request to the dev and main branches, as well as a weekly scheduled run, triggers a security scan using njsscan. The results are then uploaded to GitHub in SARIF format, allowing the repository maintainers to review and address potential security issues.
+
+#### Trigger Events
+
+`push`:
+
+`branches: [ "dev", "main" ]`: The workflow will trigger whenever there is a push to the dev or main branches.
+
+`pull_request`:
+
+`branches: [ "dev", "main" ]`: The workflow will also trigger when a pull request is made targeting the dev or main branches.
+
+`schedule`:
+
+`cron: '17 17 * * 1'`: The workflow is scheduled to run automatically every Monday at 17:17 UTC.
+
+
+#### permissions:
+
+`contents`: read: Grants read access to the repository contents for the entire workflow.
+
+#### Workflow Steps
+
+- Checkout the code
+
+- njsscan