
Commit 129a993

authored
Merge branch 'advanced-security:main' into main
2 parents a6389b6 + c7ea0ea commit 129a993

20 files changed

+105
-88
lines changed
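--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,14 +1,20 @@
 name: "CodeQL Analysis"
 
 on:
+# Makes the workflow reusable / callable from other workflows
 workflow_call:
+workflow_dispatch:
 
 jobs:
 create-matrix:
 runs-on: ubuntu-latest
+permissions:
+contents: read
 outputs:
 matrix: ${{ steps.set-matrix.outputs.languages }}
 steps:
+# This step gets the languages for the repository and creates a supported
+# CodeQL language list that gets passed into the analyze step
 - name: Get languages from repo
 id: set-matrix
 uses: advanced-security/set-codeql-language-matrix@v1
@@ -18,6 +24,7 @@ jobs:
 
 analyze:
 needs: create-matrix
+# Check if there are no CodeQL supported languages
 if: ${{ needs.create-matrix.outputs.matrix != '[]' }}
 name: Analyze
 runs-on: ubuntu-latest
@@ -28,24 +35,25 @@ jobs:
 
 strategy:
 fail-fast: false
-matrix:
+matrix:
+# Create a matrix build for all supported languages
 language: ${{ fromJSON(needs.create-matrix.outputs.matrix) }}
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v6
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
-uses: github/codeql-action/init@v3
+uses: github/codeql-action/init@v4
 with:
 languages: ${{ matrix.language }}
 
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 - name: Autobuild
-uses: github/codeql-action/autobuild@v3
+uses: github/codeql-action/autobuild@v4
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@v3
+uses: github/codeql-action/analyze@v4
 with:
 category: "/language:${{matrix.language}}"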
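Review bot: The `analyze` job gains no `permissions` block in this change, while `create-matrix` now pins `contents: read`; if the lines of `analyze` outside these hunks do not declare one, the job inherits the caller's token scope instead of the least-privilege set it needs. A matching block on the job, `permissions:` with `contents: read` and `security-events: write` (plus `actions: read` when the repository is private), keeps the two jobs consistent and gives codeql-action/analyze exactly what it needs to upload results. The body of `analyze` continues outside the hunks shown, so this may already be covered further down.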

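--- a/.github/workflows/codeql-iac.yml
+++ b/.github/workflows/codeql-iac.yml
@@ -14,13 +14,13 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v6
 
 - name: Initialize and Analyze IaC
 id: codeql_iac
 uses: advanced-security/codeql-extractor-iac@main
 
 - name: Upload SARIF file
-uses: github/codeql-action/upload-sarif@v3
+uses: github/codeql-action/upload-sarif@v4
 with:
 sarif_file: ${{ steps.codeql_iac.outputs.sarif }}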
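Review bot: `advanced-security/codeql-extractor-iac@main` stays pinned to a moving branch right between the two actions this hunk bumps, so every run executes whatever `main` currently points at. Pinning it to a release tag or, consistent with container-publish.yml in this same commit, a full commit SHA with a `# vX.Y.Z` comment (version to be taken from that action's releases) makes the step reproducible and lets a reviewer audit what code runs.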

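--- a/.github/workflows/codeql-packs.yml
+++ b/.github/workflows/codeql-packs.yml
@@ -17,10 +17,12 @@ jobs:
 steps:
 - name: "Set Matrix"
 id: set-matrix
-uses: actions/github-script@v7
+uses: actions/github-script@v8
+env:
+INPUTS_PACKS: ${{ inputs.packs }}
 with:
 script: |
-const packs = '${{ inputs.packs }}'.split(',');
+const packs = process.env.INPUTS_PACKS.split(',');
 packs.forEach((pack, index) => {
 if (pack.endsWith('qlpack.yml')) {
 packs[index] = pack.slice(0, -10);
@@ -42,24 +44,24 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v6
 
 - name: "Build and Publish CodeQL Packs"
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+PACKS: ${{ matrix.packs }}
+GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
 run: |
-PACK_PATH="${{ matrix.packs }}/qlpack.yml"
+PACK_PATH="${PACKS}/qlpack.yml"
 CURRENT_VERSION=$(grep version $PACK_PATH | awk '{print $2}')
 PACK_FULLNAME=$(cat $PACK_PATH | grep "name:" | awk '{print $2}')
 PACK_NAME=$(echo $PACK_FULLNAME | awk -F '/' '{print $2}')
 
-PUBLISHED_VERSION=$(gh api /orgs/${{ github.repository_owner }}/packages/container/$PACK_NAME/versions --jq '.[0].metadata.container.tags[0]')
+PUBLISHED_VERSION=$(gh api /orgs/"$GITHUB_REPOSITORY_OWNER"/packages/container/"$PACK_NAME"/versions --jq '.[0].metadata.container.tags[0]')
 echo "Packs :: ${CURRENT_VERSION} -> ${PUBLISHED_VERSION}"
 
 if [ "$PUBLISHED_VERSION" != "$CURRENT_VERSION" ]; then
 gh extension install github/gh-codeql
-gh codeql pack install "${{ matrix.packs }}"
-gh codeql pack publish "${{ matrix.packs }}"
+gh codeql pack install "$PACKS"
+gh codeql pack publish "$PACKS"
 fi
-
-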
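Review bot: In the rewritten `run:` block `$PACK_PATH` is still expanded unquoted in `grep version $PACK_PATH` and `cat $PACK_PATH`, and `grep version` matches any line that merely contains that word, while the same change carefully quotes `$PACKS` and `$PACK_NAME` on the lines around it. Anchoring the patterns and quoting the path, `CURRENT_VERSION=$(grep '^version:' "$PACK_PATH" | awk '{print $2}')` and `PACK_FULLNAME=$(grep '^name:' "$PACK_PATH" | awk '{print $2}')`, reads only the intended keys and drops the `cat` pipe. Moving `inputs.packs` and `matrix.packs` into `env:` is the right fix for expression injection into scripts; `GITHUB_REPOSITORY_OWNER` is already a default runner variable with this value, so that entry is redundant but harmless. If the package has never been published, the `gh api` call presumably fails and, under the runner's default `bash -e`, aborts the step before the first publish; that path may deserve an explicit empty-result check rather than relying on the API succeeding.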

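--- a/.github/workflows/codeql-ql.yml
+++ b/.github/workflows/codeql-ql.yml
@@ -18,16 +18,16 @@ jobs:
 
 steps:
 - name: "Checkout repository"
-uses: actions/checkout@v4
+uses: actions/checkout@v6
 
 - name: "Set up Rust"
-uses: dtolnay/rust-toolchain@56f84321dbccf38fb67ce29ab63e4754056677e0 # v1.85.1
+uses: dtolnay/rust-toolchain@f7ccc83f9ed1e5b9c81d8a67d7ad1a747e22a561 # v1.85.1
 with:
 toolchain: stable
 
 - name: "Restore cached Cargo"
 id: cache-restore
-uses: actions/cache/restore@v4
+uses: actions/cache/restore@v5
 with:
 path: |
 ~/.cargo/bin/
@@ -111,15 +111,15 @@ jobs:
 mv updated_sarif.sarif ${{ steps.run_ql.outputs.sarif }}
 
 - name: Upload SARIF file
-uses: github/codeql-action/upload-sarif@v3
+uses: github/codeql-action/upload-sarif@v4
 with:
 sarif_file: ${{ steps.run_ql.outputs.sarif }}
 category: "/codeql:ql"
 
 - name: Save Cargo / Rust Cache
 id: cache-save
 if: ${{ github.event_name == 'push' }}
-uses: actions/cache/save@v4
+uses: actions/cache/save@v5
 with:
 path: |
 ~/.cargo/bin/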
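Review bot: The `dtolnay/rust-toolchain` pin moves from `56f84321…` to `f7ccc83f…` but the trailing comment reads `# v1.85.1` on both sides, so either the annotation is stale or the tag was re-pointed; since that comment is what a reader uses to audit a SHA pin, it should name the release the new commit actually corresponds to (taken from the action's tags) or the pin should stay as it was. Separately, `mv updated_sarif.sarif ${{ steps.run_ql.outputs.sarif }}` in the second hunk still interpolates an expression straight into the shell, the pattern this same commit removes from codeql-packs.yml and the language-detection workflow by routing values through `env:`; `env:` with `RUN_QL_SARIF: ${{ steps.run_ql.outputs.sarif }}` and `mv updated_sarif.sarif "$RUN_QL_SARIF"` would make this file consistent. The step containing that `mv` begins outside the hunk.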

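--- a/.github/workflows/container-publish.yml
+++ b/.github/workflows/container-publish.yml
@@ -45,20 +45,20 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v6
 
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
 - name: Log in to the Container registry
-uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Set Container Metadata
-uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
+uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
 id: meta
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -72,7 +72,7 @@ jobs:
 type=semver,pattern=v{{major}}.{{minor}},value=${{ inputs.version }}
 
 - name: Build & Publish Container ${{ env.IMAGE_NAME }}
-uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 id: build
 with:
 file: "${{ inputs.container-file }}"
@@ -85,20 +85,20 @@ jobs:
 
 # Upload Software Bill of Materials (SBOM) to GitHub
 - name: Upload SBOM
-uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # v0.1.1
+uses: advanced-security/spdx-dependency-submission-action@f957edbb35161c1f9e33f61026fc86a671c58cae # v0.1.2
 with:
 filePath: '.'
 filePattern: '*.spdx.json'
 
 # Build provenance attestations
 - name: Attest Container Image
-uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
 with:
 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 subject-digest: ${{ steps.build.outputs.digest }}
 push-to-registry: true
 
 # - name: Attest Container SBOM
-# uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+# uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
 # with:
 # subject-path:: '*.spdx.json'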
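Review bot: `docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051` is the one SHA pin in this file without a version comment, before and after the bump, while every other pinned action in the same hunk carries a `# vX.Y.Z` annotation. Adding the matching comment (the release this SHA corresponds to, taken from the action's tags) keeps the pins auditable and lets version-tracking tooling follow it. The commented-out `Attest Container SBOM` block was re-pinned as well; if it is not coming back, removing it beats maintaining dead config, and if it is, `subject-path::` carries a doubled colon that will not parse once uncommented.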

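--- a/.github/workflows/container-security.yml
+++ b/.github/workflows/container-security.yml
@@ -40,13 +40,13 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v6
 
 - name: Set up Docker Buildx
-uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
 - name: Build Initial Container
-uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 id: build
 with:
 file: "${{ inputs.container-file }}"
@@ -57,20 +57,20 @@ jobs:
 
 # Scan the image for vulnerabilities
 - name: Run the Anchore / Grype scan action
-uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6.1.0
+uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # v7.3.1
 id: scan
 with:
 image: localbuild/testimage:latest
 only-fixed: true
 fail-build: ${{ inputs.scanning-block }}
 
 - name: Upload SARIF artifact
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@v6
 with:
 name: sarif
 path: ${{ steps.scan.outputs.sarif }}
 
 - name: Upload vulnerability report
-uses: github/codeql-action/upload-sarif@v3
+uses: github/codeql-action/upload-sarif@v4
 with:
 sarif_file: ${{ steps.scan.outputs.sarif }}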
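Review bot: `anchore/scan-action` crosses a major version (v6.1.0 to v7.3.1) and `actions/upload-artifact` moves from v4 to v6 in the second hunk, yet the inputs `image`, `only-fixed` and `fail-build` and the `steps.scan.outputs.sarif` output are carried over untouched; major releases are where input and output names change, so these should be checked against the two changelogs before merge rather than assumed. The scan-action pin keeps its `# vX.Y.Z` comment, which is good; `upload-artifact` and `upload-sarif` stay on floating major tags, so pinning them to a commit SHA with the same annotation would bring this file in line with container-publish.yml.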

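--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -63,7 +63,7 @@ jobs:
 
 steps:
 - name: "Checkout"
-uses: actions/checkout@v4
+uses: actions/checkout@v6
 - name: "Get and Set version"
 id: set-version
 env: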

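--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -19,7 +19,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: 'Checkout Repository'
-uses: actions/checkout@v4
+uses: actions/checkout@v6
 
 # [optional] This setup isn't required but if your repository have a configuration,
 # we use that versus the centralised config.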

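--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -18,7 +18,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@v6
 
 # Check if the .github/labeler.yml file exists
 - name: Check for labeler configuration
@@ -46,7 +46,7 @@ jobs:
 
 fi
 
-- uses: "actions/labeler@v5"
+- uses: "actions/labeler@v6"
 with:
 repo-token: "${{ secrets.GITHUB_TOKEN }}"
 configuration-path: "${{ steps.labeler-config.outputs.config }}"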
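--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,22 +1,23 @@
 name: Language Detection and Assignment
 
 on:
-pull_request:
-branches: [main]
-
+workflow_call:
+permissions:
+pull-requests: write
 env:
-GH_TOKEN: ${{ secrets.GH_AP_TOKEN }}
+GH_TOKEN: ${{ github.token }}
+GITHUB_EVENT_NUMBER: ${{ github.event.number }}
 jobs:
 detect-and-assign:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@v6
 
 - name: Detect languages
 id: detect-languages
 run: |
-FILES=$(gh pr diff --name-only ${{ github.event.number }} | sed 's/.*\.//')
+FILES=$(gh pr diff --name-only "$GITHUB_EVENT_NUMBER" | sed 's/.*\.//')
 echo "java=$(echo $FILES | grep -q "java" && echo true || echo false)" >> $GITHUB_OUTPUT
 echo "kotlin=$(echo $FILES | grep -q "kt" && echo true || echo false)" >> $GITHUB_OUTPUT
 echo "javascript=$(echo $FILES | grep -E "(js|jsx)" && echo true || echo false)" >> $GITHUB_OUTPUT
@@ -30,19 +31,19 @@ jobs:
 - name: Assign for Java, Kotlin, JavaScript, TypeScript, Go
 if: steps.detect-languages.outputs.java == 'true' || steps.detect-languages.outputs.kotlin == 'true' || steps.detect-languages.outputs.javascript == 'true' || steps.detect-languages.outputs.typescript == 'true' || steps.detect-languages.outputs.go == 'true'
 run: |
-gh pr edit ${{ github.event.number }} --add-reviewer adrienpessu
+gh pr edit "$GITHUB_EVENT_NUMBER" --add-reviewer adrienpessu
 
 - name: Assign for Python, Go, CodeQL, Rust
 if: steps.detect-languages.outputs.python == 'true' || steps.detect-languages.outputs.go == 'true' || steps.detect-languages.outputs.codeql == 'true' || steps.detect-languages.outputs.rust == 'true'
 run: |
-gh pr edit ${{ github.event.number }} --add-reviewer Geekmasher
+gh pr edit "$GITHUB_EVENT_NUMBER" --add-reviewer felickz
 
 - name: Assign for Python, JavaScript, TypeScript, CodeQL
 if: steps.detect-languages.outputs.python == 'true' || steps.detect-languages.outputs.javascript == 'true' || steps.detect-languages.outputs.typescript == 'true' || steps.detect-languages.outputs.codeql == 'true'
 run: |
-gh pr edit ${{ github.event.number }} --add-reviewer felickz
+gh pr edit "$GITHUB_EVENT_NUMBER" --add-reviewer felickz
 
 - name: Assign default
 if: steps.detect-languages.outputs.java != 'true' && steps.detect-languages.outputs.kotlin != 'true' && steps.detect-languages.outputs.javascript != 'true' && steps.detect-languages.outputs.typescript != 'true' && steps.detect-languages.outputs.go != 'true' && steps.detect-languages.outputs.codeql != 'true' && steps.detect-languages.outputs.python != 'true'
 run: |
-gh pr edit ${{ github.event.number }} --add-reviewer felickz --add-reviewer Geekmasher --add-reviewer adrienpessu
+gh pr edit "$GITHUB_EVENT_NUMBER" --add-reviewer felickz --add-reviewer adrienpessu --repo "$GITHUB_REPOSITORY"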
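Review bot: Only the `Assign default` step passes `--repo "$GITHUB_REPOSITORY"`; the three other `gh pr edit "$GITHUB_EVENT_NUMBER"` calls in the second hunk rely on `gh` resolving the repository from the checkout's git remote, which works but is implicit and now inconsistent within one file. Adding the flag to those lines too, e.g. `gh pr edit "$GITHUB_EVENT_NUMBER" --add-reviewer adrienpessu --repo "$GITHUB_REPOSITORY"`, makes all four calls behave the same way. Routing `github.event.number` through `GITHUB_EVENT_NUMBER` and switching `GH_TOKEN` from `secrets.GH_AP_TOKEN` to `github.token` are the right least-privilege moves, with the caveat that the installation token may not be able to resolve organisation teams as reviewers where the previous PAT could; the targets here are all individual users, so that only matters if teams are added later. Since the trigger is now `workflow_call`, `github.event.number` is populated only when the caller itself runs on a pull-request event; a caller on any other event leaves `GITHUB_EVENT_NUMBER` empty and every `gh pr edit ""` fails, which is worth stating in a comment above the `env:` block.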
