Merge f7bd08f into 13f669f

.github/workflows/megalinter.yml

@@ -0,0 +1,99 @@
+---
+name: MegaLinter
+
+# yamllint disable-line rule:truthy
+on:
+  # Triggers mega-linter when a pull_request event's activity type is opened, synchronize, or reopened by default.
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+env:
+  # Comment env block if you do not want to apply fixes
+  # Apply linter fixes configuration
+  APPLY_FIXES: none # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool)
+  APPLY_FIXES_EVENT: all # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all)
+  APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request)
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: MegaLinter
+    runs-on: ubuntu-latest
+    permissions: write-all
+    steps:
+      # Git Checkout
+      - name: Checkout Code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          fetch-depth: 0
+
+      # MegaLinter
+      - name: MegaLinter
+        id: ml
+        uses: oxsecurity/megalinter/flavors/javascript@bacb5f8674e3730b904ca4d20c8bd477bc51b1a7 # pin@v7.13.0
+        env:
+          VALIDATE_ALL_CODEBASE: true
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Upload MegaLinter artifacts
+      - name: Archive production artifacts
+        if: always()
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # pin@v3
+        with:
+          name: MegaLinter reports
+          path: |
+            megalinter-reports
+            megalinter-reports/megalinter.log
+
+      # Create pull request if applicable (for now works only on PR from same repository, not from forks)
+      - name: Create Pull Request with applied fixes
+        id: cpr
+        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+        uses: peter-evans/create-pull-request@4e1beaa7521e8b457b572c090b25bd3db56bf1c5 # pin@v5
+        with:
+          token: ${{ secrets.PAT || secrets.GITHUB_TOKEN }}
+          commit-message: "[MegaLinter] Apply linters automatic fixes"
+          title: "[MegaLinter] Apply linters automatic fixes"
+          labels: bot
+      - name: Create PR output
+        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'pull_request' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+        run: |
+          echo "Pull Request Number - ${{ steps.cpr.outputs.pull-request-number }}"
+          echo "Pull Request URL - ${{ steps.cpr.outputs.pull-request-url }}"
+
+      # Push new commit if applicable (for now works only on PR from same repository, not from forks)
+      - name: Prepare commit
+        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+        run: sudo chown -Rc $UID .git/
+      - name: Commit and push applied linter fixes
+        if: steps.ml.outputs.has_updated_sources == 1 && (env.APPLY_FIXES_EVENT == 'all' || env.APPLY_FIXES_EVENT == github.event_name) && env.APPLY_FIXES_MODE == 'commit' && github.ref != 'refs/heads/main' && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
+        uses: stefanzweifel/git-auto-commit-action@8621497c8c39c72f3e2a999a26b4ca1b5058a842 # pin@v5
+        with:
+          branch: ${{ github.event.pull_request.head.ref || github.head_ref || github.ref }}
+          commit_message: "[MegaLinter] Apply linters fixes"
+          commit_user_name: megalinter-bot
+          commit_user_email: nicolas.vuillamy@ox.security
+
+      - name: Check to see if the SARIF a was generated
+        id: sarif_file_exists
+        uses: andstor/file-existence-action@20b4d2e596410855db8f9ca21e96fbe18e12930b # pin@v2
+        with:
+          files: "megalinter-reports/megalinter-report.sarif"
+
+      - name: Upload MegaLinter scan results to GitHub Security tab
+        if: steps.sarif_file_exists.outputs.files_exists == 'true'
+        uses: github/codeql-action/upload-sarif@3e0e84636c6f5df46a2cb232ae1dd1384713150d # pin@v2
+        with:
+          sarif_file: "megalinter-reports/megalinter-report.sarif"

.github/workflows/pa11y.yml

@@ -1,16 +1,19 @@
+---
 name: Pa11y Testing
 
-on: [pull_request]
+# yamllint disable-line rule:truthy
+on: [ pull_request ]
 
 jobs:
   build:
     runs-on: ubuntu-latest
-    
+
     steps:
-      - uses: actions/checkout@v3
-
+      - name: Checkout repository
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+
       - name: Use Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # pin@v3
         with:
           node-version: '17.x'
 

.github/workflows/scorecard.yml

@@ -1,18 +1,22 @@
+---
 # This workflow uses actions that are not certified by GitHub. They are provided
 # by a third-party and are governed by separate terms of service, privacy
 # policy, and support documentation.
 
 name: Scorecard supply-chain security
+
+# yamllint disable-line rule:truthy
 on:
   # For Branch-Protection check. Only the default branch is supported. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
-  branch_protection_rule:
-  # To guarantee Maintained check is occasionally updated. See
+  branch_protection_rule: # To guarantee Maintained check is occasionally updated. See
+
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   schedule:
     - cron: '43 7 * * 3'
   push:
-    branches: [ "main" ]
+    branches:
+      - "main"
 
 # Declare default permissions as read only.
 permissions: read-all
@@ -32,12 +36,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4.1.7
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # pin@v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -59,14 +63,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # pin@v4.3.4
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # pin@v3
         with:
           sarif_file: results.sarif

.github/workflows/test.yml

@@ -2,18 +2,19 @@
 name: Build and Test
 
 # yamllint disable-line rule:truthy
-on: 
+on:
   pull_request:
 
+
 jobs:
   build:
     runs-on: ubuntu-latest
-    
+
     steps:
-      - uses: actions/checkout@v3
-      
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3
+
       - name: Use Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # pin@v3
         with:
           node-version: '17.x'
 
@@ -23,5 +24,5 @@ jobs:
       - name: Build site
         run: npm run build
 
-          #      - name: Run tests
-          #        run: npm run test
+#      - name: Run tests
+#        run: npm run test

.gitignore

@@ -120,3 +120,6 @@ web_modules/
 _site
 public
 node_modules
+
+megalinter-reports
+reports

.gitleaks.toml

@@ -0,0 +1,21 @@
+
+title = "gitleaks config"
+
+[extend]
+# useDefault will extend the base configuration with the default gitleaks config:
+# https://github.com/zricethezav/gitleaks/blob/master/config/gitleaks.toml
+useDefault = true
+
+[allowlist]
+    description = "Allowlisted files"
+    paths = [
+    '''.automation/test''',
+    '''megalinter-reports''',
+    '''.github/linters''',
+    '''node_modules''',
+    '''.mypy_cache''',
+    '''(.*?)gitleaks\.toml$''',
+    '''(?i)(.*?)(png|jpeg|jpg|gif|doc|docx|pdf|bin|xls|xlsx|pyc|zip)$''',
+    '''(go.mod|go.sum)$''']
+
+

.grype.yaml

@@ -0,0 +1,14 @@
+---
+fail-on-severity: "high"
+
+exclude:
+  - './node_modules/**'
+  - './.git/**'
+  - './.github/**'
+  - './_site/**'
+
+ignore:
+
+  # Ignored by default; disputed and unwarranted CVE that causes Megalinter to fail
+  # @link https://nvd.nist.gov/vuln/detail/CVE-2018-20225
+  - vulnerability: CVE-2018-20225

.markdown-link-check.json

@@ -0,0 +1,10 @@
+{
+  "retryOn429": true,
+  "retryCount": 5,
+  "aliveStatusCodes": [200, 203],
+  "ignorePatterns": [
+    {
+      "pattern": "^https?://github.com/"
+    }
+  ]
+}

.markdownlint.yaml

@@ -0,0 +1,27 @@
+---
+blanks-around-fences: false
+blanks-around-headings: false
+blanks-around-lists: false
+code-fence-style: false
+emphasis-style: false
+heading-start-left: false
+hr-style: false
+list-indent: false
+list-marker-space: false
+no-blanks-blockquote: false
+no-hard-tabs: false
+no-missing-space-atx: false
+no-missing-space-closed-atx: false
+no-multiple-blanks: false
+no-multiple-space-atx: false
+no-multiple-space-blockquote: false
+no-multiple-space-closed-atx: false
+no-trailing-spaces: false
+ol-prefix: false
+strong-style: false
+ul-indent: false
+
+MD013:
+  line_length: 999
+  heading_line_length: 999
+  code_block_line_length: 999

.mega-linter.yml

@@ -0,0 +1,57 @@
+---
+# don't test the reports Mega-Linter created, docs, or test files
+ADDITIONAL_EXCLUDED_DIRECTORIES: [
+  report,
+  megalinter-reports,
+  docs,
+  node_modules,
+  _site,
+]
+
+# don't lint test files or documentation
+FILTER_REGEX_EXCLUDE: (.venv/|/test/|\.test\.|_test\.|/docs/|/index.html|.github/.*\.html)
+
+# don't scan files listed in .gitignore (e.g., node_modules)
+IGNORE_GITIGNORED_FILES: true
+
+# Disable devskim as it's reporting an error with no log message
+DISABLE_LINTERS:
+  [
+    REPOSITORY_DEVSKIM,
+    SPELL_MISSPELL,
+    SPELL_CSPELL,
+    SPELL_PROSELINT,
+    COPYPASTE_JSCPD,
+    BASH_EXEC,
+  ]
+
+# only scan new / updated files, not everything
+VALIDATE_ALL_CODEBASE: true
+
+# don't print the alpaca -- it's cute, but we don't need it in the logs
+PRINT_ALPACA: false
+
+# write a SARIF file
+SARIF_REPORTER: true
+
+# don't fail on finding (yet)
+DISABLE_ERRORS: true
+
+# use prettier for JavaScript code formatting
+JAVASCRIPT_DEFAULT_STYLE: prettier
+
+# only scan the files in This commit, not the entire history of the repo
+REPOSITORY_GITLEAKS_ARGUMENTS: --no-git
+
+# don't lint the generated code in the docs/ directory
+REPOSITORY_DEVSKIM_ARGUMENTS: "--skip-git-ignored-files"
+
+# shfmt will..
+#   - use multiples of 2 spaces for indenting
+#   - alllow binary operations to start new lines
+#   - indent switch case statements
+#   - place spaces around redirections
+#   - keep column alignment padding
+BASH_SHFMT_ARGUMENTS: -i 2 -bn -ci -sr -kp
+
+REPOSITORY_TRUFFLEHOG_ARGUMENTS: "--exclude-paths=.trufflehogignore"