diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
index 4424391f04..c70914d399 100644
--- a/.github/workflows/audit.yml
+++ b/.github/workflows/audit.yml
@@ -21,7 +21,7 @@ jobs:
 audit:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Setup
 uses: ./tools/github-actions/setup
 - name: Audit
diff --git a/.github/workflows/clean-cache.yml b/.github/workflows/clean-cache.yml
index cf5c04c0a1..5ea4bed15b 100644
--- a/.github/workflows/clean-cache.yml
+++ b/.github/workflows/clean-cache.yml
@@ -10,6 +10,9 @@ on:
 branches:
 - '**'
+permissions:
+ contents: read
+
 jobs:
 clean-cache:
 runs-on: ubuntu-latest
@@ -17,10 +20,10 @@ jobs:
 actions: write
 contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Clean Branch Cache
 if: inputs.branch || github.event.ref_type == 'branch'
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 env:
 branchName: ${{ inputs.branch || github.event.ref }}
 hash: ${{ hashFiles('package.json', 'tsconfig.base.json', 'tsconfig.build.json', 'nx.json') }}
diff --git a/.github/workflows/code-check.yml b/.github/workflows/code-check.yml
index a287e93837..271cdbd65e 100644
--- a/.github/workflows/code-check.yml
+++ b/.github/workflows/code-check.yml
@@ -26,8 +26,8 @@ jobs:
 runs-on: ubuntu-latest
 continue-on-error: true
 steps:
- - uses: actions/checkout@master
- - uses: gaurav-nelson/github-action-markdown-link-check@v1
+ - uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master
+ - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
 with:
 base-branch: 'main'
 config-file: '.github/markdown-links.config.json'
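Review bot: The pinned checkout step keeps the default `persist-credentials: true`, so the job token remains in `.git/config` for the `./tools/github-actions/setup` composite and the Audit step that follow it, although nothing in this hunk pushes; `with: persist-credentials: false` on the checkout would limit that exposure. The same applies to the other checkout pins in this commit whose following steps only read the repository, and the new scorecards.yml already sets it, so the convention would be consistent. Whether a later step outside the hunk relies on the stored credential cannot be seen from here and should be checked before changing it.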
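Review bot: The replacement `actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master` pins a commit taken from a moving branch, and the `# master` annotation gives a reader nothing to verify the SHA against; the rest of the commit pins checkout to a release, so `- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1` here would be consistent and auditable. The `# v1` trailing comments on `gaurav-nelson/github-action-markdown-link-check` (here and in md-external-links-check.yml), `Azure/static-web-apps-deploy` (documentation.yml) and `dorny/test-reporter` (tests-reporter.yml) name a floating major tag rather than the release the SHA corresponds to, which defeats the purpose of the annotation for both reviewers and SHA-updating bots. Record the exact tag each commit resolves to, as done for the other actions in this commit.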
@@ -42,7 +42,7 @@ jobs:
 env:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: ${{ inputs.affected && '0' || '1' }}
 - name: Setup
@@ -51,7 +51,7 @@ jobs:
 with:
 install-jdk: 'true'
 - name: Cache Jest
- uses: actions/cache@v4
+ uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
 env:
 hash: ${{ hashFiles('package.json', 'tsconfig.base.json', 'tsconfig.build.json', 'nx.json') }}
 with:
@@ -71,7 +71,7 @@ jobs:
 - name: Publish tests reports
 if: always()
 # TODO upgrade to v4 when https://github.com/AmadeusITGroup/otter/issues/1198 is fixed
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: ut-reports-${{ matrix.os }}
 path: |
@@ -83,13 +83,13 @@ jobs:
 env:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: ${{ inputs.affected && '0' || '1' }}
 - name: Setup
 uses: ./tools/github-actions/setup
 - name: Cache Eslint
- uses: actions/cache@v4
+ uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
 with:
 path: .cache/eslint
 key: ${{ runner.os }}-eslint-${{ hashFiles('yarn.lock') }}
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 688d81906a..fad9833b47 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -26,6 +26,9 @@ on:
 schedule:
 - cron: '31 2 * * 6'
+permissions:
+ contents: read
+
 jobs:
 analyze:
 name: Analyze
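Review bot: The new workflow-level `permissions: contents: read` sets every unlisted scope of GITHUB_TOKEN to none, and the `analyze` job's own `permissions:` block is not visible in this hunk nor in the `@@ -43,19 +46,19 @@` hunk, so it should be confirmed that the job still declares `security-events: write`, which `github/codeql-action/analyze` needs to upload its SARIF results. A job-level block replaces the workflow default rather than extending it, so if the job already has one this change is harmless; if it has none, the job now runs with only `contents: read` and the upload will be rejected. In that case add `permissions:` with `security-events: write`, `contents: read` and `actions: read` to the job.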
@@ -43,19 +46,19 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
 with:
 languages: ${{ matrix.language }}
 config-file: ./.github/codeql/codeql-config.yml
 - name: Autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/deploy-showcase.yml b/.github/workflows/deploy-showcase.yml
index e6b1ed4b0c..45f72d7054 100644
--- a/.github/workflows/deploy-showcase.yml
+++ b/.github/workflows/deploy-showcase.yml
@@ -31,16 +31,16 @@ jobs:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/setup
 - name: build
 run: yarn nx build showcase
 - name: Setup Pages
- uses: actions/configure-pages@v4
+ uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0
 - name: Upload artifact
- uses: actions/upload-pages-artifact@v3
+ uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
 with:
 path: './apps/showcase/dist/browser'
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4.0.4
diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 20d3dbe08b..263b2d16d6 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -32,7 +32,7 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/setup
 - name: Generate doc
 run: yarn doc:generate
@@ -43,7 +43,7 @@ jobs:
 run: yarn update-package ${{ inputs.docFolder }}/package.json --name ${{ inputs.packageName }} --version ${{ inputs.version }}
 - run: zip -q -r ${{ inputs.artifactName }}.zip "${{ inputs.docFolder }}" -x "*/node_modules/*" ".cache/*"
 shell: bash
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: ${{ inputs.artifactName }}
 path: ${{ inputs.artifactName }}.zip
@@ -57,8 +57,8 @@ jobs:
 name: azure-static-webapp
 url: ${{ steps.deploy.outputs.static_web_app_url }}
 steps:
- - uses: actions/checkout@v4
- - uses: actions/download-artifact@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
 with:
 name: ${{ inputs.artifactName }}
 path: '.'
@@ -68,7 +68,7 @@ jobs:
 shell: bash
 - name: deploy
 id: deploy
- uses: Azure/static-web-apps-deploy@v1
+ uses: Azure/static-web-apps-deploy@c514ae36604047560e33605b78f71804967bfb7a # v1
 with:
 azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }}
 repo_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/e2e-tests.yml b/.github/workflows/e2e-tests.yml
index 336bfbd08f..bd1f4af93f 100644
--- a/.github/workflows/e2e-tests.yml
+++ b/.github/workflows/e2e-tests.yml
@@ -22,7 +22,7 @@ jobs:
 env:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/download-build-output
 - uses: ./tools/github-actions/setup
 - run: yarn playwright install
@@ -38,7 +38,7 @@ jobs:
 - name: Publish tests reports
 if: failure()
 # TODO upgrade to v4 when https://github.com/AmadeusITGroup/otter/issues/1198 is fixed
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: e2e-report
 path: apps/showcase/playwright-reports
diff --git a/.github/workflows/it-tests.yml b/.github/workflows/it-tests.yml
index f8a6beb075..853f671eac 100644
--- a/.github/workflows/it-tests.yml
+++ b/.github/workflows/it-tests.yml
@@ -22,7 +22,7 @@ jobs:
 env:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/download-build-output
 - uses: ./tools/github-actions/setup
 - name: Setup verdaccio once for all tests
@@ -37,7 +37,7 @@ jobs:
 run: zip -r verdaccio.zip ./.verdaccio
 shell: bash
 - name: Publish verdaccio storage
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: verdaccio
 path: verdaccio.zip
@@ -59,7 +59,7 @@ jobs:
 ENFORCED_PACKAGE_MANAGER: ${{ matrix.packageManager }}
 PREPARE_TEST_ENV_TYPE: ${{ matrix.testEnvironment }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/download-build-output
 - uses: ./tools/github-actions/setup
 - uses: ./.github/actions/setup-java
@@ -69,7 +69,7 @@ jobs:
 run: echo "currentMonth=$(date +'%Y-%m')" >> $GITHUB_ENV
 shell: bash
 - name: Cache test-app yarn
- uses: actions/cache@v4
+ uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
 with:
 path: |
 .cache/test-app
@@ -84,7 +84,7 @@ jobs:
 npm cache --cache=.cache/test-app/npm-cache ls | grep 127.0.0.1:4873 | xargs -d'\n' -r -n 1 npm cache --cache=.cache/test-app/npm-cache clean || true
 npx --yes -p replace-in-files-cli replace-in-files --regex=".*127.0.0.1:4873.*" --replacement="" ".cache/test-app/npm-cache/_cacache/index-v5/**/*"
 shell: bash
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
 name: Download verdaccio storage prepared in the previous job
 with:
 name: verdaccio
@@ -117,14 +117,14 @@ jobs:
 shell: bash
 - name: Publish generated tests environment on failure
 if: failure() && steps.it-tests.conclusion == 'failure'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: it-tests-${{ matrix.os }}-${{ matrix.packageManager }}
 path: it-tests.zip
 - name: Publish tests reports
 if: always()
 # TODO upgrade to v4 when https://github.com/AmadeusITGroup/otter/issues/1198 is fixed
- uses: actions/upload-artifact@v3
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
 with:
 name: it-reports-${{ matrix.os }}-${{ matrix.packageManager }}
 path: 'packages/**/dist-test/it-report.xml'
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1645039fe9..7d5deac6cc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -23,7 +23,7 @@ jobs:
 NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
 NX_SKIP_NX_CACHE: ${{ github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release') }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/setup
 - uses: ./.github/actions/setup-java
 with:
@@ -40,7 +40,7 @@ jobs:
 nextVersionTag: ${{ steps.newVersion.outputs.nextVersionTag }}
 isPreRelease: ${{ contains( steps.newVersion.outputs.nextVersionTag, '-' ) || github.event_name == 'pull_request' || github.event_name == 'merge_group'}}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - uses: ./tools/github-actions/setup
 - name: New Version
 if: github.event_name != 'merge_group'
diff --git a/.github/workflows/md-external-links-check.yml b/.github/workflows/md-external-links-check.yml
index 18ddfcf11d..c392a1a0bf 100644
--- a/.github/workflows/md-external-links-check.yml
+++ b/.github/workflows/md-external-links-check.yml
@@ -10,8 +10,8 @@ jobs:
 markdown-link-check:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: gaurav-nelson/github-action-markdown-link-check@v1
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1
 with:
 use-quiet-mode: 'yes'
 base-branch: 'main'
@@ -21,9 +21,9 @@ jobs:
 needs: [markdown-link-check]
 if: failure()
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: Create an issue
- uses: JasonEtco/create-an-issue@v2
+ uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 RUN_URL: ${{ format('https://github.com/{0}/actions/runs/{1}/attempts/{2}', github.repository, github.run_id, github.run_attempt || 1) }}
diff --git a/.github/workflows/pr-labels.yml b/.github/workflows/pr-labels.yml
index 47360f2a96..23d37a9a03 100644
--- a/.github/workflows/pr-labels.yml
+++ b/.github/workflows/pr-labels.yml
@@ -2,6 +2,9 @@ name: Pull Request Label
 on: pull_request
+permissions:
+ contents: read
+
 jobs:
 setup-label:
 runs-on: ubuntu-latest
@@ -10,7 +13,7 @@ jobs:
 permissions:
 pull-requests: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: 0
 - name: Setup
@@ -19,7 +22,7 @@ jobs:
 run: |
 LABELS="$(yarn pr-labels --target="${{ github.base_ref || github.ref_name }}")"
 echo "LABELS=$LABELS" >> $GITHUB_ENV
- - uses: actions/github-script@v7
+ - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 if: env.LABELS != '[]'
 continue-on-error: true
 with:
diff --git a/.github/workflows/publish-pr.yml b/.github/workflows/publish-pr.yml
index f12af1cdeb..e528855009 100644
--- a/.github/workflows/publish-pr.yml
+++ b/.github/workflows/publish-pr.yml
@@ -6,6 +6,9 @@ on:
 types:
 - completed
+permissions:
+ contents: read
+
 jobs:
 version:
 if: ${{ github.event.workflow_run.event == 'pull_request' }}
@@ -16,7 +19,7 @@ jobs:
 nextVersionTag: ${{ steps.newVersion.outputs.nextVersionTag }}
 steps:
 - name: get logs from workflow run
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 with:
 script: |
 let download = await github.rest.actions.downloadWorkflowRunAttemptLogs({
@@ -53,7 +56,7 @@ jobs:
 checks: write
 steps:
 - name: Update triggering workflow
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
 env:
 PUBLISH_RESULT: ${{ needs.publish-packages-pr.result }}
 with:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c29857d942..ca72f9c6a4 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -60,7 +60,7 @@ jobs:
 contents: read
 id-token: write
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: 2
 ref: ${{ inputs.gitRef }}
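Review bot: The added workflow-level `permissions: contents: read` in publish-pr.yml sets every other GITHUB_TOKEN scope to none, but the `version` job shown in the `@@ -16,7 +19,7 @@` hunk calls `github.rest.actions.downloadWorkflowRunAttemptLogs`, which reads the Actions API and so relied on the `actions: read` the token implicitly had before this change. Unless that job carries its own `permissions:` block, which is not visible in the hunk, the log download will now be refused; verify the job and, if it declares nothing, add `permissions:` with `actions: read` and `contents: read` at the job level. The job in the `@@ -53,7 +56,7 @@` hunk already declares `checks: write`, so its effective scopes are unchanged by the new default.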
@@ -89,7 +89,7 @@ jobs:
 APP_PATH: 'apps/github-cascading-app/dist'
 environment: 'cascading-app'
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: 2
 - uses: ./tools/github-actions/download-build-output
@@ -110,7 +110,7 @@ jobs:
 env:
 PUBLISH_PROFILE: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_8996AC226FB9456EA73A6B8439B12946 || secrets.CASCADING_AZURE_APP_PUBLISH_PROFILE }}
 if: env.PUBLISH_PROFILE != null && (github.base_ref == 'main' || github.ref_name == 'main')
- uses: Azure/functions-action@v1
+ uses: Azure/functions-action@238dc3c45bb1b04e5d16ff9e75cddd1d86753bd6 # v1.5.1
 with:
 app-name: 'github-cascading'
 slot-name: 'production'
@@ -124,7 +124,7 @@ jobs:
 packages: write
 contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 fetch-depth: 2
 - uses: ./tools/github-actions/download-build-output
@@ -140,7 +140,7 @@ jobs:
 CHROME_REFRESH_TOKEN: ${{ secrets.CHROME_REFRESH_TOKEN }}
 - name: Expose Chrome extension artifact
 if: '!inputs.prerelease'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
 name: chrome-extension
 path: apps/chrome-devtools/chrome-extension.zip
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
new file mode 100644
index 0000000000..b0ae368491
--- /dev/null
+++ b/.github/workflows/scorecards.yml
@@ -0,0 +1,76 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '20 7 * * 2'
+ push:
+ branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ contents: read
+ actions: read
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ egress-policy: audit
+
+ - name: "Checkout code"
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecards on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@928ff8c822d966a999092a6a35e32177899afb7c # v2.24.6
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/tests-reporter.yml b/.github/workflows/tests-reporter.yml
index e740fe9c60..3e8dad1697 100644
--- a/.github/workflows/tests-reporter.yml
+++ b/.github/workflows/tests-reporter.yml
@@ -10,7 +10,7 @@ jobs:
 publish-ut-reports:
 runs-on: ubuntu-latest
 steps:
- - uses: dorny/test-reporter@v1
+ - uses: dorny/test-reporter@a923ed8851f90a1509b334ca82bd1c5c13a02bb2 # v1
 with:
 artifact: /ut-reports(.*)/
 name: UT Tests report$1
@@ -20,7 +20,7 @@ jobs:
 publish-it-reports:
 runs-on: ubuntu-latest
 steps:
- - uses: dorny/test-reporter@v1
+ - uses: dorny/test-reporter@a923ed8851f90a1509b334ca82bd1c5c13a02bb2 # v1
 with:
 artifact: /it-reports(.*)/
 name: IT Tests report$1
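Review bot: The new scorecards.yml pins `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` and `github/codeql-action/upload-sarif@928ff8c822d966a999092a6a35e32177899afb7c # v2.24.6`, while the same commit pins checkout to v4.1.1 everywhere else and the codeql-action init/autobuild/analyze steps to v3.24.6 in codeql.yml; one pinned version per action across the repository is worth keeping, since a mixed set is exactly what SHA-update tooling and reviewers tend to overlook, and the v3.24.6 commit of codeql-action would serve `upload-sarif` here. `ossf/scorecard-action # v2.0.6` looks older than the template's current release and should be checked against the latest one, and the `upload-artifact # v3.1.3` step carries none of the `# TODO upgrade to v4 when https://github.com/AmadeusITGroup/otter/issues/1198 is fixed` note the other workflows use for the same pin. `egress-policy: audit` on harden-runner only records outbound connections; once the audit output shows which endpoints this job needs, `egress-policy: block` with an `allowed-endpoints` list is what turns the step into an actual control.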