Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Chore: Prepare TX 2412 E2E tests #247

Merged
merged 15 commits into from
Nov 5, 2024
Merged

Chore: Prepare TX 2412 E2E tests #247

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
a064862
chore(deps): bump peter-evans/dockerhub-description from 3.4.2 to 4.0.0
dependabot[bot] Jan 25, 2024
4aa009a
chore(deps): bump actions/checkout from 4.1.1 to 4.1.7
dependabot[bot] Jul 11, 2024
0dc6800
chore(deps): bump docker/build-push-action from 5.1.0 to 6.7.0
dependabot[bot] Aug 13, 2024
73d632a
chore(deps): bump github/codeql-action from 3.23.0 to 3.26.3
dependabot[bot] Aug 19, 2024
3cd8243
chore: upgrade to TX 24.12 release candidate versions.
drcgjung Oct 4, 2024
a8da8c2
Merge remote-tracking branch 'origin/dependabot/github_actions/main/d…
drcgjung Oct 4, 2024
9120b26
Merge remote-tracking branch 'origin/dependabot/github_actions/main/a…
drcgjung Oct 4, 2024
1014a41
Merge remote-tracking branch 'origin/dependabot/github_actions/main/p…
drcgjung Oct 4, 2024
d7dfd51
chore: align versions with dependabot.
drcgjung Oct 4, 2024
001a906
fix: upgrade to non-vulnerable protobuf version. Align alpine and cur…
drcgjung Oct 4, 2024
40e86ff
fix|core: deployment configuration in charts. Reference to JRE/JDK. U…
drcgjung Oct 4, 2024
18baf19
feature: upgrade to tx edc 0.8.0-rc4
drcgjung Oct 9, 2024
e230240
chore: update DEPs ... to rc/snapshot versions.
drcgjung Oct 9, 2024
5e44a87
chore: add secrets scanning workflow.
drcgjung Oct 9, 2024
9c8b531
chore: update DEPs after license check.
drcgjung Oct 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,7 +87,7 @@ jobs:

# Get the Code
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
submodules: recursive

Expand Down Expand Up @@ -142,11 +142,11 @@ jobs:
type=semver,pattern={{version}}
type=semver,pattern={{major}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=1.13.22-SNAPSHOT,enable=${{ github.event.inputs.deploy_docker == 'true' || github.ref == format('refs/heads/{0}', 'main') }}
type=raw,value=1.14.24-SNAPSHOT,enable=${{ github.event.inputs.deploy_docker == 'true' || github.ref == format('refs/heads/{0}', 'main') }}
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}

- name: Agent Plane Hashicorp Container Build and push
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
context: agent-plane/agentplane-hashicorp
file: agent-plane/agentplane-hashicorp/src/main/docker/Dockerfile
Expand Down Expand Up @@ -180,11 +180,11 @@ jobs:
type=semver,pattern={{version}}
type=semver,pattern={{major}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=1.13.22-SNAPSHOT,enable=${{ github.event.inputs.deploy_docker == 'true' || github.ref == format('refs/heads/{0}', 'main') }}
type=raw,value=1.14.24-SNAPSHOT,enable=${{ github.event.inputs.deploy_docker == 'true' || github.ref == format('refs/heads/{0}', 'main') }}
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}

- name: Agent Plane Azure Vault Container Build and push
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
context: agent-plane/agentplane-azure-vault/.
file: agent-plane/agentplane-azure-vault/src/main/docker/Dockerfile
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/dependencies.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ jobs:

# Get the Code
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
submodules: recursive

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/helm-chart-lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ jobs:
steps:
# get the code
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/helm-chart-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/kics.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,7 @@ jobs:
security-events: write

steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7


#
Expand All @@ -70,6 +70,6 @@ jobs:

- name: Upload SARIF file for GitHub Advanced Security Dashboard
if: always()
uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
uses: github/codeql-action/upload-sarif@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3
with:
sarif_file: kicsResults/results.sarif
8 changes: 4 additions & 4 deletions .github/workflows/trivy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ jobs:
contents: read
security-events: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
Expand All @@ -65,7 +65,7 @@ jobs:
output: "trivy-results-config.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
uses: github/codeql-action/upload-sarif@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3
if: always()
with:
sarif_file: "trivy-results-config.sarif"
Expand Down Expand Up @@ -99,7 +99,7 @@ jobs:
fi
exit 0

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

# Enable repository access (on main branch and version tags only)
- name: Login to GitHub Container Registry
Expand Down Expand Up @@ -132,6 +132,6 @@ jobs:

- name: Upload Trivy scan results to GitHub Security tab
if: success() && steps.imageCheck.outcome != 'failure'
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
uses: github/codeql-action/upload-sarif@883d8588e56d1753a8a58c1c86e88976f0c23449 # v3.26.3
with:
sarif_file: "trivy-results-${{ matrix.image }}.sarif"
41 changes: 41 additions & 0 deletions .github/workflows/trufflehog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
name: "TruffleHog"

on:
push:
branches: ["main"]
pull_request:
# The branches below must be a subset of the branches above
branches: ["main"]
schedule:
- cron: "0 0 * * *" # Once a day
workflow_dispatch:

permissions:
actions: read
contents: read
security-events: write
id-token: write
issues: write

jobs:
ScanSecrets:
name: Scan secrets
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
fetch-depth: 0 # Ensure full clone for pull request workflows

- name: TruffleHog OSS
id: trufflehog
uses: trufflesecurity/trufflehog@main

Check warning on line 32 in .github/workflows/trufflehog.yml

View workflow job for this annotation

GitHub Actions / Analyze

[MEDIUM] Unpinned Actions Full Length Commit SHA 

Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. When selecting a SHA, you should verify it is from the action's repository and not a repository fork.

Check warning

Code scanning / KICS

Unpinned Actions Full Length Commit SHA Warning

Action is not pinned to a full length commit SHA.
continue-on-error: true
with:
path: ./ # Scan the entire repository
base: "${{ github.event.repository.default_branch }}" # Set base branch for comparison (pull requests)
extra_args: --filter-entropy=4 --results=verified,unknown --debug

- name: Scan Results Status
if: steps.trufflehog.outcome == 'failure'
run: exit 1 # Set workflow run to failure if TruffleHog finds secrets
Loading
Loading