From 9d09370745d0381d472e28f2b400971b79d33652 Mon Sep 17 00:00:00 2001
From: PunGrumpy <108584943+PunGrumpy@users.noreply.github.com>
Date: Sun, 19 Nov 2023 01:34:07 +0700
Subject: [PATCH 1/7] ci(github-actions): forgot checkout code and update gitguardian version
---
.github/workflows/security.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index eb863e3..a188bb1 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -33,8 +33,10 @@ jobs: name: 🛡️ GitGuardian runs-on: ${{ matrix.os }} steps: + - name: 🛫 Checkout Code + uses: actions/checkout@v4 - name: 🦉 GitGuardian - uses: GitGuardian/ggshield-action@v1.20.0 + uses: GitGuardian/ggshield-action@v1.21.0 env: GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
From ef9c050e4dc44923c1b765c892be60916e9098eb Mon Sep 17 00:00:00 2001
From: PunGrumpy <108584943+PunGrumpy@users.noreply.github.com>
Date: Sun, 19 Nov 2023 01:37:10 +0700
Subject: [PATCH 2/7] ci(github-actions): update security workflows
---
.github/workflows/security.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index a188bb1..88a8ad9 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -16,6 +16,8 @@ jobs: name: 💂 Security runs-on: ${{ matrix.os }} steps: + - name: 🛫 Checkout Code + uses: actions/checkout@v4 - name: 🍄 TruffleHog OSS uses: trufflesecurity/trufflehog@main with:
From 0fc96a3ed8d06a21b658034a5549a681dd909535 Mon Sep 17 00:00:00 2001
From: PunGrumpy <108584943+PunGrumpy@users.noreply.github.com>
Date: Sun, 19 Nov 2023 01:39:12 +0700
Subject: [PATCH 3/7] ci(github-actions): remove git guardian (some error on api key)
---
.github/workflows/security.yml | 20 --------------------
1 file changed, 20 deletions(-)
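Review bot: The checkout step added in front of TruffleHog uses `actions/checkout@v4` with its default shallow clone, while the scan on the context lines below is a range scan from `base: ${{ github.event.repository.default_branch }}` to `head: HEAD`; in a depth-1 clone the commits between those refs are presumably not present locally, so the scan may cover far less history than intended. Give the checkout the full history, `with:` / `fetch-depth: 0`, and confirm against the action's documented checkout requirements. The preceding hunk adds the same shallow checkout to the GitGuardian job, whose range is driven by `github.event.before`, but that job is deleted again in patch 3, so nothing to change there.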
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 88a8ad9..1d14b85 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -25,23 +25,3 @@ jobs: base: ${{ github.event.repository.default_branch }} head: HEAD extra_args: --debug --only-verified - gitguardian: - concurrency: - group: security/${{ github.event.repository.name }} - strategy: - fail-fast: false - matrix: - os: [ubuntu-latest] - name: 🛡️ GitGuardian - runs-on: ${{ matrix.os }} - steps: - - name: 🛫 Checkout Code - uses: actions/checkout@v4 - - name: 🦉 GitGuardian - uses: GitGuardian/ggshield-action@v1.21.0 - env: - GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }} - GITHUB_PUSH_BASE_SHA: ${{ github.event.base }} - GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }} - GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} - GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
From 76898afff87de8860ebbbc8d372f8eaa7cfc2378 Mon Sep 17 00:00:00 2001
From: PunGrumpy <108584943+PunGrumpy@users.noreply.github.com>
Date: Sun, 19 Nov 2023 01:46:08 +0700
Subject: [PATCH 4/7] ci(github-actions): use trivy and remove upload artifact
---
.github/trivy.yaml | 3 +++
.github/workflows/ci.yml | 11 -----------
.github/workflows/security.yml | 22 ++++++++++++++++++++--
3 files changed, 23 insertions(+), 13 deletions(-)
create mode 100644 .github/trivy.yaml
diff --git a/.github/trivy.yaml b/.github/trivy.yaml
new file mode 100644
index 0000000..6f03f1c
--- /dev/null
+++ b/.github/trivy.yaml
@@ -0,0 +1,3 @@
+format: json
+exit-code: 1
+severity: CRITICAL
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 301e544..e8701ec 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
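Review bot: In the new `.github/trivy.yaml`, `severity: CRITICAL` filters the report itself, so HIGH findings are neither shown nor counted toward `exit-code: 1`; if a CRITICAL-only gate is deliberate, say so in a comment above the key (`# Gate on CRITICAL only; HIGH is filtered out of the report, not just the exit code`), otherwise extend the severity list to include HIGH. `format: json` with no `output` key means the whole JSON report is printed into the job log and kept nowhere else; for a log-only gate `format: table` is what a reader can actually use, and if the JSON is wanted for tooling it should go to a file that a later step uploads. The preceding hunk is a pure deletion of the gitguardian job and needs no note.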
@@ -47,12 +47,6 @@ jobs: run: bun install - name: ⚖️ Lint run: bun lint - - name: 🎅 Upload Artifacts - uses: actions/upload-artifact@v3 - if: ${{ steps.cache-bun.outputs.cache-hit != 'true' }} - with: - name: bun-cache - path: ~/.bun release: strategy: fail-fast: false
@@ -95,11 +89,6 @@ jobs: runs-on: ${{ matrix.os }} if: failure() steps: - - name: 🎁 Download Artifacts - uses: actions/download-artifact@v3 - with: - name: bun-cache - path: ~/.bun - name: 🕋 Send Issue uses: JasonEtco/create-an-issue@v2 id: send-issue
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 1d14b85..9e9091a 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -13,15 +13,33 @@ jobs: fail-fast: false matrix: os: [ubuntu-latest] - name: 💂 Security + name: 🍄 TruffleHog OSS runs-on: ${{ matrix.os }} steps: - name: 🛫 Checkout Code uses: actions/checkout@v4 - - name: 🍄 TruffleHog OSS + - name: 🐷 TruffleHog OSS uses: trufflesecurity/trufflehog@main with: path: ./ base: ${{ github.event.repository.default_branch }} head: HEAD extra_args: --debug --only-verified + trivy: + concurrency: + group: security/${{ github.event.repository.name }} + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest] + name: 🐳 Trivy + runs-on: ${{ matrix.os }} + steps: + - name: 🛫 Checkout Code + uses: actions/checkout@v4 + - name: 🐳 Trivy + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + trivy-config: .github/trivy.yaml
From ff9f623facf4b7f669e3373c662cd9ae56603048 Mon Sep 17 00:00:00 2001
From: PunGrumpy <108584943+PunGrumpy@users.noreply.github.com>
Date: Sun, 19 Nov 2023 01:51:33 +0700
Subject: [PATCH 5/7] ci(github-actions): update event workflow dispatch
---
.github/workflows/cd.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 124e54c..bbe9889 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
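Review bot: The new Trivy step in security.yml pulls a third-party action from a mutable branch, `uses: aquasecurity/trivy-action@master`, so every run executes whatever that branch holds at that moment against the freshly checked-out repository; pin it to a release tag or, better, a full commit SHA with the version noted beside it (`uses: aquasecurity/trivy-action@<commit-sha>  # vX.Y.Z`, placeholder values). The TruffleHog step on the context line above, `trufflesecurity/trufflehog@main`, has the same exposure and should be pinned in the same pass. The trivy job also reuses `group: security/${{ github.event.repository.name }}`, the group the deleted gitguardian job had and presumably the trufflehog job's too (its `concurrency` block starts above the hunk); two jobs of one run in the same group serialise and a newer run cancels whichever is still pending, so a per-job group such as `security-trivy/${{ github.event.repository.name }}` keeps both scans running. The two ci.yml hunks are pure deletions of the artifact upload/download steps and need no note.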
@@ -3,6 +3,7 @@ on: push: tags: - 'v*.*.*' + workflow_dispatch: env: SCOPRE_OWNER: '@pungrumpy' jobs:
From 8ebca67ffbcded4347ef7d5f929781470f20efbe Mon Sep 17 00:00:00 2001
From: PunGrumpy <108584943+PunGrumpy@users.noreply.github.com>
Date: Sun, 19 Nov 2023 08:19:34 +0700
Subject: [PATCH 6/7] ci(github-actions): fix condition on release job
---
.github/workflows/ci.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e8701ec..702a729 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -52,7 +52,7 @@ jobs: fail-fast: false matrix: os: [ubuntu-latest] - if: ${{ github.event_name == 'push' }} + if: ${{ github.ref == 'refs/heads/main' }} && !contains(github.event.head_commit.message, '[skip ci]') name: 🚀 Release permissions: contents: write
From 85833d66668faa3c69f6ea96958b79f1527bd6ef Mon Sep 17 00:00:00 2001
From: PunGrumpy <108584943+PunGrumpy@users.noreply.github.com>
Date: Sun, 19 Nov 2023 08:22:15 +0700
Subject: [PATCH 7/7] ci(github-actions): remove package name and use by default
---
.github/workflows/ci.yml | 1 -
1 file changed, 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 702a729..a0348da 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -66,7 +66,6 @@ jobs: with: release-type: node token: ${{ secrets.GITHUB_TOKEN }} - package-name: logixlysia - name: 🔔 Checkout uses: actions/checkout@v4 - name: 🏷️ Tag stable versions
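Review bot: Adding `workflow_dispatch:` to cd.yml lets the release workflow run from whatever branch the person dispatching it picks, while the existing trigger is `tags: - 'v*.*.*'`; any job below that derives a version or artefact name from `github.ref` would then see a branch ref instead of a tag (the jobs are outside this hunk, so this is inferred). Either guard the release steps with `if: startsWith(github.ref, 'refs/tags/')` or give the dispatch an explicit `inputs:` entry for the version so a manual run is unambiguous. The context line `SCOPRE_OWNER: '@pungrumpy'` reads like a typo for `SCOPE_OWNER`, but renaming it is outside this hunk and would need every reader of the variable updated in the same change.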
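Review bot: The new release gate in ci.yml, `if: ${{ github.ref == 'refs/heads/main' }} && !contains(github.event.head_commit.message, '[skip ci]')`, mixes a `${{ }}` block with bare expression text; GitHub only evaluates the value as one expression when the `${{ }}` is the whole value, otherwise the block is substituted and the remainder stays text, which actionlint reports as a condition that is always true because of the extra characters around `${{ }}` — so the job would no longer be gated on main at all. Put everything inside a single expression: `if: ${{ github.ref == 'refs/heads/main' && !contains(github.event.head_commit.message, '[skip ci]') }}`. Note also that `github.ref == 'refs/heads/main'` replaces the old `github.event_name == 'push'` test, so a `workflow_dispatch` run on main now also releases, and `head_commit` is not populated on that event; if that is not intended, keep `github.event_name == 'push'` inside the same expression. The final hunk of patch 7 is a pure deletion of `package-name` and needs no note.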