Merge branch 'main' into amtenableflag

open-amt-cloud-toolkit · Oct 23, 2023 · 1019e25 · 1019e25
2 parents c1aeeab + c37d681
commit 1019e25
Show file tree

Hide file tree

Showing 62 changed files with 5,806 additions and 1,347 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,3 +9,18 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "daily"
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /samples/dotnet
+    schedule:
+      interval: daily
diff --git a/.github/workflows/azureBoardsSync.yaml b/.github/workflows/azureBoardsSync.yaml
@@ -9,7 +9,12 @@ jobs:
   alert:
     runs-on: ubuntu-latest
     steps:
-      - uses: danhellem/[email protected]
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - uses: danhellem/github-actions-issue-to-work-item@3072da42abf94ebe4c7778c57fb4af06db341c72 # v2.2
         env:
           ado_token: "${{ secrets.ADO_PERSONAL_ACCESS_TOKEN }}"
           ado_organization: "rbheBoards"

diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
@@ -5,16 +5,24 @@ on:
   pull_request:
     branches: [ main ]
   workflow_dispatch:
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with: 
           fetch-depth: 0
       - run: docker run -v $PWD:/workdir quay.io/git-chglog/git-chglog:0.15.1 --next-tag vNext --output CHANGELOG-new.md vNext.. 
       - name: GitHub Upload Release Artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: CHANGELOG-new.md
           path: |

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -14,6 +14,9 @@ on:
   schedule:
     - cron: '39 3 * * 2'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
@@ -32,17 +35,22 @@ jobs:
         # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
       with:
         languages: ${{ matrix.language }}
 
     - run: |
         make build
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
diff --git a/.github/workflows/docker-ci.yml b/.github/workflows/docker-ci.yml
@@ -8,19 +8,29 @@ name: Docker Image CI
 on:
   push:
     branches: [ main ]
+    tags:
+      - '*'
   pull_request:
     branches: [ main ]
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Build the Docker image
         run: docker build -f "Dockerfile" --tag vprodemo.azurecr.io/rpc-go:${{ github.sha }} --tag vprodemo.azurecr.io/rpc-go:latest .
       - name: Docker Login
         if: ${{ github.ref == 'refs/heads/main' }}      
-        uses: docker/login-action@v1.6.0
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           registry: vprodemo.azurecr.io
           username: ${{ secrets.DOCKER_USERNAME }}
@@ -31,4 +41,7 @@ jobs:
         run: docker push vprodemo.azurecr.io/rpc-go:${{ github.sha }}
       - name: Push the Docker image to the registry
         if: ${{ github.ref == 'refs/heads/main' }}      
-        run: docker push vprodemo.azurecr.io/rpc-go:latest
+        run: docker push vprodemo.azurecr.io/rpc-go:latest
+      - name: Push the Docker image to the registry
+        if: startsWith(github.ref, 'refs/tags/v')
+        run: docker image tag vprodemo.azurecr.io/rpc-go:${GITHUB_REF#refs/tags/} && docker push vprodemo.azurecr.io/rpc-go:${GITHUB_REF#refs/tags/}
diff --git a/.github/workflows/dotnet.yml b/.github/workflows/dotnet.yml
@@ -6,14 +6,22 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-20.04
 
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+      with:
+        egress-policy: audit
+
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Setup .NET
-      uses: actions/setup-dotnet@v2
+      uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0
       with:
         dotnet-version: 6.0.x
     - name: Build rpc as library

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -17,6 +17,9 @@ on:
   workflow_dispatch:
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
+permissions:
+  contents: read
+
 jobs:
   # This workflow contains a single job called "build"
   build:
@@ -28,7 +31,12 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Format
         if: ${{ matrix.os == 'ubuntu-20.04' }}
         run: if [ "$(gofmt -s -l . | wc -l)" -gt 0 ]; then exit 1; fi        
@@ -45,7 +53,7 @@ jobs:
       - name: run the tests with coverage
         run: go test ./... -coverprofile=coverage.out -covermode=atomic
 
-      - uses: codecov/codecov-action@894ff025c7b54547a9a2a1e9f228beae737ad3c2 # v3.1.3
+      - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
         if: ${{ matrix.os == 'ubuntu-20.04' }}
         name: Upload Coverage Results
 
@@ -60,7 +68,7 @@ jobs:
         run: go build -o rpc ./cmd
 
       - name: GitHub Upload Release Artifacts
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: ${{ matrix.os == 'ubuntu-20.04' }}
         with:
           name: rpc-go-unit

diff --git a/.github/workflows/projectsSync.yaml b/.github/workflows/projectsSync.yaml
@@ -5,12 +5,20 @@ on:
     types:
       - opened
 
+permissions:
+  contents: read
+
 jobs:
   add-to-project:
     name: Add issue to project
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/[email protected]
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/add-to-project@31b3f3ccdc584546fc445612dec3f38ff5edb41c # v0.5.0
         with:
           project-url: https://github.com/orgs/open-amt-cloud-toolkit/projects/5
           github-token: ${{ secrets.PROJECTS_PAT }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,80 @@
+#*********************************************************************
+# Copyright (c) Intel Corporation 2023
+# SPDX-License-Identifier: Apache-2.0
+#*********************************************************************/
+
+# This workflow will release new versions when required using semantic-release
+
+name: Semantic-Release CI
+
+on:
+  push:
+    branches: [ main ]
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Docker Login
+        if: ${{ github.ref == 'refs/heads/main' }}      
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: vprodemo.azurecr.io
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          logout: true
+
+      - name: Semantic Release
+        uses: cycjimmy/semantic-release-action@61680d0e9b02ff86f5648ade99e01be17f0260a4 # v4.0.0
+        with:
+          semantic_version: 19.0.5  # It is recommended to specify specifying version range
+                                      # for semantic-release.
+          extra_plugins: |
+              @semantic-release/[email protected]
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # the .nextVersion file will be created by semantic-release
+      - name: Get Next Version
+        id: version
+        run: |
+          if [ -f .nextVersion ]; then
+            echo "next=$(cat .nextVersion)" >> "$GITHUB_OUTPUT"
+          else
+            echo "next=none" >> "$GITHUB_OUTPUT"
+          fi
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        if: ${{ steps.version.outputs.next != 'none' }}
+        with:
+          repository: open-amt-cloud-toolkit/e2e-testing
+          ref: docker-release
+          clean: true
+          token: ${{ secrets.DOCKER_RELEASE_PAT }}
+
+      - name: Create docker-release @ ${{ steps.version.outputs.next }}
+        if: ${{ steps.version.outputs.next != 'none' }}
+        env:
+          RELEASE_YAML: release/rpc-go.yml
+          NEXT_VERSION: ${{ steps.version.outputs.next }}
+        run: |
+          echo "Releasing ${{ github.repository }}@$NEXT_VERSION"
+          if [ "$NEXT_VERSION" != "" ]; then
+            CURRENT_VERSION=$(sed -nre 's/(.*):v[0-9]*(([0-9]+\.)*[0-9]+).*/v\2/p' $RELEASE_YAML)
+            sed -i "s/$CURRENT_VERSION/$NEXT_VERSION/g" $RELEASE_YAML
+            echo "========================="
+            git config --local user.email "github-actions[bot]@users.noreply.github.com"
+            git config --local user.name "github-actions[bot]"
+            git status
+            git add .
+            git commit -m "release(rpc-go): automated release of $NEXT_VERSION @ ${GITHUB_SHA::7}"
+            git push origin docker-release
+          fi
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -31,13 +31,18 @@ jobs:
       # actions: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
       - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -59,14 +64,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.0
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
+        uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.1.27
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/semantic.yml b/.github/workflows/semantic.yml
@@ -8,14 +8,19 @@ jobs:
     name: Validate PR and Commits
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
-      - uses: wagoid/commitlint-github-action@v4
+      - uses: wagoid/commitlint-github-action@6319f54d83768b60acd6fd60e61007ccc583e62f # v5.4.3
         with:
           configFile: .github/commitlint.config.js
       - name: Install Dependencies
         run: npm install @commitlint/config-conventional
-      - uses: JulienKode/[email protected]
+      - uses: JulienKode/pull-request-name-linter-action@8c05fb989d9f156ce61e33754f9802c9d3cffa58 # v0.5.0
         with:
           configuration-path: ./.github/commitlint.config.js
diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
@@ -6,17 +6,25 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [ main ]
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - name: Harden Runner
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Build the Docker image
 
         run: docker build . --file Dockerfile --tag vprodemo.azurecr.io/rpc-go:${{ github.sha }} --tag vprodemo.azurecr.io/rpc-go:latest
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # master
         with:
           image-ref: 'vprodemo.azurecr.io/rpc-go:${{ github.sha }}'
           format: 'table'