diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index bba71a575..59ef81ad3 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,119 +1,118 @@ - version: 2 updates: - - package-ecosystem: "npm" - schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/" + - package-ecosystem: 'npm' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/' + + - package-ecosystem: 'npm' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/packages/ide/jetbrains' + + - package-ecosystem: 'npm' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/packages/language' + + - package-ecosystem: 'npm' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/packages/misc/redwood' + + - package-ecosystem: 'npm' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/packages/plugins/openapi' + + - package-ecosystem: 'npm' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/packages/plugins/swr' + + - package-ecosystem: 'npm' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/packages/plugins/tanstack-query' + + - package-ecosystem: 'npm' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/packages/plugins/trpc' + + - package-ecosystem: 'npm' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/packages/runtime' + + - package-ecosystem: 'npm' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/packages/sdk' + + - 
package-ecosystem: 'npm' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/packages/server' - - package-ecosystem: "npm" - schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/packages/ide/jetbrains" - - - package-ecosystem: "npm" - schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/packages/language" - - - package-ecosystem: "npm" - schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/packages/misc/redwood" - - - package-ecosystem: "npm" - schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/packages/plugins/openapi" - - - package-ecosystem: "npm" - schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/packages/plugins/swr" - - - package-ecosystem: "npm" - schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/packages/plugins/tanstack-query" - - - package-ecosystem: "npm" - schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/packages/plugins/trpc" - - - package-ecosystem: "npm" - schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/packages/runtime" - - - package-ecosystem: "npm" - schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/packages/sdk" - - - package-ecosystem: "npm" - schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/packages/server" - - - package-ecosystem: "npm" - 
schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/packages/testtools" + - package-ecosystem: 'npm' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/packages/testtools' - - package-ecosystem: "github-actions" - schedule: - interval: "daily" - time: "02:00" - commit-message: - prefix: ":arrow_up: maint" - include: scope - directory: "/" \ No newline at end of file + - package-ecosystem: 'github-actions' + schedule: + interval: 'daily' + time: '02:00' + commit-message: + prefix: ':arrow_up: maint' + include: scope + directory: '/' diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml index 54a3cb45d..368551623 100644 --- a/.github/workflows/build-test.yml +++ b/.github/workflows/build-test.yml @@ -8,22 +8,22 @@ env: DO_NOT_TRACK: '1' on: - merge_group: - push: - branches: - - main - - dev - - release/* - - v2 - pull_request: - branches: - - main - - dev - - release/* - - v2 + merge_group: + push: + branches: + - main + - dev + - release/* + - v2 + pull_request: + branches: + - main + - dev + - release/* + - v2 permissions: - contents: read + contents: read jobs: build-test: diff --git a/.github/workflows/security-defender-for-devops.yml b/.github/workflows/security-defender-for-devops.yml index dc32fc584..526cebf1e 100644 --- a/.github/workflows/security-defender-for-devops.yml +++ b/.github/workflows/security-defender-for-devops.yml 
@@ -1,9 +1,3 @@ - -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. -# # Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. # MSDO installs, configures and runs the latest versions of static analysis tools # (including, but not limited to, SDL/security and compliance tools). 
@@ -20,53 +14,53 @@ name: Security - Microsoft Defender For Devops on: - merge_group: - push: - branches: - - main - - dev - - release/* - - v2 - pull_request: - branches: - - main - - dev - - release/* - - v2 - schedule: - - cron: '34 12 * * 0' + merge_group: + push: + branches: + - main + - dev + - release/* + - v2 + pull_request: + branches: + - main + - dev + - release/* + - v2 + schedule: + - cron: '34 12 * * 0' permissions: - contents: read - security-events: read + contents: read + security-events: read jobs: - MSDO: - # currently only windows latest is supported - runs-on: windows-latest - permissions: - security-events: write + MSDO: + # currently only windows latest is supported + runs-on: windows-latest + permissions: + security-events: write - steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit + steps: + - name: Harden Runner + uses: step-security/harden-runner@v2.6.1 + with: + egress-policy: audit - # checks out the repository - - uses: actions/checkout@v4 + # checks out the repository + - uses: actions/checkout@v4 - - uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0 - with: - dotnet-version: | - 5.0.x - 6.0.x + - uses: actions/setup-dotnet@v3.2.0 + with: + dotnet-version: | + 5.0.x + 6.0.x - - name: Run Microsoft Security DevOps - uses: microsoft/security-devops-action@v1.6.0 - id: msdo + - name: Run Microsoft Security DevOps + uses: microsoft/security-devops-action@v1.6.0 + id: msdo - - name: Upload results to Security tab - uses: github/codeql-action/upload-sarif@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12 - with: - sarif_file: ${{ steps.msdo.outputs.sarifFile }} + - name: Upload results to Security tab + uses: github/codeql-action/upload-sarif@v2.22.12 + with: + sarif_file: ${{ steps.msdo.outputs.sarifFile }} 
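Review bot: The new side of this hunk downgrades three supply-chain pins: `step-security/harden-runner`, `actions/setup-dotnet` and `github/codeql-action/upload-sarif` move from a full commit SHA with a `# vX.Y.Z` comment to a bare tag (`@v2.6.1`, `@v3.2.0`, `@v2.22.12`), and a tag is mutable, so a force-moved or compromised tag would run different code in a job that holds `security-events: write`. Keep the SHA and carry the version in the trailing comment, e.g. `uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1`, which is the form Dependabot's `github-actions` entry and Scorecard's Pinned-Dependencies check both understand. `microsoft/security-devops-action@v1.6.0` and `actions/checkout@v4` were already tag-referenced before this change and would benefit from the same treatment, and `egress-policy: audit` only logs outbound traffic rather than blocking it, which is worth a comment if that is intentional for a Windows-only scanner.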
diff --git a/.github/workflows/security-dependency-review.yml b/.github/workflows/security-dependency-review.yml index 17b0f0506..09018a429 100644 --- a/.github/workflows/security-dependency-review.yml +++ b/.github/workflows/security-dependency-review.yml @@ -1,4 +1,3 @@ - # Dependency Review Action # # This Action will scan dependency manifest files that change as part of a Pull Request, @@ -8,28 +7,27 @@ # # Source repository: https://github.com/actions/dependency-review-action name: Security - Dependency Review -on: - merge_group: - pull_request: +on: + merge_group: + pull_request: permissions: - contents: read + contents: read jobs: - dependency-review: - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@v2.6.1 + with: + egress-policy: audit - # checks out the repository - - uses: actions/checkout@v4 - with: - submodules: 'recursive' - token: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account. + # checks out the repository + - uses: actions/checkout@v4 + with: + submodules: 'recursive' + token: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account. - - name: 'Dependency Review' -+ uses: actions/dependency-review-action@v2.5.1 - uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v2.5.1 diff --git a/.github/workflows/security-ossar.yml b/.github/workflows/security-ossar.yml index 10db124ae..244f2b147 100644 --- a/.github/workflows/security-ossar.yml +++ b/.github/workflows/security-ossar.yml 
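Review bot: In the `@@ -8,28 +7,27 @@` hunk the `actions/dependency-review-action` and `step-security/harden-runner` steps lose their commit-SHA pins and are left on mutable tags (`@v2.5.1`, `@v2.6.1`); removing the stray duplicated `+ uses:` line was right, but the surviving line should keep the SHA, e.g. `uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1`. A dependency-review job that itself runs an unpinned third-party action undercuts the check it performs. Separately, the checkout passes `secrets.BOT_TOKEN` (a PAT) with `submodules: 'recursive'` for a job that only needs to read manifests; if the PAT is only there for private submodules, a comment saying so would help, and on `pull_request` runs from forks the `|| github.token` fallback is what will actually be used.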
@@ -1,4 +1,3 @@ - # This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support 
@@ -10,66 +9,66 @@ name: Security - OSSAR on: - merge_group: - push: - branches: - - main - - dev - - release/* - - v2 - pull_request: - branches: - - main - - dev - - release/* - - v2 - schedule: - - cron: '41 3 * * 5' + merge_group: + push: + branches: + - main + - dev + - release/* + - v2 + pull_request: + branches: + - main + - dev + - release/* + - v2 + schedule: + - cron: '41 3 * * 5' permissions: - contents: read + contents: read jobs: - OSSAR-Scan: - runs-on: windows-latest - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + OSSAR-Scan: + runs-on: windows-latest + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit + steps: + - name: Harden Runner + uses: step-security/harden-runner@v2.6.1 + with: + egress-policy: audit - - name: Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@6705383eabd01833acfe8412ec697384830e1455 # v1.8.7 - with: - github_token: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account. - comment_on_pr: false - theme: dark - proc_trace_sys_enable: true + - name: Workflow Telemetry + uses: catchpoint/workflow-telemetry-action@v1.8.7 + with: + github_token: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account. 
+ comment_on_pr: false + theme: dark + proc_trace_sys_enable: true - # checks out the repository - - uses: actions/checkout@v4 - with: - submodules: 'recursive' - token: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account. + # checks out the repository + - uses: actions/checkout@v4 + with: + submodules: 'recursive' + token: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account. - - uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3.2.0 - with: - dotnet-version: | - 5.0.x - 6.0.x + - uses: actions/setup-dotnet@v3.2.0 + with: + dotnet-version: | + 5.0.x + 6.0.x - # Run open source static analysis tools - - name: Run OSSAR - uses: github/ossar-action@v1 - id: ossar + # Run open source static analysis tools + - name: Run OSSAR + uses: github/ossar-action@v1 + id: ossar - # Upload results to the Security tab - - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12 - with: - sarif_file: ${{ steps.ossar.outputs.sarifFile }} + # Upload results to the Security tab + - name: Upload OSSAR results + uses: github/codeql-action/upload-sarif@v2.22.12 + with: + sarif_file: ${{ steps.ossar.outputs.sarifFile }} diff --git a/.github/workflows/security-scorecard.yml b/.github/workflows/security-scorecard.yml index 1222d331c..2e8dd159a 100644 --- a/.github/workflows/security-scorecard.yml +++ b/.github/workflows/security-scorecard.yml 
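Review bot: This hunk replaces the commit-SHA pins on `step-security/harden-runner`, `catchpoint/workflow-telemetry-action`, `actions/setup-dotnet` and `github/codeql-action/upload-sarif` with plain tags, which weakens the pin on every third-party step in the job. The `workflow-telemetry-action` step is the most exposed because it is handed `secrets.BOT_TOKEN`, a PAT for an automation account, so an action reference that can be moved under you is a direct path to that credential; restore the SHA form, e.g. `uses: catchpoint/workflow-telemetry-action@6705383eabd01833acfe8412ec697384830e1455 # v1.8.7`, and consider whether the telemetry step needs the PAT at all rather than `github.token`. `github/ossar-action@v1` was already a floating major tag before this change and could be pinned the same way while you are here.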
@@ -1,81 +1,77 @@ - - - # This workflow uses actions that are not certified by GitHub. They are provided # by a third-party and are governed by separate terms of service, privacy # policy, and support documentation. name: Security - Scorecard supply-chain security on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained - schedule: - - cron: '21 9 * * 6' - push: - branches: - - main - - dev + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '21 9 * * 6' + push: + branches: + - main + - dev # Declare default permissions as read only. -permissions: - contents: read +permissions: + contents: read jobs: - analysis: - name: Scorecard analysis - runs-on: ubuntu-latest - permissions: - # Needed to upload the results to code-scanning dashboard. - security-events: write - # Needed to publish results and get a badge (see publish_results below). - id-token: write - # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. 
+ # contents: read + # actions: read - steps: - - name: Harden Runner - uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 - with: - egress-policy: audit + steps: + - name: Harden Runner + uses: step-security/harden-runner@v2.6.1 + with: + egress-policy: audit - - name: Workflow Telemetry - uses: catchpoint/workflow-telemetry-action@6705383eabd01833acfe8412ec697384830e1455 # v1.8.7 - with: - github_token: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account. - comment_on_pr: false - theme: dark - proc_trace_sys_enable: true + - name: Workflow Telemetry + uses: catchpoint/workflow-telemetry-action@v1.8.7 + with: + github_token: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account. + comment_on_pr: false + theme: dark + proc_trace_sys_enable: true - # checks out the repository - - uses: actions/checkout@v4 - with: - submodules: 'recursive' - token: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account. + # checks out the repository + - uses: actions/checkout@v4 + with: + submodules: 'recursive' + token: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account. - - name: "Run analysis" -+ uses: ossf/scorecard-action@v2.1.2 - uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 - with: - results_file: results.sarif - results_format: sarif - repo_token: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account. - publish_results: true + - name: 'Run analysis' + uses: ossf/scorecard-action@v2.1.2 + with: + results_file: results.sarif + results_format: sarif + repo_token: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account. + publish_results: true - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. 
- - name: "Upload artifact" - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 - with: - name: SARIF file - path: results.sarif - retention-days: 5 + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: 'Upload artifact' + uses: actions/upload-artifact@v3.1.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 - # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 - with: - sarif_file: results.sarif + # Upload the results to GitHub's code scanning dashboard. + - name: 'Upload to code-scanning' + uses: github/codeql-action/upload-sarif@v2.2.4 + with: + sarif_file: results.sarif
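Review bot: The rewritten steps drop the commit-SHA pins on `ossf/scorecard-action`, `step-security/harden-runner`, `catchpoint/workflow-telemetry-action`, `actions/upload-artifact` and `github/codeql-action/upload-sarif` in favor of tags, and this is the workflow that runs OpenSSF Scorecard, whose Pinned-Dependencies check will now deduct for the repository's own workflows. Restore the SHA with the version as a comment, e.g. `uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2`, which keeps Dependabot bumps working and the published score honest. The job also grants `id-token: write` and passes the `BOT_TOKEN` PAT to both the telemetry action and `repo_token`, so an unpinned action here has more to reach than in the other workflows. The `upload-sarif@v2.2.4` reference appears older than the `v2.22.12` used by the other workflows in this commit; if that is not deliberate, aligning it would avoid two code paths for the same upload.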