From 807527819e285ef0f9bcf4f314748dd752203a24 Mon Sep 17 00:00:00 2001 From: Iain Powell Date: Tue, 16 Apr 2024 08:31:22 -0300 Subject: [PATCH 1/4] build: as of Go 1.21, toolchain versions must use the 1.N.P syntax (#85) * build: as of Go 1.21, toolchain versions must use the 1.N.P syntax * chore(deps): add gomod to dependabot configuration --- .github/dependabot.yml | 8 ++++++++ go.mod | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 79fc83a..75fadfe 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,5 +1,13 @@ version: 2 updates: + - package-ecosystem: gomod + directory: "/" + schedule: + interval: "weekly" + groups: + all-go: + patterns: + - "*" - package-ecosystem: github-actions directory: "/" schedule: diff --git a/go.mod b/go.mod index ab9fa81..e6b8f24 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/BeyondTrust/go-client-library-passwordsafe -go 1.21 +go 1.21.9 require ( github.com/cenkalti/backoff/v4 v4.2.1 // indirect From bfd422c39cf25ac2db3c5eda6fd43730df2748e2 Mon Sep 17 00:00:00 2001 From: Ivan Gonzalez <135244609+ivgonzalezc@users.noreply.github.com> Date: Tue, 16 Apr 2024 06:49:21 -0500 Subject: [PATCH 2/4] ci: scorecard workflow added (#83) Co-authored-by: Derek Jury --- .github/workflows/scorecard.yml | 66 +++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..7b06b36 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: "23 6 * * 1" + push: + branches: [main] + workflow_dispatch: + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: ossf_scorecard_results.sarif + results_format: sarif + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: false + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + with: + name: SARIF file + path: ossf_scorecard_results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + with: + sarif_file: ossf_scorecard_results.sarif \ No newline at end of file From 52f01a0fe48548b629e77a24ed423c4e484a2fda Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 09:17:12 -0300 Subject: [PATCH 3/4] Build(deps): Bump sonarsource/sonarqube-scan-action from 2.0.1 to 2.0.2 (#79) Bumps [sonarsource/sonarqube-scan-action](https://github.com/sonarsource/sonarqube-scan-action) from 2.0.1 to 2.0.2. - [Release notes](https://github.com/sonarsource/sonarqube-scan-action/releases) - [Commits](https://github.com/sonarsource/sonarqube-scan-action/compare/69c1a75940dec6249b86dace6b630d3a2ae9d2a7...53c3e3207fe4b8d52e2f1ac9d6eb1d2506f626c0) --- updated-dependencies: - dependency-name: sonarsource/sonarqube-scan-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Derek Jury --- .github/workflows/release.yml | 4 ++-- .github/workflows/sonarqube.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5810085..198b069 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -63,7 +63,7 @@ jobs: - name: SonarQube Scan on PR if: ${{ github.actor != 'dependabot[bot]' && ( github.event_name == 'pull_request' || github.event_name == 'pull_request_target' ) }} - uses: sonarsource/sonarqube-scan-action@69c1a75940dec6249b86dace6b630d3a2ae9d2a7 # v2.0.1 + uses: sonarsource/sonarqube-scan-action@53c3e3207fe4b8d52e2f1ac9d6eb1d2506f626c0 # v2.0.2 with: projectBaseDir: . args: > @@ -79,7 +79,7 @@ jobs: - name: SonarQube Scan on branch if: ${{ github.actor != 'dependabot[bot]' && ( github.event_name != 'pull_request' && github.event_name != 'pull_request_target' ) }} - uses: sonarsource/sonarqube-scan-action@69c1a75940dec6249b86dace6b630d3a2ae9d2a7 # v2.0.1 + uses: sonarsource/sonarqube-scan-action@53c3e3207fe4b8d52e2f1ac9d6eb1d2506f626c0 # v2.0.2 with: projectBaseDir: . args: > diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml index ec974f5..3115dc6 100644 --- a/.github/workflows/sonarqube.yml +++ b/.github/workflows/sonarqube.yml @@ -55,7 +55,7 @@ jobs: - name: SonarQube Scan on PR if: ${{ github.actor != 'dependabot[bot]' && ( github.event_name == 'pull_request' || github.event_name == 'pull_request_target' ) }} - uses: sonarsource/sonarqube-scan-action@69c1a75940dec6249b86dace6b630d3a2ae9d2a7 # v2.0.1 + uses: sonarsource/sonarqube-scan-action@53c3e3207fe4b8d52e2f1ac9d6eb1d2506f626c0 # v2.0.2 with: projectBaseDir: . args: > @@ -71,7 +71,7 @@ jobs: - name: SonarQube Scan on branch if: ${{ github.actor != 'dependabot[bot]' && ( github.event_name != 'pull_request' && github.event_name != 'pull_request_target' ) }} - uses: sonarsource/sonarqube-scan-action@69c1a75940dec6249b86dace6b630d3a2ae9d2a7 # v2.0.1 + uses: sonarsource/sonarqube-scan-action@53c3e3207fe4b8d52e2f1ac9d6eb1d2506f626c0 # v2.0.2 with: projectBaseDir: . args: > From fb0397858111c5cd505c8b11f4c96494c06ae0b0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Apr 2024 09:20:10 -0300 Subject: [PATCH 4/4] Build(deps): Bump github/codeql-action from 3.24.10 to 3.25.0 (#84) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.24.10 to 3.25.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/4355270be187e1b672a7a1c7c7bae5afdc1ab94a...df5a14dc28094dc936e103b37d749c6628682b60) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Derek Jury --- .github/workflows/codeql.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d1ba57a..106738a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -30,16 +30,16 @@ jobs: ref: ${{ github.head_ref }} - name: Initialize CodeQL - uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 + uses: github/codeql-action/init@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0 with: config-file: codeql-config.yml languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 + uses: github/codeql-action/autobuild@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 + uses: github/codeql-action/analyze@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0 analyze_on_branch: name: Analyze on branch @@ -62,13 +62,13 @@ jobs: echo ${{ github.event_name }} - name: Initialize CodeQL - uses: github/codeql-action/init@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 + uses: github/codeql-action/init@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0 with: config-file: codeql-config.yml languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 + uses: github/codeql-action/autobuild@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10 + uses: github/codeql-action/analyze@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0