Merge branch 'main' into ci-ubuntu-runner

ericcornelissen · Jul 2, 2024 · 4782f63 · 4782f63
2 parents d928c96 + fa35009
commit 4782f63
Show file tree

Hide file tree

Showing 17 changed files with 3,830 additions and 3,025 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -14,13 +14,13 @@ labels: bug
 
 <!-- Describe the bug in general terms -->
 
-### Actual Behaviour
+### Actual Behavior
 
-<!-- Describe the actual behaviour of the library you're observing -->
+<!-- Describe the actual behavior of the library you're observing -->
 
-### Expected Behaviour
+### Expected Behavior
 
-<!-- Describe the behaviour you would have expected from the library -->
+<!-- Describe the behavior you would have expected from the library -->
 
 ## Working Example
 

diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -30,12 +30,12 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
+        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
         with:
           config-file: ./.github/codeql.yml
           languages: javascript
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
+        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
   format:
     name: Formatting
     runs-on: ubuntu-24.04
@@ -141,37 +141,6 @@ jobs:
       - name: Lint YAML
         if: ${{ failure() || success() }}
         run: npm run lint:yml
-  njsscan:
-    name: njsscan
-    runs-on: ubuntu-24.04
-    permissions:
-      security-events: write # To upload SARIF results
-    steps:
-      - name: Harden runner
-        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            actions-results-receiver-production.githubapp.com:443
-            api.github.com:443
-            ghcr.io:443
-            github.com:443
-            objects.githubusercontent.com:443
-            pkg-containers.githubusercontent.com:443
-            uploads.github.com:443
-      - name: Checkout repository
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      - name: Perform njsscan analysis
-        id: njsscan
-        uses: ajinabraham/njsscan-action@d58d8b2f26322cd35a9efb8003baac517f226d81 # v7
-        with:
-          args: . --sarif --output njsscan-results.sarif || true
-      - name: Upload njsscan report to GitHub
-        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
-        if: ${{ failure() || success() }}
-        with:
-          sarif_file: njsscan-results.sarif
   reproducible:
     name: Reproducible build
     runs-on: ubuntu-24.04
@@ -543,42 +512,6 @@ jobs:
         run: npm clean-install
       - name: Transpile to CommonJS
         run: npm run transpile
-  trivy:
-    name: Trivy
-    runs-on: ubuntu-24.04
-    permissions:
-      security-events: write # To upload SARIF results
-    steps:
-      - name: Harden runner
-        uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
-        with:
-          disable-sudo: true
-          egress-policy: block
-          allowed-endpoints: >
-            actions-results-receiver-production.githubapp.com:443
-            api.github.com:443
-            ghcr.io:443
-            github.com:443
-            objects.githubusercontent.com:443
-            pkg-containers.githubusercontent.com:443
-            uploads.github.com:443
-      - name: Checkout repository
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
-      - name: Perform Trivy analysis
-        uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
-        with:
-          exit-code: 1
-          format: sarif
-          output: trivy-results.sarif
-          scanners: vuln,secret
-          scan-type: fs
-          scan-ref: .
-          template: "@/contrib/sarif.tpl"
-      - name: Upload Trivy report to GitHub
-        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
-        if: ${{ failure() || success() }}
-        with:
-          sarif_file: trivy-results.sarif
   vet:
     name: Vet
     runs-on: ubuntu-24.04

diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml
@@ -24,16 +24,15 @@ jobs:
             actions-results-receiver-production.githubapp.com:443
             api.github.com:443
             artifactcache.actions.githubusercontent.com:443
+            ghcr.io:443
             github.com:443
             objects.githubusercontent.com:443
+            pkg-containers.githubusercontent.com:443
       - name: Checkout repository
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
         with:
           fetch-depth: 0
       - name: Scan for secrets
-        uses: gitleaks/gitleaks-action@cb7149a9b57195b609c63e8518d2c6056677d2d0 # v2.3.3
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          GITLEAKS_ENABLE_COMMENTS: false
-          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
-          GITLEAKS_ENABLE_SUMMARY: true
+        uses: trufflesecurity/trufflehog@b9dd330365132cd2d01dd5dc8a857a056a2544e1 # v3.79.0
+        with:
+          extra_args: --only-verified
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -22,7 +22,7 @@ jobs:
         env:
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
       - name: Upload Semgrep report to GitHub
-        uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
+        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
         if: ${{ failure() || success() }}
         with:
           sarif_file: semgrep.sarif
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -482,7 +482,7 @@ module.exports = {
 
 The effectiveness of some test suites is ensured through [mutation testing
 (Wikipedia)] using the [Stryker Mutator] framework. Mutation testing will tell
-you if there are behaviour changing modification that can be made to source code
+you if there are behavior changing modification that can be made to source code
 without the tests catching the change. Such modifications are labeled as
 _survived_.
 

diff --git a/docs/testing.md b/docs/testing.md
@@ -44,7 +44,7 @@ assert.throws(() => functionUnderTest(Throwscape));
 
 ### Why Stubs
 
-The behaviour of Shescape depends on external factors such as the operating
+The behavior of Shescape depends on external factors such as the operating
 system it is running on and environment variables. This may not be desirable in
 your tests, especially in unit tests.