[Dependencies]: Bump step-security/harden-runner from 2.8.0 to 2.8.1 #1054
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- # Linting of pull requests | |
name: "PR: Lint" | |
on: | |
pull_request: | |
types: [opened, edited, synchronize, reopened, ready_for_review, unlocked] | |
branches: | |
- main | |
permissions: | |
contents: read | |
concurrency: | |
group: ${{github.workflow}}-${{github.ref}} | |
cancel-in-progress: true | |
env: | |
HEAD_REF: ${{github.head_ref}} | |
BASE_REF: ${{github.base_ref}} | |
jobs: | |
info: | |
if: endsWith(github.repository, '-template') | |
runs-on: [self-hosted, linux] | |
steps: | |
- name: "Initialise Workspace" | |
if: startsWith(runner.name, 'buildagent-') | |
shell: bash | |
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" | |
- name: "Info" | |
uses: actions/[email protected] | |
with: | |
script: | | |
core.info('Branch: ${{env.HEAD_REF}}'); | |
core.info('Base Branch: ${{env.BASE_REF}}'); | |
core.info('Repo: ${{github.repository}}'); | |
core.info('Owner: ${{github.repository_owner}}'); | |
# include-JIRA-ticket: | |
# if: github.event.pull_request.draft == false | |
# runs-on: [self-hosted, linux] | |
# steps: | |
# - name: "Initialise Workspace" | |
# if: startsWith(runner.name, 'buildagent-') | |
# shell: bash | |
# run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" | |
# - name: "Checkout Source" | |
# uses: actions/[email protected] | |
# with: | |
# fetch-depth: 0 | |
# fetch-tags: true | |
# - if: |- | |
# !endsWith(github.repository, '-template') | |
# && !startsWith(github.head_ref, 'release/') | |
# && !startsWith(github.head_ref, 'hotfix/') | |
# uses: seferov/[email protected] | |
# with: | |
# title-regex: '^\[FF\-\d*?\](:)?(\ )' | |
# error-message: 'Add Jira Ticket ID to your title' | |
include-changelog-entry: | |
if: github.event.pull_request.draft == false | |
runs-on: [self-hosted, linux] | |
steps: | |
- name: "Initialise Workspace" | |
if: startsWith(runner.name, 'buildagent-') | |
shell: bash | |
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" | |
- name: "Checkout Source" | |
if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template')) | |
uses: actions/[email protected] | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
- name: "Diff Changes" | |
if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template')) | |
shell: bash | |
run: echo "CHANGES=$(git diff --exit-code --no-patch --merge-base origin/main CHANGELOG.md 2> /dev/null && echo 0 || echo $?)" >> "$GITHUB_ENV" | |
- name: "Report unchanged" | |
if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template')) && env.CHANGES == '0' | |
uses: actions/[email protected] | |
with: | |
script: | | |
core.setFailed('Changelog has not changed') | |
change-log-entry-is-in-unreleased: | |
if: github.event.pull_request.draft == false | |
# As LibGit2Sharp doesn't work on 20.04 | |
runs-on: [self-hosted, linux] | |
steps: | |
- name: "Initialise Workspace" | |
if: startsWith(runner.name, 'buildagent-') | |
shell: bash | |
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" | |
- name: "Harden Security" | |
uses: step-security/[email protected] | |
with: | |
egress-policy: audit | |
disable-sudo: true | |
allowed-endpoints: > | |
api.github.com:443 | |
api.osv.dev:443 | |
api.securityscorecards.dev:443 | |
codeload.github.com:443 | |
fulcio.sigstore.dev:443 | |
github.com:443 | |
oss-fuzz-build-logs.storage.googleapis.com:443 | |
rekor.sigstore.dev:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
www.bestpractices.dev:443 | |
- name: "Checkout Source" | |
uses: actions/[email protected] | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
- name: "Get version from global.json" | |
if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template')) | |
uses: credfeto/[email protected] | |
with: | |
file: src/global.json | |
fallback: 8.0.* | |
- name: "Install dotnet" | |
if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template')) | |
uses: actions/[email protected] | |
env: | |
GITHUB_TOKEN: ${{secrets.SOURCE_PUSH_TOKEN}} | |
DDOTNET_ROOT: "${{github.workspace}}/.dotnet/${{github.sha}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}" | |
DOTNET_INSTALL_DIR: "${{github.workspace}}/.dotnet/${{github.sha}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}" | |
DOTNET_MULTILEVEL_LOOKUP: "false" | |
DOTNET_NOLOGO: "true" | |
DOTNET_PRINT_TELEMETRY_MESSAGE: "false" | |
DOTNET_JitCollect64BitCounts: "1" | |
DOTNET_ReadyToRun: "0" | |
DOTNET_TC_QuickJitForLoops: "1" | |
DOTNET_TC_CallCountingDelayMs: "0" | |
DOTNET_TieredPGO: "1" | |
MSBUILDTERMINALLOGGER: "auto" | |
with: | |
dotnet-version: | | |
6.0.* | |
7.0.* | |
8.0.* | |
${{env.DOTNET_VERSION}} | |
- name: "Check Runner details" | |
uses: actions/[email protected] | |
with: | |
script: | | |
core.info('Name: ${{runner.name}}'); | |
core.info('OS: ${{runner.os}}'); | |
- name: "Enable Local nuget feeds if caching" | |
if: startsWith(runner.name, 'buildagent-') | |
id: nuget-local-cache | |
shell: bash | |
run: | | |
{ | |
echo "NUGET_BAGET_CACHE=${{vars.NUGET_BAGET_CACHE}}" | |
echo "PRERELEASE_BAGET_CACHE=${{vars.PRERELEASE_BAGET_CACHE}}" | |
echo "RELEASE_BAGET_CACHE=${{vars.RELEASE_BAGET_CACHE}}" | |
}>> "$GITHUB_OUTPUT" | |
- name: "Configure nuget feeds" | |
if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template')) | |
uses: ./.github/actions/nuget | |
with: | |
NUGET_PUBLIC_RESTORE_FEED_CACHE: ${{steps.nuget-local-cache.outputs.NUGET_BAGET_CACHE}} | |
NUGET_PUBLIC_RESTORE_FEED: ${{vars.NUGET_PUBLIC_RESTORE_FEED}} | |
NUGET_ADDITIONAL_RESTORE_FEED_RELEASE_CACHE: ${{steps.nuget-local-cache.outputs.RELEASE_BAGET_CACHE}} | |
NUGET_ADDITIONAL_RESTORE_FEED_PRERELEASE_CACHE: "" | |
NUGET_ADDITIONAL_RESTORE_FEED_RELEASE: ${{vars.NUGET_ADDITIONAL_RESTORE_FEED_RELEASE}} | |
NUGET_ADDITIONAL_RESTORE_FEED_PRERELEASE: "" | |
- name: "Enable dotnet tools" | |
if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template')) | |
shell: bash | |
run: dotnet new tool-manifest | |
env: | |
DDOTNET_ROOT: "${{github.workspace}}/.dotnet/${{github.sha}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}" | |
DOTNET_INSTALL_DIR: "${{github.workspace}}/.dotnet/${{github.sha}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}" | |
DOTNET_MULTILEVEL_LOOKUP: "false" | |
DOTNET_NOLOGO: "true" | |
DOTNET_PRINT_TELEMETRY_MESSAGE: "false" | |
DOTNET_JitCollect64BitCounts: "1" | |
DOTNET_ReadyToRun: "0" | |
DOTNET_TC_QuickJitForLoops: "1" | |
DOTNET_TC_CallCountingDelayMs: "0" | |
DOTNET_TieredPGO: "1" | |
MSBUILDTERMINALLOGGER: "auto" | |
- name: "Install Changelog tool" | |
if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template')) | |
uses: ./.github/actions/dotnet-tool | |
with: | |
TOOL_NAME: Credfeto.ChangeLog.Cmd | |
TOOL_VERSION: latest | |
- name: "Check Changelog" | |
if: (github.actor != 'dependabot[bot]' && !endsWith(github.repository , '-template')) | |
shell: bash | |
run: dotnet changelog --changelog CHANGELOG.md --check-insert "origin/${{github.base_ref}}" | |
env: | |
DDOTNET_ROOT: "${{github.workspace}}/.dotnet/${{github.sha}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}" | |
DOTNET_INSTALL_DIR: "${{github.workspace}}/.dotnet/${{github.sha}}-${{github.run_id}}-${{github.run_number}}-${{github.run_attempt}}" | |
DOTNET_MULTILEVEL_LOOKUP: "false" | |
DOTNET_NOLOGO: "true" | |
DOTNET_PRINT_TELEMETRY_MESSAGE: "false" | |
DOTNET_JitCollect64BitCounts: "1" | |
DOTNET_ReadyToRun: "0" | |
DOTNET_TC_QuickJitForLoops: "1" | |
DOTNET_TC_CallCountingDelayMs: "0" | |
DOTNET_TieredPGO: "1" | |
MSBUILDTERMINALLOGGER: "auto" | |
does-not-contain-secrets: | |
if: github.event.pull_request.draft == false | |
runs-on: [self-hosted, linux] | |
steps: | |
- name: "Initialise Workspace" | |
if: startsWith(runner.name, 'buildagent-') | |
shell: bash | |
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" | |
- name: "Harden Security" | |
uses: step-security/[email protected] | |
with: | |
egress-policy: audit | |
disable-sudo: true | |
allowed-endpoints: > | |
api.github.com:443 | |
api.osv.dev:443 | |
api.securityscorecards.dev:443 | |
codeload.github.com:443 | |
fulcio.sigstore.dev:443 | |
github.com:443 | |
oss-fuzz-build-logs.storage.googleapis.com:443 | |
rekor.sigstore.dev:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
www.bestpractices.dev:443 | |
- name: "Checkout Source" | |
uses: actions/[email protected] | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
- name: "Check for leaks" | |
uses: DariuszPorowski/[email protected] | |
id: gitleaks | |
with: | |
config: .gitleaks.toml | |
report_format: "sarif" | |
fail: true | |
redact: true | |
verbose: true | |
log_level: info | |
has-no-merge-conflicts: | |
if: github.event.pull_request.draft == false | |
runs-on: [self-hosted, linux] | |
steps: | |
- name: "Initialise Workspace" | |
if: startsWith(runner.name, 'buildagent-') | |
shell: bash | |
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" | |
- name: "Harden Security" | |
uses: step-security/[email protected] | |
with: | |
egress-policy: audit | |
disable-sudo: true | |
allowed-endpoints: > | |
api.github.com:443 | |
api.osv.dev:443 | |
api.securityscorecards.dev:443 | |
codeload.github.com:443 | |
fulcio.sigstore.dev:443 | |
github.com:443 | |
oss-fuzz-build-logs.storage.googleapis.com:443 | |
rekor.sigstore.dev:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
www.bestpractices.dev:443 | |
- name: "Checkout Source" | |
uses: actions/[email protected] | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
- name: "Check for merge conflicts" | |
uses: olivernybroe/[email protected] | |
has-no-file-or-folder-case-sensitivity-issues: | |
if: github.event.pull_request.draft == false | |
runs-on: [self-hosted, linux] | |
steps: | |
- name: "Initialise Workspace" | |
if: startsWith(runner.name, 'buildagent-') | |
shell: bash | |
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" | |
- name: "Harden Security" | |
uses: step-security/[email protected] | |
with: | |
egress-policy: audit | |
disable-sudo: true | |
allowed-endpoints: > | |
api.github.com:443 | |
api.osv.dev:443 | |
api.securityscorecards.dev:443 | |
codeload.github.com:443 | |
fulcio.sigstore.dev:443 | |
github.com:443 | |
oss-fuzz-build-logs.storage.googleapis.com:443 | |
rekor.sigstore.dev:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
www.bestpractices.dev:443 | |
- name: "Checkout Source" | |
uses: actions/[email protected] | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
- name: "Check for case conflicts" | |
uses: credfeto/[email protected] | |
no-ignored-files: | |
if: github.event.pull_request.draft == false | |
runs-on: [self-hosted, linux] | |
steps: | |
- name: "Initialise Workspace" | |
if: startsWith(runner.name, 'buildagent-') | |
shell: bash | |
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" | |
- name: "Harden Security" | |
uses: step-security/[email protected] | |
with: | |
egress-policy: audit | |
disable-sudo: true | |
allowed-endpoints: > | |
api.github.com:443 | |
api.osv.dev:443 | |
api.securityscorecards.dev:443 | |
codeload.github.com:443 | |
fulcio.sigstore.dev:443 | |
github.com:443 | |
oss-fuzz-build-logs.storage.googleapis.com:443 | |
rekor.sigstore.dev:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
www.bestpractices.dev:443 | |
- name: "Checkout Source" | |
uses: actions/[email protected] | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
- name: "Check for ignored files" | |
uses: credfeto/[email protected] | |
dependency-review: | |
# Check that there are no dependencies with security problems in the PR | |
if: github.event.pull_request.draft == false | |
runs-on: [self-hosted, linux] | |
steps: | |
- name: "Initialise Workspace" | |
if: startsWith(runner.name, 'buildagent-') | |
shell: bash | |
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" | |
- name: "Harden Security" | |
uses: step-security/[email protected] | |
with: | |
egress-policy: audit | |
disable-sudo: true | |
allowed-endpoints: > | |
api.github.com:443 | |
api.osv.dev:443 | |
api.securityscorecards.dev:443 | |
codeload.github.com:443 | |
fulcio.sigstore.dev:443 | |
github.com:443 | |
oss-fuzz-build-logs.storage.googleapis.com:443 | |
rekor.sigstore.dev:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
www.bestpractices.dev:443 | |
- name: "Check repo visibility" | |
uses: credfeto/[email protected] | |
id: visibility | |
with: | |
# optional parameter defaults to the current repo | |
repository: ${{github.repository}} | |
# optional parameter defaults to the current user | |
token: ${{github.token}} | |
- name: "Checkout Source" | |
if: steps.visibility.outputs.is_public == 'true' | |
uses: actions/[email protected] | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
- name: 'Dependency Review' | |
if: steps.visibility.outputs.is_public == 'true' | |
uses: actions/[email protected] | |
no-merge-commits: | |
# Check that there are no merge commits in the PR | |
if: github.event.pull_request.draft == false | |
runs-on: [self-hosted, linux] | |
steps: | |
- name: "Initialise Workspace" | |
if: startsWith(runner.name, 'buildagent-') | |
shell: bash | |
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" | |
- name: "Harden Security" | |
uses: step-security/[email protected] | |
with: | |
egress-policy: audit | |
disable-sudo: true | |
allowed-endpoints: > | |
api.github.com:443 | |
api.osv.dev:443 | |
api.securityscorecards.dev:443 | |
codeload.github.com:443 | |
fulcio.sigstore.dev:443 | |
github.com:443 | |
oss-fuzz-build-logs.storage.googleapis.com:443 | |
rekor.sigstore.dev:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
www.bestpractices.dev:443 | |
- name: "Checkout Source" | |
uses: actions/[email protected] | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
- name: "Check for merge commits" | |
uses: greenled/[email protected] | |
lint-code: | |
if: |- | |
github.event.pull_request.draft == false && | |
( !startsWith(github.head_ref, 'release/') && !startsWith(github.head_ref, 'hotfix/') ) | |
runs-on: [self-hosted, linux] | |
steps: | |
- name: "Initialise Workspace" | |
if: startsWith(runner.name, 'buildagent-') | |
shell: bash | |
run: sudo chown -R "$USER:$USER" "$GITHUB_WORKSPACE" | |
- name: "Harden Security" | |
uses: step-security/[email protected] | |
with: | |
egress-policy: audit | |
disable-sudo: true | |
allowed-endpoints: > | |
api.github.com:443 | |
api.osv.dev:443 | |
api.securityscorecards.dev:443 | |
codeload.github.com:443 | |
fulcio.sigstore.dev:443 | |
github.com:443 | |
oss-fuzz-build-logs.storage.googleapis.com:443 | |
rekor.sigstore.dev:443 | |
tuf-repo-cdn.sigstore.dev:443 | |
www.bestpractices.dev:443 | |
- name: "Checkout Source" | |
uses: actions/[email protected] | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
- name: "Run Linter" | |
uses: github/super-linter@v6 | |
env: | |
DEFAULT_BRANCH: main | |
GITHUB_TOKEN: ${{secrets.SOURCE_PUSH_TOKEN}} | |
MULTI_STATUS: true | |
VALIDATE_ALL_CODEBASE: false | |
VALIDATE_ANSIBLE: true | |
VALIDATE_BASH: true | |
VALIDATE_CSS: true | |
VALIDATE_ENV: true | |
VALIDATE_DOCKERFILE: true | |
VALIDATE_DOCKERFILE_HADOLINT: true | |
VALIDATE_GITHUB_ACTIONS: true | |
VALIDATE_JSON: true | |
VALIDATE_MD: true | |
VALIDATE_POWERSHELL: true | |
VALIDATE_PYTHON: true | |
VALIDATE_PYTHON_PYLINT: true | |
VALIDATE_SQL: true | |
VALIDATE_TYPESCRIPT_ES: true | |
VALIDATE_XML: true | |
VALIDATE_YAML: true |