merge main into release (#96)

.github/codeql-config.yml

@@ -0,0 +1,20 @@
+name: CodeQL Config
+
+# paths-ignore only works for interpreted languages (i.e. not C/C++)
+
+# paths:
+#   - /home/runner/work/OdbDesign/OdbDesign/OdbDesignServer
+#   - /home/runner/work/OdbDesign/OdbDesign/OdbDesignApp
+#   - /home/runner/work/OdbDesign/OdbDesign/OdbDesignTests
+#   - /home/runner/work/OdbDesign/OdbDesign/OdbDesignLib
+#   - /home/runner/work/OdbDesign/OdbDesign/Utils
+
+#paths-ignore:
+#  - /home/runner/work/OdbDesign/OdbDesign/vcpkg/**/*
+#  - /home/runner/work/OdbDesign/OdbDesign/out/build/linux-release/vcpkg_installed/**/*
+
+#queries:
+#  - uses: security
+  #- uses: security-and-quality
+  #- security-experimental
+  #- security-extended

.github/dependabot.yml

@@ -0,0 +1,16 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: pip
+    directory: /PyOdbDesignServer
+    schedule:
+      interval: daily
+
+  - package-ecosystem: docker
+    directory: /
+    schedule:
+      interval: daily

.github/workflows/cmake-multi-platform.yml

@@ -8,7 +8,7 @@ on:
     branches: [ "development", "main", "release" ]  
 
 permissions:
-  contents: write  
+  contents: read  
 
 env:
   VCPKG_ROOT: ${{ github.workspace }}/vcpkg
@@ -23,6 +23,8 @@ jobs:
   build:
     name: CMake-Multi-Platform-Build
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: write
 
     strategy:
       # Set fail-fast to false to ensure that feedback is delivered for all matrix combinations. Consider changing this to true when your workflow is stable.
@@ -49,14 +51,14 @@ jobs:
     steps:   
 
     - name: Checkout Repository
-      uses: actions/checkout@v3 
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     # add problem matchers by compiler
     - name: Add Problem Matchers
-      uses: ammaraskar/msvc-problem-matcher@master
+      uses: ammaraskar/msvc-problem-matcher@13149ebc00eaa00eadcd81b204d7159cca5de4fd # master
       if: matrix.os == 'windows-2022'
     - name: Add Problem Matchers
-      uses: ammaraskar/gcc-problem-matcher@master
+      uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master
       if: matrix.os != 'windows-2022'
 
     - name: Install vcpkg Dependencies
@@ -76,12 +78,12 @@ jobs:
       if: matrix.os != 'windows-2022'
 
     - name: Install Ninja    
-      uses: seanmiddleditch/gha-setup-ninja@master
+      uses: seanmiddleditch/gha-setup-ninja@8b297075da4cd2a5f1fd21fe011b499edf06e9d2 # master
       if: matrix.os != 'windows-2022'
 
     # Export vcpkg Cache Variables
     - name : Export vcpkg Cache Variables
-      uses: actions/github-script@v6
+      uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
       with:
         script: |
           core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
@@ -100,7 +102,7 @@ jobs:
     #   os == windows-2022
     #
     - name: Setup VC Tools
-      uses: ilammy/msvc-dev-cmd@v1
+      uses: ilammy/msvc-dev-cmd@cec98b9d092141f74527d0afa6feb2af698cfe89 # v1.12.1
       if: matrix.os == 'windows-2022'
 
     - name: Patch vcpkg
@@ -174,12 +176,16 @@ jobs:
         Compress-Archive -Path "${{env.ARTIFACTS_DIR_WIN}}\*.dll","${{env.ARTIFACTS_DIR_WIN}}\*.exe"  -DestinationPath "${{env.ARTIFACTS_DIR_WIN}}\artifacts-${{matrix.os}}.zip" -Verbose -Force
 
     - name: Upload Artifacts
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: ${{ matrix.os }}-artifacts
         path: ${{ env.ARTIFACTS_DIR }}/artifacts-${{matrix.os}}.zip
         retention-days: 1
 
+  #
+  # Create Release job
+  #
+
   release:
     # only on pushes to the release branch
     name: Create Release
@@ -192,13 +198,40 @@ jobs:
     steps:
 
       - name: Checkout Repository
-        uses: actions/checkout@v3 
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       # download the artifacts
       - name: "Download artifacts"
-        uses: "actions/download-artifact@v2"
+        uses: "actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a" # v3.0.2
         with:
-          path: ${{ github.workspace }}/artifacts
+          path: ${{ github.workspace }}/artifacts     
+
+      - name: Rename Artifacts
+        run: |
+          mv ${{ github.workspace }}/artifacts/ubuntu-22.04-artifacts/artifacts-ubuntu-22.04.zip ${{ github.workspace }}/artifacts/OdbDesign-Linux-x64.zip
+          mv ${{ github.workspace }}/artifacts/windows-2022-artifacts/artifacts-windows-2022.zip ${{ github.workspace }}/artifacts/OdbDesign-Windows-x64.zip
+          mv ${{ github.workspace }}/artifacts/macos-12-artifacts/artifacts-macos-12.zip ${{ github.workspace }}/artifacts/OdbDesign-MacOS-x64.zip
+
+      - name: Generate SHA256 Sums
+        run: |
+          # sha256
+          cd ${{ github.workspace }}/artifacts
+          sha256sum OdbDesign-Linux-x64.zip > OdbDesign-Linux-x64.zip.sha256sum
+          sha256sum OdbDesign-Windows-x64.zip > OdbDesign-Windows-x64.zip.sha256sum
+          sha256sum OdbDesign-MacOS-x64.zip > OdbDesign-MacOS-x64.zip.sha256sum          
+
+      - name: Import GPG Key
+        uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6.0.0
+        with:
+          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+          passphrase: ${{ secrets.PASSPHRASE }}
+
+      - name: Sign Binaries
+        run: |
+          cd ${{ github.workspace }}/artifacts
+          gpg --batch --yes --detach-sign --armor OdbDesign-Linux-x64.zip
+          gpg --batch --yes --detach-sign --armor OdbDesign-Windows-x64.zip
+          gpg --batch --yes --detach-sign --armor OdbDesign-MacOS-x64.zip
 
       - name: Create Release Variables
         run: |
@@ -209,50 +242,52 @@ jobs:
           export RELEASE_NAME="OdbDesign ${RELEASE_TAG}"
           echo "RELEASE_NAME=$RELEASE_NAME" >> $GITHUB_ENV
 
-      - name: Rename Artifacts
-        run: |
-          mv ${{ github.workspace }}/artifacts/ubuntu-22.04-artifacts/artifacts-ubuntu-22.04.zip ${{ github.workspace }}/artifacts/OdbDesign-Linux-x64.zip
-          mv ${{ github.workspace }}/artifacts/windows-2022-artifacts/artifacts-windows-2022.zip ${{ github.workspace }}/artifacts/OdbDesign-Windows-x64.zip
-          mv ${{ github.workspace }}/artifacts/macos-12-artifacts/artifacts-macos-12.zip ${{ github.workspace }}/artifacts/OdbDesign-MacOS-x64.zip
-
       # create a release
       - name: "Create GitHub Release"
-        uses: "actions/github-script@v6"
+        uses: "actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410" # v6.4.1
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           script: |
-            try {             
-                const createResponse = await github.rest.repos.createRelease({
-                generate_release_notes: true,
-                name: process.env.RELEASE_NAME,
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                tag_name: process.env.RELEASE_TAG,
-                body: require('fs').readFileSync('${{ github.workspace }}/release/release-body.md', 'utf8'),
-                target_commitish: '${{ github.ref_name }}'
+            try {       
+              const createResponse = await github.rest.repos.createRelease({
+                  generate_release_notes: true,
+                  name: process.env.RELEASE_NAME,
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  tag_name: process.env.RELEASE_TAG,
+                  body: require('fs').readFileSync('${{ github.workspace }}/release/release-body.md', 'utf8'),
+                  target_commitish: '${{ github.ref_name }}'
               });
           
-              const filenames = [ 
-                  'OdbDesign-Linux-x64.zip',
-                  'OdbDesign-Windows-x64.zip',
-                  'OdbDesign-MacOS-x64.zip'
+              const files =
+              [ 
+                  { name: 'OdbDesign-Linux-x64.zip',  contentType: 'application/zip' },
+                  { name: 'OdbDesign-Linux-x64.zip.sha256sum', contentType: 'text/plain' },
+                  { name: 'OdbDesign-Linux-x64.zip.asc', contentType: 'text/plain' },
+                  { name: 'OdbDesign-Windows-x64.zip', contentType: 'application/zip' },
+                  { name: 'OdbDesign-Windows-x64.zip.sha256sum', contentType: 'text/plain' },
+                  { name: 'OdbDesign-Windows-x64.zip.asc', contentType: 'text/plain' },
+                  { name: 'OdbDesign-MacOS-x64.zip', contentType: 'application/zip' },
+                  { name: 'OdbDesign-MacOS-x64.zip.sha256sum', contentType: 'text/plain' },
+                  { name: 'OdbDesign-MacOS-x64.zip.asc', contentType: 'text/plain' }       
               ];
+          
+              const artifactsPath = '${{ github.workspace }}/artifacts';
               
-              for (const filename of filenames) {                  
-                  const artifactsPath = '${{ github.workspace }}/artifacts';
-                  const filePath = artifactsPath +'/' + filename;
+              for (const file of files) {                        
+                  const filePath = artifactsPath +'/' + file.name;
                   const uploadResponse = await github.rest.repos.uploadReleaseAsset({
                       owner: context.repo.owner,
                       repo: context.repo.repo,
                       release_id: createResponse.data.id,        
-                      name: filename,            
+                      name: file.name,            
                       data: require('fs').readFileSync(filePath),
                       headers: {
-                      'content-type': 'application/zip',
-                      'content-length': require('fs').statSync(filePath).size
+                          'content-type': file.contentType,
+                          'content-length': require('fs').statSync(filePath).size
                       }    
                   });
               }
             } catch (error) {
                 core.setFailed(error.message);
-            }               
+            }         

.github/workflows/codeql.yml

@@ -21,6 +21,9 @@ env:
   VCPKG_ROOT: ${{ github.workspace }}/vcpkg
   VCPKG_BINARY_SOURCES: 'clear;x-gha,readwrite'
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: CodeQL-Security-Scan
@@ -34,32 +37,32 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ 'cpp' ]
+        language: [ 'c-cpp' ]
         # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
       with:        
         languages: ${{ matrix.language }}
-        config-file: ${{ github.workspace }}/.github/codeql/codeql-config.yml        
+        config-file: ${{ github.workspace }}/.github/codeql-config.yml        
 
     - name: Install vcpkg
       run: |               
         git clone --depth 1 https://github.com/Microsoft/vcpkg.git ${{env.VCPKG_ROOT}}
         "${{env.VCPKG_ROOT}}/bootstrap-vcpkg.sh"            
       
     - name: Install Ninja    
-      uses: seanmiddleditch/gha-setup-ninja@master
+      uses: seanmiddleditch/gha-setup-ninja@8b297075da4cd2a5f1fd21fe011b499edf06e9d2 # master
 
     # Export vcpkg Cache Variables
     - name : Export vcpkg Cache Variables
-      uses: actions/github-script@v6
+      uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
       with:
         script: |
           core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
@@ -75,6 +78,6 @@ jobs:
       run: cmake --build --preset linux-release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/dependency-review.yml

@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0

.github/workflows/msvc.yml → .github/workflows/disabled/msvc.yml

@@ -33,18 +33,18 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
        # Export vcpkg Cache Variables
       - name : Export vcpkg Cache Variables
-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
             core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
       
       - name: Setup VC Tools
-        uses: ilammy/msvc-dev-cmd@v1
+        uses: ilammy/msvc-dev-cmd@7315a94840631165970262a99c72cfb48a65d25d # v1.12.0
 
       - name: Patch vcpkg
         run: scripts/patch-vcpkg-install.ps1
@@ -73,13 +73,13 @@ jobs:
 
       # Upload SARIF file to GitHub Code Scanning Alerts
       - name: Upload SARIF to GitHub
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
         with:
           sarif_file: ${{ steps.run-analysis.outputs.sarif }}
 
       # Upload SARIF file as an Artifact to download and view
       - name: Upload SARIF as an Artifact
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: sarif-file
           path: ${{ steps.run-analysis.outputs.sarif }}

.github/workflows/python-publish.yml → .github/workflows/disabled/python-publish.yml

@@ -28,9 +28,9 @@ jobs:
         working-directory: PyOdbDesignLib
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: Set up Python
-      uses: actions/setup-python@v3
+      uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3.1.4
       with:
         python-version: '3.x'
     - name: Install dependencies