From dd7a421cfc4249a21e11d32660297ecf88ebeb37 Mon Sep 17 00:00:00 2001
From: Nathan Miller
Date: Sun, 11 Feb 2024 21:04:55 -0800
Subject: [PATCH 1/3] simplify dependency review workflow
---
.github/workflows/dependency-review.yml | 14 +++-----------
1 file changed, 3 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 63ae082c..3c58ad21 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -16,17 +16,6 @@ permissions: jobs: - dependency-submission: - runs-on: ubuntu-22.04 - permissions: - id-token: write - contents: write - - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Component detection - uses: advanced-security/component-detection-dependency-submission-action@v0.0.2 - dependency-review: runs-on: ubuntu-22.04 permissions:
@@ -37,6 +26,9 @@ jobs: - name: 'Checkout Repository' uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Component detection + uses: advanced-security/component-detection-dependency-submission-action@v0.0.2 + - name: 'Dependency Review' uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0 with:
From edcbb6bc2effbf6afcfee8632c267bd31e448234 Mon Sep 17 00:00:00 2001
From: Nathan Miller
Date: Sun, 11 Feb 2024 21:43:42 -0800
Subject: [PATCH 2/3] add write permissions for SBOM upload workflow
---
.github/workflows/sbom-generate-submit.yml | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/sbom-generate-submit.yml b/.github/workflows/sbom-generate-submit.yml
index 240f752e..a89ece22 100644
--- a/.github/workflows/sbom-generate-submit.yml
+++ b/.github/workflows/sbom-generate-submit.yml
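Review bot: In the second hunk of `.github/workflows/dependency-review.yml` (PATCH 1/3), the relocated step references `advanced-security/component-detection-dependency-submission-action@v0.0.2` by a mutable tag, while the checkout and dependency-review steps on either side of it are pinned to full commit SHAs. Pin it the same way, `uses: advanced-security/component-detection-dependency-submission-action@<full-commit-sha> # v0.0.2` (placeholder; resolve the SHA from the action's repository). The deleted `dependency-submission` job granted `contents: write` and `id-token: write`, and the `permissions:` block of `dependency-review` is cut off at the hunk edge, so confirm it carries the scope the submission step needs. Any write scope added there is shared by every step in the job, which matters if this workflow runs on pull requests.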
@@ -2,7 +2,7 @@ name: SBOM Generate and Submit on: push: - branches: [ "development", "release" ] + branches: [ "main", "release", "development", "nam20485" ] workflow_dispatch: permissions:
@@ -11,7 +11,9 @@ permissions: jobs: build: runs-on: ubuntu-22.04 - permissions: read-all + permissions: + id-token: write + contents: write steps: - name: Checkout Code
@@ -26,5 +28,5 @@ jobs: - name: SBOM Upload uses: advanced-security/spdx-dependency-submission-action@v0.0.1 with: - filePath: ${{steps.sbom-generate.outputs.fileName }} + filePath: ${{ steps.sbom-generate.outputs.fileName }} \ No newline at end of file
From ccdca91eb2655763de5a97575a794ef69f09488d Mon Sep 17 00:00:00 2001
From: Nathan Miller
Date: Sun, 11 Feb 2024 21:48:52 -0800
Subject: [PATCH 3/3] make OdbDesignTestData repo public and use default token to access
---
.github/workflows/cmake-multi-platform.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml
index ea553934..24c34d67 100644
--- a/.github/workflows/cmake-multi-platform.yml
+++ b/.github/workflows/cmake-multi-platform.yml
@@ -148,7 +148,7 @@ jobs: repository: 'nam20485/OdbDesignTestData' path: 'OdbDesignTestData' ref: 'main' - token: ${{ secrets.ODBDESIGN_TESTDATA_ACCESS_TOKEN }} + #token: ${{ secrets.ODBDESIGN_TESTDATA_ACCESS_TOKEN }} - name : Export ODB_TEST_DATA_DIR uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
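Review bot: In the `@@ -11,7 +11,9 @@` hunk of `.github/workflows/sbom-generate-submit.yml` (PATCH 2/3), `id-token: write` is granted alongside `contents: write`, but no step visible in this patch requests an OIDC token and the commit subject only asks for write access for the SBOM upload. Unless a step outside the hunks needs OIDC, drop it and keep only `contents: write` under `permissions:`. Job-level scopes apply to every step in `build`, including the tag-pinned `advanced-security/spdx-dependency-submission-action@v0.0.1` shown as context in the next hunk, so pinning that action to a full commit SHA matters more now that the token can write. The first hunk also adds the personal branch `nam20485` to the push trigger, which widens where this write-scoped job runs.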
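Review bot: In `.github/workflows/cmake-multi-platform.yml` (PATCH 3/3), the `token:` input is commented out rather than deleted, which leaves a dead reference to `secrets.ODBDESIGN_TESTDATA_ACCESS_TOKEN` in the workflow. Delete the line, and once nothing else uses that secret, remove it from the repository settings and revoke the underlying token. With the input unset the checkout falls back to the job's default token, so consider adding `persist-credentials: false` to this step, since the test-data clone needs no credentials afterwards. The step's opening lines are outside the hunk, so this assumes from the `repository:`/`path:`/`ref:` inputs that it is an `actions/checkout` step.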