diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..7d1b05dcc
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,44 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main" ]
+ schedule:
+ - cron: '37 20 * * 1'
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'javascript' ]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c # v3
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c # v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@3b1a19a80ab047f35cbb237b5bd9bdc1e14f166c # v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index c5586c878..7297495bd 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -18,17 +18,20 @@ jobs: permissions: contents: read - id-token: write pull-requests: write + strategy: + matrix: + node-version: [22] + steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: 20.x + node-version: ${{ matrix.node-version }} - name: Install dependencies run: npm ci
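Review bot: The action pins in this new workflow carry only a major-version comment — `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` and `# v3` on the three codeql-action steps — while the repository's existing pins in cve-scanning.yml record the exact tag (`# v4.1.7`, `# v4.0.2`). Dependabot and Renovate read that trailing comment to decide which release the pin currently is, and a reviewer cannot tell from `# v4` alone that the SHA resolves to a v4 release; I could not match `34e11487…` to a v4.x tag myself, so please confirm it before merging. The commit also leaves checkout pinned to `692973e3…` in cve-scanning.yml but to `34e11487…` here, in coverage.yml and in release.yml, so the repo now carries two different "checkout v4" pins; converging on one SHA with a full-tag comment of the form `# v4.<minor>.<patch>` (placeholder) keeps future bumps to a single place. The same comment applies to the coverage.yml and release.yml hunks in this commit.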
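Review bot: The `strategy.matrix.node-version: [22]` added here is a one-element matrix whose only consumer is `node-version: ${{ matrix.node-version }}`, while the same commit removes the identical one-element matrix from cve-scanning.yml and writes `node-version: 22` directly. A single literal reads more plainly and avoids the matrix suffix in the job name; if a matrix is kept for future expansion, the two workflows should at least use the same form. The job definition this hunk edits starts before the hunk, so the removal of `id-token: write` here should be read together with the Codecov step in the next hunk.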
@@ -40,6 +43,4 @@ jobs: run: npm run test - name: Codecov - uses: codecov/codecov-action@v6 - with: - use_oidc: true + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4 diff --git a/.github/workflows/cve-scanning.yml b/.github/workflows/cve-scanning.yml index da3c29b1a..ecb3b21d0 100644 --- a/.github/workflows/cve-scanning.yml +++ b/.github/workflows/cve-scanning.yml @@ -25,15 +25,12 @@ permissions: jobs: build: runs-on: ubuntu-latest - strategy: - matrix: - node-version: [20] steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Use Node.js ${{ matrix.node-version }} + - name: Use Node.js 22 uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 with: - node-version: ${{ matrix.node-version }} + node-version: 22 - run: npm install @@ -44,8 +41,12 @@ jobs: working-directory: website - run: npx --yes auditjs ossi --whitelist allow-list.json -u ${{ secrets.OSS_INDEX_USERNAME }} -p ${{ secrets.OSS_INDEX_TOKEN }} - if: success() || failure() + env: + HAS_SECRET: ${{ secrets.OSS_INDEX_USERNAME != '' }} + if: (success() || failure()) && env.HAS_SECRET == 'true' - run: npx --yes auditjs ossi --whitelist ../allow-list.json -u ${{ secrets.OSS_INDEX_USERNAME }} -p ${{ secrets.OSS_INDEX_TOKEN }} working-directory: website - if: success() || failure() + env: + HAS_SECRET: ${{ secrets.OSS_INDEX_USERNAME != '' }} + if: (success() || failure()) && env.HAS_SECRET == 'true' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2ada3d0a8..40236d53c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
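Review bot: With `use_oidc: true` dropped, the job's `id-token: write` removed in the previous hunk, and no `token:` input added to `codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4`, the upload now relies on tokenless mode. As far as I know, tokenless uploads in codecov-action v4 are rate-limited and intended mainly for pull requests from forks, so uploads from pushes to main may be throttled or rejected — please confirm this is intended. If it is not, either restore the OIDC pair or add `with:` / `token: ${{ secrets.CODECOV_TOKEN }}` (secret name is a placeholder). Note also that v4 is older than the v6 it replaces, so the chosen pin is worth double-checking against the release actually intended.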
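Review bot: The new `HAS_SECRET` guard tests only `secrets.OSS_INDEX_USERNAME`, but the `run` line it gates also consumes `secrets.OSS_INDEX_TOKEN`; if only the username is configured the step still runs and auditjs fails on authentication instead of being skipped. Gate on both values: `HAS_SECRET: ${{ secrets.OSS_INDEX_USERNAME != '' && secrets.OSS_INDEX_TOKEN != '' }}`. The env/if pair is duplicated verbatim on the two steps; declaring `HAS_SECRET` once under a job-level `env:` and keeping only the `if:` on each step removes the duplication. Separately, the unchanged `run` lines still interpolate both secrets into the shell command via `-u`/`-p`, where they are visible in process listings and shell tracing — passing them through `env` and referencing `$OSS_INDEX_USERNAME`/`$OSS_INDEX_TOKEN` in the command is the safer form, though that is pre-existing rather than introduced here.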
@@ -19,12 +19,12 @@ jobs: publish_tag: ${{ steps.version.outputs.publish_tag }} steps: - name: Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Configure Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: 20 + node-version: 22 - name: Install dependencies run: npm ci @@ -66,7 +66,7 @@ jobs: ls -1 *.tgz - name: Upload packed artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: npm-tarballs path: | @@ -80,15 +80,15 @@ jobs: needs: build_and_pack steps: - name: Download packed artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: npm-tarballs path: ./dist-tarballs - name: Configure Node for npmjs.org - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: 20 + node-version: 22 registry-url: https://registry.npmjs.org always-auth: true @@ -111,15 +111,15 @@ jobs: needs: build_and_pack steps: - name: Download packed artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: npm-tarballs path: ./dist-tarballs - name: Configure Node for GitHub Packages - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: 20 + node-version: 22 registry-url: https://npm.pkg.github.com scope: '@finos' always-auth: true diff --git a/README.md b/README.md index df6ad9304..0c4da1896 100755 --- a/README.md +++ b/README.md 
@@ -12,6 +12,7 @@ [![Slack](https://img.shields.io/badge/slack-@finos/fdc3-green.svg?logo=slack)](https://finos-lf.slack.com/messages/fdc3/) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/6579/badge)](https://bestpractices.coreinfrastructure.org/projects/6579) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/finos/FDC3/badge)](https://scorecard.dev/viewer/?uri=github.com/finos/FDC3) +[![Codecov](https://codecov.io/gh/finos/FDC3/branch/main/graph/badge.svg)](https://codecov.io/gh/finos/FDC3) ## What Is It?