From e6e09c9984800898fadb0e47cffee455847d388b Mon Sep 17 00:00:00 2001
From: "pleo-file-distributor[bot]" <114988919+pleo-file-distributor[bot]@users.noreply.github.com>
Date: Wed, 1 May 2024 11:47:26 +0000
Subject: [PATCH] chore(ci-deps): Update files based on repository configuration
---
 .github/workflows/close-stale-prs.yaml | 36 +++++
 .github/workflows/codeql-analysis.yaml | 174 +++++++++++++++++++++++++
 .github/workflows/pr-help.yaml | 42 ++++++
 3 files changed, 252 insertions(+)
 create mode 100644 .github/workflows/close-stale-prs.yaml
 create mode 100644 .github/workflows/codeql-analysis.yaml
 create mode 100644 .github/workflows/pr-help.yaml
diff --git a/.github/workflows/close-stale-prs.yaml b/.github/workflows/close-stale-prs.yaml
new file mode 100644
index 0000000..64cb720
--- /dev/null
+++ b/.github/workflows/close-stale-prs.yaml
@@ -0,0 +1,36 @@
+# THIS CODE WAS AUTOGENERATED. DO NOT MODIFY THIS FILE DIRECTLY
+# THE SOURCE CODE LIVES IN A DIFFERENT REPOSITORY:
+# - centralized-templates
+# FILE STEWARD: @pleo-io/team-devx,@pleo-bot-auto-approver
+
+# Warn and later close PRs that have had no activity for a specified amount of time.
+# This reminds us that code in most cases only provide value once merged.
+
+name: "Close Stale PRs"
+on:
+ schedule:
+ - cron: "0 9,16 * * *"
+
+jobs:
+ stale:
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+ steps:
+ - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # v9.0.0
+ with:
+ stale-pr-label: stale
+ exempt-pr-labels: never-stale,dependencies
+ stale-pr-message: |
+ This PR is marked as stale since it has been open for 30 days with no activity.
+
+ Remove the stale label or make a comment, otherwise the PR will be closed in 7 days.
+ close-pr-message: "This PR was closed because it has been stale for 7 days with no activity."
+ days-before-issue-stale: -1
+ days-before-pr-stale: 30
+ days-before-issue-close: -1
+ days-before-pr-close: 7
+ start-date: "2023-01-12"
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
new file mode 100644
index 0000000..7f643c2
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yaml
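Review bot: The stale job's `permissions:` block grants `contents: write`, which is more than the actions/stale step in this hunk needs; that scope is only used by the action's `delete-branch` option, which this configuration does not enable, while labelling and closing PRs is covered by `issues: write` and `pull-requests: write`. Dropping the line, or reducing it to `contents: read`, keeps the scheduled job's GITHUB_TOKEN least-privilege. The header states the file is distributed from centralized-templates, so the change belongs in that template rather than in this repository's copy.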
@@ -0,0 +1,174 @@
+# THIS CODE WAS AUTOGENERATED. DO NOT MODIFY THIS FILE DIRECTLY
+# THE SOURCE CODE LIVES IN A DIFFERENT REPOSITORY:
+# - centralized-templates
+# FILE STEWARD: @pleo-io/security
+
+name: CodeQL Analysis
+
+on:
+ push:
+ branches:
+ - main
+ - master
+ - develop
+ pull_request:
+ branches:
+ - main
+ - master
+ - develop
+
+env:
+ language_Kotlin: "java"
+ language_Java: "java"
+ language_Go: "go"
+ language_Python: "python"
+ language_JavaScript: "javascript"
+ language_TypeScript: "javascript"
+ WORKING_LANGUAGE: ""
+ CONFIG_FILE: ""
+ RUN_ON_DEFAULT_BRANCH: true
+ GRADLE_SCRIPT_PATH: ./gradlew
+ setWizCliDepsScanPath: .
+ setWizCliDepsPolicy: Pleo-Default-vulnerabilities-policy
+
+jobs:
+ preflight:
+ name: Determine if CodeQL should run
+ runs-on: ubuntu-latest
+ outputs:
+ should_run_analyze: ${{ steps.maybe_skip_analyze.outputs.should_run_analyze }}
+ working_language: ${{steps.working_language_step.outputs.WORKING_LANGUAGE}}
+ steps:
+ - uses: winterjung/split@a211a1c46e35fcdc4097d59dd6282d4a9859651b # v2
+ id: split
+ with:
+ msg: ${{ github.repository }}
+ separator: "/"
+ - id: get_default_branch
+ name: Determine our default branch
+ uses: octokit/request-action@v2.x
+ with:
+ route: GET /repos/{owner}/{repo}
+ owner: ${{ github.repository_owner }}
+ repo: ${{ steps.split.outputs._1 }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - id: set_default_branch
+ name: Set our default branch
+ run: echo "DEFAULT_BRANCH=${{ fromJson(steps.get_default_branch.outputs.data).default_branch }}" >> "$GITHUB_ENV"
+ - id: maybe_skip_analyze
+ name: Check if analyze should run
+ shell: bash
+ run: |
+ if [[ "${{ env.RUN_ON_DEFAULT_BRANCH }}" == "false" && "${{ github.ref }}" == "refs/heads/${{ env.DEFAULT_BRANCH }}" && "${{ github.event_name }}" == "push" ]]; then
+ echo "Skipping CodeQL analysis on main branch due to configuration"
+ echo "should_run_analyze=false" >> "$GITHUB_OUTPUT"
+ else
+ echo "Running CodeQL analysis"
+ echo 
"should_run_analyze=true" >> "$GITHUB_OUTPUT"
+ fi
+ - id: working_language_step
+ name: We check if the repository language is supported by CodeQL
+ run: echo "WORKING_LANGUAGE=${{env[format('language_{0}', github.event.repository.language)]}}" >> "$GITHUB_OUTPUT"
+
+ wiz-cli:
+ name: Scan Dependencies with Wiz CLI
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ shell: bash
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+
+ - name: Check latest version of Wiz CLI
+ id: version_check
+ run: |
+ raw_output=$(curl -sL https://wizcli.app.wiz.io/latest/wizcli-version)
+ LATEST_VERSION=$(echo "$raw_output" | grep -oP '"\K[^-]*' | head -1)
+ COMPLETE_VERSION=$(echo "$raw_output" | grep -oP '(?<=").*?(?=")')
+ echo "version=$LATEST_VERSION" >> "$GITHUB_OUTPUT"
+ echo "complete_version=$COMPLETE_VERSION" >> "$GITHUB_OUTPUT"
+
+ - name: Cache Wiz CLI
+ uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
+ id: cache_wizcli
+ with:
+ path: wizcli-${{ steps.version_check.outputs.version }}
+ key: wizcli-${{ steps.version_check.outputs.version }}
+
+ - name: Download Wiz CLI
+ if: steps.cache_wizcli.outputs.cache-hit != 'true'
+ run: curl -o wizcli-${{ steps.version_check.outputs.version }} https://wizcli.app.wiz.io/${{ steps.version_check.outputs.complete_version }}/wizcli && chmod +x wizcli-${{ steps.version_check.outputs.version }}
+
+ - name: Authenticate to Wiz
+ env:
+ WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
+ WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
+ run: ./wizcli-${{ steps.version_check.outputs.version }} auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"
+
+ - name: Run wiz CLI Dependency Scan
+ run: ./wizcli-${{ steps.version_check.outputs.version }} dir scan --path "${{ env.setWizCliDepsScanPath }}" --policy "${{ env.setWizCliDepsPolicy }}"
+
+ analyze-code:
+ name: Analyze code with CodeQL
+ if: ${{ (needs.preflight.outputs.should_run_analyze == 'true') && 
(needs.preflight.outputs.working_language != '')}}
+ needs:
+ - preflight
+ - wiz-cli
+ runs-on: codeql-runner
+ timeout-minutes: 30
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4
+ - name: Set Working Language
+ run: echo "WORKING_LANGUAGE=${{needs.preflight.outputs.working_language}}" >> "$GITHUB_ENV"
+ # Set up a JDK environment for building, testing and releasing.
+ - name: Set up JDK 17
+ uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+ if: ${{ env.WORKING_LANGUAGE == 'java' }}
+ with:
+ java-version: 17
+ distribution: temurin
+
+ # Allow caching Gradle executions to further speed up CI/CD steps invoking Gradle.
+ - name: Setup Gradle
+ uses: gradle/actions/setup-gradle@db19848a5fa7950289d3668fb053140cf3028d43 # v3.3.2
+ if: ${{ env.WORKING_LANGUAGE == 'java' }}
+ with:
+ gradle-version: wrapper
+ cache-read-only: true
+
+ # Set up a Node environment for JS/TS/Node client generation.
+ - name: Set up Node 20
+ uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
+ if: ${{ env.WORKING_LANGUAGE == 'javascript' }}
+ with:
+ node-version: 20
+
+ # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
+ with:
+ languages: ${{ github.event.repository.language }}
+ ram: 4096
+ queries: security-and-quality
+ tools: latest
+ config-file: ${{ env.CONFIG_FILE }}
+
+ - name: Gradle Build
+ run: ${{ env.GRADLE_SCRIPT_PATH }} classes testClasses --stacktrace -Dorg.gradle.jvmargs=-Xmx4g -Dorg.gradle.parallel=true
+ if: ${{ env.WORKING_LANGUAGE == 'java' }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
+ GRADLE_READ_KEY: ${{ secrets.GH_REGISTRY_GRADLE_TOKEN }}
+ JOB_RUNR_REPO_PASSWORD: ${{ secrets.JOB_RUNR_REPO_PASSWORD }}
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
+ with:
+ ram: 4096
diff --git a/.github/workflows/pr-help.yaml b/.github/workflows/pr-help.yaml
new file mode 100644
index 0000000..43dbf79
--- /dev/null
+++ b/.github/workflows/pr-help.yaml
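Review bot: The preflight job pins `winterjung/split` to a commit but references `octokit/request-action@v2.x`, a floating tag, and both steps exist only to look up the default branch that the push and pull_request payloads already carry; the `set_default_branch` step can read `run: echo "DEFAULT_BRANCH=${{ github.event.repository.default_branch }}" >> "$GITHUB_ENV"` directly, which lets the split and request steps go and removes the job's only GITHUB_TOKEN use. In the wiz-cli job, the `Download Wiz CLI` step runs `curl -o` without `-f`, so an HTTP error body is written to the file, made executable with `chmod +x` and then handed the Wiz client credentials in the next step; `curl -fsSL -o …` fails fast, and verifying the binary against a vendor-published checksum, if one is available (placeholder `<expected-sha256>` via `sha256sum -c`), would establish its integrity before it sees `WIZ_CLIENT_SECRET`. Neither preflight nor wiz-cli declares `permissions:`, so both run with the repository's default token scope; `permissions: contents: read` on each (wiz-cli only checks out code) would match the explicit block analyze-code already has. The header says the source lives in centralized-templates, so these fixes belong there.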
@@ -0,0 +1,42 @@
+# THIS CODE WAS AUTOGENERATED. DO NOT MODIFY THIS FILE DIRECTLY
+# THE SOURCE CODE LIVES IN A DIFFERENT REPOSITORY:
+# - centralized-templates
+# FILE STEWARD: @pleo-io/team-devx,@pleo-bot-auto-approver
+
+name: Check PR
+on:
+ pull_request:
+ types:
+ - assigned
+ - unassigned
+ - labeled
+ - unlabeled
+ - opened
+ - edited
+ - closed
+ - reopened
+ - synchronize
+ - ready_for_review
+ - locked
+ - unlocked
+ - review_requested
+ - review_request_removed
+
+concurrency:
+ group: ci-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+env:
+ autoApproveEnabled: true
+
+jobs:
+ auto-approve-pr:
+ runs-on: ubuntu-latest
+ name: Auto-approve PR
+ if: ${{ contains(fromJSON('["pleo-bot-renovate", "pleo-file-distributor[bot]"]'), github.actor) && contains(github.event.pull_request.labels.*.name, 'autoapprove') }}
+ steps:
+ - uses: hmarr/auto-approve-action@v3
+ if: env.autoApproveEnabled == 'true'
+ with:
+ github-token: ${{ secrets.PLEO_BOT_AUTO_APPROVER_TOKEN }}
+ review-message: "This has been auto-approved by @pleo-bot-auto-approver. If your PR isn't being auto-merged as desired, make sure to add @pleo-bot-auto-approver to the CODEOWNERS file. More details how to use Renovate [here](https://www.notion.so/pleo/How-to-use-Renovate-781e4861200744c6b38d3efd8c6d525a?pvs=4)"
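Review bot: `hmarr/auto-approve-action@v3` is referenced by a mutable tag while every other action in this patch is pinned to a commit SHA, and this is the step that runs with `PLEO_BOT_AUTO_APPROVER_TOKEN`, a credential able to approve pull requests, so a moved tag would have the most impact here; pin it as `uses: hmarr/auto-approve-action@<commit-sha> # v3`. The auto-approve-pr job also sets no `permissions:`, and because it authenticates with its own secret rather than GITHUB_TOKEN, `permissions: {}` would keep the default token out of the job entirely. The gate compares `github.actor`, the user who triggered the event, not the PR author: a `synchronize` event pushed by a human is rejected, but a later bot-triggered event on the same PR would approve whatever the branch then contains, so it is worth confirming that is intended or adding a check on `github.event.pull_request.user.login` alongside it. The header says the source lives in centralized-templates, so the change belongs there.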