**REMINDER** **IMPORTANT** **ACTION REQUIRED** Migration of ubuntu-latest label to platform-eng-ent-v2-dual #108

Open: wants to merge 82 commits into base: main
82 commits
b30f5f7 use self hosted runner on platform for testing (#33) (thepoppingone, Feb 9, 2023)
f32fed8 Update README.md (thepoppingone, Feb 9, 2023)
0ae6396 Upgrade tfsec sarif action to silence warning set outputs (#34) (thepoppingone, Feb 9, 2023)
871f0d8 remove token input (#35) (thepoppingone, Feb 9, 2023)
84c3e02 Update README.md (thepoppingone, Feb 9, 2023)
5bc9925 Allow usage of both self-hosted and cloud runners on v2 (#38) (thepoppingone, Feb 10, 2023)
5c9d5f7 Make main branch the main branch again and do proper tagging from her… (thepoppingone, Feb 13, 2023)
34412a4 add dockerhub token (#41) (thepoppingone, Feb 13, 2023)
3ec6b4b Only run docker login if credentials are provided via secrets (#42) (thepoppingone, Feb 13, 2023)
741596b Cache TFLint plugins and use authenticated API calls (#43) (lawliet89, Feb 14, 2023)
ad13f46 Refactor to run only against changed files (#44) (thepoppingone, Feb 27, 2023)
4471457 Fix merge group (#45) (thepoppingone, Feb 27, 2023)
52ffd70 Remove mistaken all files (#46) (thepoppingone, Feb 27, 2023)
82c54b2 revert to working copy (#48) (thepoppingone, Feb 27, 2023)
5bad83e Allow pre-commit checks run during PRs and Merge Group event to be ju… (thepoppingone, Feb 28, 2023)
a14460c Update terraform.yaml (#51) (thepoppingone, Mar 1, 2023)
d2e00db Fix fork PR errors (#52) (thepoppingone, Mar 2, 2023)
3c18343 Update fortify-android.yaml (thepoppingone, Mar 14, 2023)
fe249b9 Add check for self hosted runners to install nodejs (#53) (thepoppingone, Mar 29, 2023)
9a6ef51 Fix TF lint need node requirement for self hosted runners (thepoppingone, Mar 30, 2023)
cc8b1c5 Skip tflint errors by default (thepoppingone, Apr 5, 2023)
ba509bf new flag to make sure precommit skipping for changed files are enforced (thepoppingone, Apr 5, 2023)
ba588bd Update terraform.yaml (thepoppingone, Apr 5, 2023)
98d06d3 Add pre-init hook for linting step too (lawliet89, Apr 11, 2023)
9217084 Update terraform.yaml (thepoppingone, Apr 13, 2023)
f1043e8 Update terraform.yaml (thepoppingone, Apr 13, 2023)
91b3abd use updated secrets for android repo (thepoppingone, Apr 13, 2023)
6a3537d Remove actionlint yaml file (thepoppingone, Apr 14, 2023)
7831e2f fix secret declaration (thepoppingone, Apr 14, 2023)
1d9a549 Add trivy scan (#54) (anuborah, Apr 14, 2023)
1146d1f Add trivy scan (#55) (anuborah, Apr 18, 2023)
14a864a remove docker login creds on workflow level (thepoppingone, Apr 20, 2023)
2bb94d5 Use manual init (thepoppingone, Apr 21, 2023)
37f937e shift setup node upwards (thepoppingone, Apr 21, 2023)
2c50533 Remove manual init (thepoppingone, Apr 21, 2023)
442c5c1 add github security alerts issue create in JIRA (#56) (uchinda-sph, Apr 21, 2023)
0b434d1 Add trivy scan (#57) (anuborah, Apr 27, 2023)
f5d676f update to correct branch name (thepoppingone, Apr 27, 2023)
c00a26f update to correct branch name (thepoppingone, Apr 27, 2023)
ff85bfb PFMENG-843 : Add newrelic deployment marker (#58) (smoneyan, May 8, 2023)
bdb0fff Add helm install step to terraform ci (#59) (santhoshratala, May 10, 2023)
40f5615 Add helm install step in ci/linting (#60) (santhoshratala, May 11, 2023)
b020753 Enable authenticated req to increase rate limit (#63) (niroz89, Jun 7, 2023)
1cca7b2 Fix for checkov external modules (thepoppingone, Jun 16, 2023)
802638e fix spacing issue (thepoppingone, Jun 16, 2023)
1afdff7 Update terraform.yaml (#61) (thepoppingone, Jun 27, 2023)
e644675 hotfix wrong python version (thepoppingone, Jun 27, 2023)
a6a0541 test composite action (#65) (thepoppingone, Jun 27, 2023)
3fbbbf9 Test github action token as secrets (thepoppingone, Jun 27, 2023)
ab1ffdc chore: update pre-commit hooks (#67) (github-actions[bot], Jun 27, 2023)
1fa979b Fix all checkov failing due to new TF module rule (thepoppingone, Jun 27, 2023)
9ea90cd fix the filter parameter issue on tflint version (#68) (uchinda-sph, Jul 4, 2023)
0d50a36 Add skip path in checkov (#69) (smoneyan, Jul 10, 2023)
26e4e9f Use LTS node 18 (#70) (thepoppingone, Aug 17, 2023)
8a1b51e Pin tfsec version to v1.28.1 (#71) force merge to fix running workflows (thepoppingone, Sep 8, 2023)
7a6fe7e Remove shellcheck from tf format checks (#72) (thepoppingone, Sep 13, 2023)
65350c2 Remove tfsec pin, it's fixed (#75) (niroz89, Sep 18, 2023)
a117b94 add sonarqube workflow (#73) (hong-yi, Sep 20, 2023)
8c40013 chore: update pre-commit hooks (#76) (github-actions[bot], Sep 26, 2023)
82b4aca Temp force fix for terraform crash error (thepoppingone, Oct 5, 2023)
676da8c force pin TF to 1.5.7 (thepoppingone, Oct 5, 2023)
039b92e chore: update pre-commit hooks (#77) (github-actions[bot], Oct 28, 2023)
5b37482 Update autoupdate-pre-commit.yaml (thepoppingone, Oct 30, 2023)
fefbeec Add trivy scan to replace tfsec (#78) (thepoppingone, Oct 30, 2023)
071d6fd Remove duplicate tfsec (#80) (thepoppingone, Oct 30, 2023)
d943fb7 use latest TF version (#81) (thepoppingone, Nov 10, 2023)
2eb3035 patch last tf version (thepoppingone, Nov 10, 2023)
10494e2 Update aqua-security.yaml (#83) (sphmuthuraman, Apr 9, 2024)
539dbf7 PFMENG-1806 : Add option to skip framework in checkov (#84) (smoneyan, Apr 25, 2024)
ff3fcb1 PFMENG-1807 : Use checkov diff & Upgrade actions (#85) (smoneyan, May 2, 2024)
e2027d8 disable trivy sarif upload (#86) (zodilib, May 2, 2024)
40f81b0 Fix trivy scan and update (#88) (zodilib, May 9, 2024)
17f7082 revert fs to config and remove exit-code (#93) (zodilib, May 15, 2024)
94d66a1 Add CKV_TF_2 to the default ignored list in checkov (#94) (smoneyan, May 16, 2024)
2888843 Bump tflint ver (#96) (wayne-root, May 29, 2024)
5b1c150 update trivy (#97) (zodilib, Jun 24, 2024)
71451b5 [CIRDEVOPS-2553] Adds parameters to debug trivy issues (#99) (paul-ylz, Jul 3, 2024)
2880814 update GitHub Security Alerts for JIRA workflow (#103) (uchinda-sph, Aug 7, 2024)
1eb4e7e switch to enable only format and validate (#105) (zodilib, Oct 9, 2024)
e096b31 [PFMENG-2716] fix v2 for dualstack (zodilib, Feb 6, 2025)
7f32b91 [PFMENG-2854] Use enterprise runner for newrelic deployment marker jo… (paul-ylz, Feb 26, 2025)
3335e45 [PFMENG-2831] migrate ubuntu-latest to gha dualstack runners (zodilib, Mar 11, 2025)
5 changes: 0 additions & 5 deletions .github/actionlint.yaml

This file was deleted.

3 changes: 3 additions & 0 deletions .github/workflows/actionlint.yaml
@@ -0,0 +1,3 @@
self-hosted-runner:
labels:
- platform-eng-ent-v2-dual
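Review bot: the `self-hosted-runner` label list is being written to `.github/workflows/actionlint.yaml`, but actionlint only reads its configuration from `.github/actionlint.yaml` (or `.github/actionlint.yml`), which is exactly the file this PR deletes, so the `platform-eng-ent-v2-dual` label will still be reported as an unknown runner label. Any `.yaml` file under `.github/workflows/` is also parsed by GitHub Actions as a workflow, and this one has no `on:` or `jobs:` keys, so it will show up as an invalid workflow in the Actions tab. Keep the config at `.github/actionlint.yaml` and update the `labels` list there instead of moving the file.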
27 changes: 27 additions & 0 deletions .github/workflows/advisor.yml
@@ -0,0 +1,27 @@
name: Permissions Advisor

permissions:
actions: read

on:
workflow_dispatch:
inputs:
#checkov:skip=CKV_GHA_7 allow user input for testing
name:
description: 'The name of the workflow file to analyze'
required: true
type: string
count:
description: 'How many last runs to analyze'
required: false
type: string
default: 10

jobs:
advisor:
runs-on: ubuntu-latest
steps:
- uses: GitHubSecurityLab/actions-permissions/advisor@v1
with:
name: ${{ inputs.name }}
count: ${{ inputs.count }}
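Review bot: `runs-on: ubuntu-latest` on the `advisor` job contradicts the purpose of this PR (migrating `ubuntu-latest` to `platform-eng-ent-v2-dual`); either move it to the new label or state in the file why this workflow is exempt. Two smaller points in the same hunk: `count` is declared `type: string` but given the numeric default `10`, so use `type: number` or quote the default as `'10'`; and `GitHubSecurityLab/actions-permissions/advisor@v1` is referenced by a mutable tag, so pin it to a commit SHA as for any third-party action.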
174 changes: 174 additions & 0 deletions .github/workflows/aqua-security.yaml
@@ -0,0 +1,174 @@
name: 'Trivy Aqua Security Scan for Docker and ECR Reusable workflow'

on:
workflow_call:
inputs:
docker_file:
description: Name of the dockerfile
type: string
default: ./Dockerfile
required: false
docker_tag_name:
description: Provide the docker tag names
type: string
default: ''
required: false
docker_file_context:
description: Docker File Context
type: string
default: .
required: false
docker_tag_version:
description: Provide the docker tag names
type: string
default: 'latest'
required: false
docker_build_args:
description: "Multi-Line list of build args with key value"
type: string
required: false
default: ''
ecr_image_name:
description: ECR repo image to scan
type: string
required: false
ecr_tag_version:
description: ECR repo tag version to scan
type: string
required: false
default: 'latest'
aws_account_id:
description: "AWS account ID"
type: string
required: false
default: ''
aws_account_region:
description: "AWS account region"
type: string
required: false
default: ''
aws_iam_role_arn:
description: "AWS ARN IAM Role"
type: string
required: false
default: ''
trivy_format:
description: "Trivy format to log out the scan"
type: string
default: 'table'
required: false
upload_to_codeql:
description: "Upload SARIF to CodeQL"
type: boolean
default: false
required: false
default_runner_override_label:
description: "Change this to 'self-hosted' or 'ubuntu-latest'"
type: string
default: "ubuntu-latest"
required: false
runner_label:
description: "Runner label to point to self hosted runners"
type: string
default: "ubuntu-latest"
required: false
scan_type:
description: "Scan Type to be scanned"
type: string
default: 'docker'
required: false
scan_reference:
description: "Scan reference(e.g. /github/workspace/ or .)"
type: string
default: "."
required: false
skip_directories:
description: "Comma separated list of directories where traversal is skipped"
type: string
default: ""
required: false
secrets:
OAUTH_TOKEN:
description: Github Token for accessing other dependency private repo
required: false

jobs:
trivy-scan:
runs-on:
- ${{ inputs.default_runner_override_label }}
- ${{ inputs.runner_label }}
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set Variable
id: set-vars
run: |
if [ "${{ inputs.docker_tag_name }}" != "" ]; then
echo "file_output=trivy-results-docker.sarif" >> "$GITHUB_OUTPUT"
elif [ "${{ inputs.ecr_image_name }}" != "" ] && [ "${{ inputs.aws_account_id }}" != "" ]; then
echo "file_output=trivy-results-ecr.sarif" >> "$GITHUB_OUTPUT"
else
echo "file_output=trivy-results-fs.sarif" >> "$GITHUB_OUTPUT"
fi
shell: bash

- name: Configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-skip-session-tagging: true
role-to-assume: ${{ inputs.aws_iam_role_arn }}
role-session-name: gh-actions
aws-region: ${{ inputs.aws_account_region }}
if: ${{ (inputs.docker_tag_name =='') && (inputs.ecr_image_name !='') }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ inputs.aws_account_id }}.dkr.ecr.${{ inputs.aws_account_region }}.amazonaws.com/${{ inputs.ecr_image_name}}:${{ inputs.ecr_tag_version }}
format: ${{ inputs.trivy_format }}
output: ${{ inputs.upload_to_codeql && steps.set-vars.outputs.file_output || '' }}
if: ${{ (inputs.docker_tag_name =='') && (inputs.ecr_image_name !='') && (inputs.aws_account_id != '') }}

- name: Docker Build and Push
uses: docker/build-push-action@v6
with:
context: ${{ inputs.docker_file_context }}
file: ${{ inputs.docker_file }}
tags: ${{ inputs.docker_tag_name }}:${{ inputs.docker_tag_version }}
build-args: |
GITHUB_OAUTH_TOKEN=${{ secrets.OAUTH_TOKEN }}
${{ inputs.docker_build_args }}
push: false
if: ${{ inputs.docker_tag_name !='' }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ inputs.docker_tag_name }}:${{ inputs.docker_tag_version }}
format: ${{ inputs.trivy_format }}
output: ${{ inputs.upload_to_codeql && steps.set-vars.outputs.file_output || '' }}
ignore-unfixed: false
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM'
if: ${{ inputs.docker_tag_name !='' }}

- name: Run Trivy vulnerability scanner for Github Repo
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: ${{ inputs.scan_reference }}
ignore-unfixed: false
format: ${{ inputs.trivy_format }}
output: ${{ inputs.upload_to_codeql && steps.set-vars.outputs.file_output || '' }}
severity: 'HIGH,CRITICAL,MEDIUM'
skip-dirs: ${{ inputs.skip_directories }}
if: ${{ inputs.scan_type == 'fs' }}

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.set-vars.outputs.file_output }}
if: ${{ inputs.upload_to_codeql }}
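Review bot: the `trivy-scan` job grants only `contents: read`, but the final `github/codeql-action/upload-sarif` step needs `security-events: write` (and `actions: read` if the repository is private), so every run with `upload_to_codeql: true` will fail at the upload step with a permissions error; add those scopes to the job's `permissions` block. Other points in this hunk: the three Trivy steps use `aquasecurity/trivy-action@master`, a moving branch, and `github/codeql-action/upload-sarif@v2` is deprecated in favour of `v3`, so pin both to a tagged release or SHA. `default_runner_override_label` and `runner_label` still default to `ubuntu-latest`, which this PR is meant to retire. In `Docker Build and Push`, passing `secrets.OAUTH_TOKEN` through `build-args` leaves the token visible in the image metadata (`docker history` shows build args), so prefer the `secrets:` input of `docker/build-push-action` together with `RUN --mount=type=secret` in the Dockerfile. Finally, the `Set Variable` step interpolates `${{ inputs.docker_tag_name }}` and friends directly into bash; pass them via `env:` and reference `"$DOCKER_TAG_NAME"` so the shell never sees an unquoted expression.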
24 changes: 24 additions & 0 deletions .github/workflows/autoupdate-pre-commit.yaml
@@ -0,0 +1,24 @@
name: Pre-commit auto-update

on:
# every sunday at midnight
schedule:
- cron: "0 0 * * 0"
# on demand
workflow_dispatch:

# Request from Org admin to allow Github Action workflow to make PR under Settings > Actions > General
permissions:
actions: read
checks: read
contents: write #require this to write to repo
pull-requests: write #require this to create PR

jobs:
auto-update:
runs-on: ubuntu-latest
steps:
- uses: SPHTech-Platform/gha-pre-commit-autoupdate@main
name: Update pre-commit config automatically
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
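Review bot: `runs-on: ubuntu-latest` in the `auto-update` job is left untouched by a PR whose title is the migration away from that label; confirm whether this scheduled job is meant to stay on hosted runners. This job also holds `contents: write` and `pull-requests: write` while running `SPHTech-Platform/gha-pre-commit-autoupdate@main`, a moving branch reference; an action that runs with write access to the repository should be pinned to a tag or commit SHA.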
29 changes: 22 additions & 7 deletions .github/workflows/fortify-android.yaml
@@ -5,9 +5,12 @@ on:
SSC_CI_TOKEN:
description: 'CIToken for service account'
required: true
PAT_TOKEN:
PACKAGE_READ_TOKEN:
description: 'User PAT Token - to be removed'
required: false
PACKAGE_READ_USERNAME:
description: 'User name of package user'
required: false
inputs:
APPLICATION:
description: 'Application Name'
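Review bot: the secret is renamed from `PAT_TOKEN` to `PACKAGE_READ_TOKEN` but its description still reads 'User PAT Token - to be removed'; update it to say what the token grants (package read) and drop the 'to be removed' wording if this is now the intended mechanism. Every caller of this reusable workflow must also be updated at the same time: both new secrets are `required: false`, so a caller that still passes `PAT_TOKEN` will fail with an undefined-secret error rather than a clear message, and one that passes nothing will silently run without credentials.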
@@ -31,17 +34,25 @@ on:
type: string
required: false
default: "app_bt"
default_runner_override_label:
description: Change this to "self-hosted" or "ubuntu-latest"
type: string
default: "ubuntu-latest"
runner_label:
description: Runner label to point to self hosted runners
type: string
default: "ubuntu-latest"

jobs:
FortifySourceAnalyzerAndroid:
timeout-minutes: 120
runs-on:
- self-hosted
- fortify-android
- ${{ inputs.default_runner_override_label }}
- ${{ inputs.runner_label }}
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
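Review bot: `runs-on` switches from the fixed `self-hosted` + `fortify-android` labels to two inputs whose defaults are both `ubuntu-latest`, yet the job still depends on a prepared machine: `sdk.dir=/opt/android` and `/opt/Fortify/bin/` on `PATH` (a few lines further down in this file) exist only on the Fortify Android runner. A caller that accepts the defaults will land on a hosted runner without `sourceanalyzer` and fail late in the translation step; default `runner_label` to `fortify-android` or make both inputs required. Neither input declares `required`, so the defaults are what will be used in practice.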
@@ -56,15 +67,19 @@ jobs:
run: |
{
echo "sdk.dir=/opt/android"
echo "GITHUB_USERNAME=$GITHUB_ACTOR"
echo "GITHUB_TOKEN=${{ secrets.PAT_TOKEN }}"
echo "GITHUB_TOKEN=${{ secrets.PACKAGE_READ_TOKEN }}"
echo "GITHUB_USERNAME=${{ secrets.PACKAGE_READ_USERNAME }}"
} >> ./local.properties
sourceanalyzer -b "$BUILD_ID" -clean
env:
BUILD_ID: ${{ inputs.BUILD_ID }}
PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/opt/Fortify/bin/
# cat ./local.properties

# Legacy reference
# echo "GITHUB_USERNAME=$GITHUB_ACTOR"
# echo "GITHUB_TOKEN=${{ secrets.PAT_TOKEN }}"

### Start Fortify Translation ###
- name: Translate Code for Android Fortify Scan
run: sourceanalyzer -b "$BUILD_ID" -gradle -verbose -debug -logfile "${BUILD_ID}_trans.log" ./gradlew ":${BUILD_PREFIX}:${BUILD_ID}" -Pdisable-plugins -x test -x lint
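Review bot: the 'Legacy reference' block keeps `echo "GITHUB_TOKEN=${{ secrets.PAT_TOKEN }}"` as a comment even though `PAT_TOKEN` is no longer a declared secret of this workflow; delete it rather than leaving dead code that invites being re-enabled. The commented `# cat ./local.properties` is riskier: uncommenting it for debugging would print `PACKAGE_READ_TOKEN` into the job log, and log masking is best-effort, so remove that line too. Writing the token into `./local.properties` also leaves a plaintext credential in the workspace for the rest of the job, which is worth a comment if it cannot be avoided.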
@@ -96,7 +111,7 @@ jobs:

### Clean up of build folder
- name: Save sourceanalyzer Logs
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v4
if: failure()
with:
name: scancentral-logs
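Review bot: bumping `actions/upload-artifact` from v2 to v4 is a breaking change, not a drop-in: v4 artifacts cannot be read by `actions/download-artifact@v3` or earlier, and uploading twice to the same artifact name (`scancentral-logs`) within one workflow run now fails instead of merging. Check whether anything downloads `scancentral-logs` with an older download-artifact, or uploads under that name more than once per run, and give each upload a unique name if so.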
5 changes: 3 additions & 2 deletions .github/workflows/fortify-sarif-export.yaml
@@ -41,13 +41,14 @@ jobs:
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
- name: Setup Java
uses: actions/setup-java@v1
uses: actions/setup-java@v4
with:
distribution: zulu
java-version: 11
# Pull SAST issues from Fortify on Demand and generate GitHub-optimized SARIF output
- name: Export Results
7 changes: 4 additions & 3 deletions .github/workflows/fortify.yaml
@@ -54,7 +54,7 @@ jobs:
steps:
# Check out source code
- name: Check Out Source Code
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
# Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
fetch-depth: 2
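Review bot: `actions/checkout@v4` (and `actions/setup-java@v4` in the next hunk) are Node 20 actions, whereas the v3 and v1 versions being replaced ran on older Node; this job's `runs-on` is outside the hunk, but if it targets a self-hosted Fortify runner, verify that runner has Node 20 available before merging, otherwise the checkout step itself will fail to start.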
@@ -66,8 +66,9 @@ jobs:
# Java version to use depends on the Java version required to run your build (if any),
# and the Java version supported by the ScanCentral Client version that you are running
- name: Setup Java
uses: actions/setup-java@v1
uses: actions/setup-java@v4
with:
distribution: zulu
java-version: 11

### Set up Fortify ScanCentral Client ###
@@ -93,7 +94,7 @@ jobs:

### Archive ScanCentral Client logs on failure ###
- name: Save ScanCentral Logs
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v4
if: failure()
with:
name: scancentral-logs
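Review bot: same v2-to-v4 break as the matching hunk in fortify-android.yaml: `scancentral-logs` must be uploaded at most once per run and any consumer must use `actions/download-artifact@v4`; the `if: failure()` gating is unchanged and fine.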