From 8e1c2c36c2fdc9fc63d7bb501db9876a1a79d56e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 27 Oct 2025 19:49:09 +0000
Subject: [PATCH 1/2] Bump github/codeql-action from 4.30.9 to 4.31.0
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.30.9 to 4.31.0.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/16140ae1a102900babc80a33c44059580f687047...4e94bd11f71e507f7f87df81788dff88d1dacbfb)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-version: 4.31.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot]
---
.github/workflows/codeql.yml | 4 ++--
.github/workflows/scorecard.yml | 2 +-
.github/workflows/security.yml | 6 +++---
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index b967e69..6c7d6a0 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -71,7 +71,7 @@ jobs:
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
- uses: github/codeql-action/init@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+ uses: github/codeql-action/init@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
@@ -99,6 +99,6 @@ jobs:
exit 1
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+ uses: github/codeql-action/analyze@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
with:
category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 3cb0b3e..436fa65 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -76,6 +76,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard (optional).
# Commenting out will disable upload of results to your repo's Code Scanning dashboard
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+ uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
with:
sarif_file: results.sarif
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index ea5045a..35f95fa 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -38,7 +38,7 @@ jobs:
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+ uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
with:
sarif_file: 'trivy-results.sarif'
@@ -64,7 +64,7 @@ jobs:
args: --output.sarif.path=golangci-lint-results.sarif
- name: Upload golangci-lint results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+ uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
with:
sarif_file: golangci-lint-results.sarif
@@ -108,6 +108,6 @@ jobs:
- name: Upload govulncheck results to GitHub Security tab
if: ${{ steps.PrintSarif.outputs.hasResults == 'true' }}
- uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4.30.9
+ uses: github/codeql-action/upload-sarif@4e94bd11f71e507f7f87df81788dff88d1dacbfb # v4.31.0
with:
sarif_file: govulncheck-results.sarif
From 16d777839bb1fbddf37c6755b39cda4838bd6b87 Mon Sep 17 00:00:00 2001
From: Alexander Adam
Date: Sat, 1 Nov 2025 11:23:57 +0100
Subject: [PATCH 2/2] Refactored GitHub workflows for consistent formatting
- Converted inline arrays to multi-line lists for `branches` and `types`.
- Indented steps and blocks consistently across workflows.
- Applied formatting changes to improve readability and maintainability of workflow files.
Signed-off-by: Alexander Adam
---
.github/workflows/codeql.yml | 6 +-
.github/workflows/compliance.yml | 174 ++++++++++++------------
.github/workflows/dependency-review.yml | 3 +-
.github/workflows/release.yml | 142 +++++++++----------
.github/workflows/scorecard.yml | 3 +-
5 files changed, 166 insertions(+), 162 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 6c7d6a0..fcbc89a 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -16,9 +16,11 @@ name: "CodeQL"
on:
push:
- branches: [ "master" ]
+ branches:
+ - master
pull_request:
- branches: [ "master" ]
+ branches:
+ - master
schedule:
- cron: '28 4 * * 2'
diff --git a/.github/workflows/compliance.yml b/.github/workflows/compliance.yml
index 8b58d8d..1d56c53 100644
--- a/.github/workflows/compliance.yml
+++ b/.github/workflows/compliance.yml
@@ -4,11 +4,11 @@ name: Compliance Checks
on:
- push:
- branches:
+ push:
+ branches:
- master
- pull_request:
- branches:
+ pull_request:
+ branches:
- master
concurrency:
@@ -37,82 +37,82 @@ jobs:
CheckSignedOffCommit:
if: >
- github.event_name == 'push' &&
- !contains(github.actor, '[bot]') &&
- !contains(github.event.pusher.name, '[bot]') &&
- github.event.pusher.name != 'web-flow'
+ github.event_name == 'push' &&
+ !contains(github.actor, '[bot]') &&
+ !contains(github.event.pusher.name, '[bot]') &&
+ github.event.pusher.name != 'web-flow'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- - name: Harden Runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
- with:
- egress-policy: audit
-
- - name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- with:
- fetch-depth: 0
-
- - name: Determine pushed commits
- id: range
- run: |
- set -euo pipefail
-
- # Use GitHub-provided SHAs to build the range for this push
- BEFORE="${{ github.event.before }}"
- AFTER="${{ github.sha }}"
-
- if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
- then
- # New branch or force push without previous SHA
- git rev-list --no-merges "$AFTER" > shas.txt
- else
- git rev-list --no-merges "$BEFORE".."$AFTER" > shas.txt
- fi
-
- - name: Check for Signed-off-by
- run: |
- set -euo pipefail
- missing=""
-
- while read -r sha
- do
- [ -n "$sha" ] || continue
-
- # Skip commits from bots
- committer_name=`git log --format=%cn -n 1 "$sha"`
- committer_email=`git log --format=%ce -n 1 "$sha"`
- if echo "$committer_name" | grep -Fq '[bot]' \
- || [ "$committer_name" = "web-flow" ] \
- || echo "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$'
- then
- echo "Skipping commit $sha from $committer_name <$committer_email>"
- continue
- fi
-
- msg=`git log --format=%B -n 1 "$sha"`
-
- if
printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
- then
- echo "Commit $sha missing Signed-off-by"
- missing="true"
-
- echo "Committer name: $committer_name"
- echo "Committer email: $committer_email"
- echo "github.actor: ${{ github.actor }}"
- echo "github.event.pusher.name: ${{ github.event.pusher.name }}"
- fi
- done < shas.txt
-
- if [ "$missing" = "true" ]
- then
- echo "DCO check failed on push"
- exit 1
- fi
-
- echo "All pushed commits are signed"
+ - name: Harden Runner
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ fetch-depth: 0
+
+ - name: Determine pushed commits
+ id: range
+ run: |
+ set -euo pipefail
+
+ # Use GitHub-provided SHAs to build the range for this push
+ BEFORE="${{ github.event.before }}"
+ AFTER="${{ github.sha }}"
+
+ if [ "$BEFORE" = "0000000000000000000000000000000000000000" ]
+ then
+ # New branch or force push without previous SHA
+ git rev-list --no-merges "$AFTER" > shas.txt
+ else
+ git rev-list --no-merges "$BEFORE".."$AFTER" > shas.txt
+ fi
+
+ - name: Check for Signed-off-by
+ run: |
+ set -euo pipefail
+ missing=""
+
+ while read -r sha
+ do
+ [ -n "$sha" ] || continue
+
+ # Skip commits from bots
+ committer_name=`git log --format=%cn -n 1 "$sha"`
+ committer_email=`git log --format=%ce -n 1 "$sha"`
+ if echo "$committer_name" | grep -Fq '[bot]' \
+ || [ "$committer_name" = "web-flow" ] \
+ || echo "$committer_email" | grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$'
+ then
+ echo "Skipping commit $sha from $committer_name <$committer_email>"
+ continue
+ fi
+
+ msg=`git log --format=%B -n 1 "$sha"`
+
+ if
printf '%s' "$msg" | grep -Eqi '^[[:space:]]*Signed[- ]off[- ]by:'
+ then
+ echo "Commit $sha missing Signed-off-by"
+ missing="true"
+
+ echo "Committer name: $committer_name"
+ echo "Committer email: $committer_email"
+ echo "github.actor: ${{ github.actor }}"
+ echo "github.event.pusher.name: ${{ github.event.pusher.name }}"
+ fi
+ done < shas.txt
+
+ if [ "$missing" = "true" ]
+ then
+ echo "DCO check failed on push"
+ exit 1
+ fi
+
+ echo "All pushed commits are signed"
CheckSignedOffPullRequest:
if: github.event_name == 'pull_request' && !contains(github.event.pull_request.labels.*.name, 'bypass-dco')
@@ -124,25 +124,25 @@ jobs:
- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
- egress-policy: audit
+ egress-policy: audit
- name: Checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
- fetch-depth: 0
+ fetch-depth: 0
- name: Get PR commits
env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
- set -euo pipefail
- gh --version
- jq --version
-
- # Fetch all commits of the PR with pagination and extract SHAs
- gh api -H "Accept: application/vnd.github+json" --paginate \
- repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
- | jq -r '.[].sha' > shas.txt
+ set -euo pipefail
+ gh --version
+ jq --version
+
+ # Fetch all commits of the PR with pagination and extract SHAs
+ gh api -H "Accept: application/vnd.github+json" --paginate \
+ repos/${{ github.repository }}/pulls/${{ github.event.pull_request.number }}/commits \
+ | jq -r '.[].sha' > shas.txt
- name: Check for Signed-off-by
run: |
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index f411468..d1a130d 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
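Review bot: In the "Check for Signed-off-by" step of hunk `@@ -37,82 +37,82 @@`, the committer-email skip `grep -Eqi 'noreply@github\.com$|@users\.noreply\.github\.com$'` also matches `@users.noreply.github.com`, which is the privacy address any GitHub user can configure for local commits, so a human-authored commit with that committer email is skipped by the DCO check even though the comment says "Skip commits from bots". The `web-flow` name check already covers GitHub-UI commits, and the `[bot]` name check covers app commits, so if the intent is bots only the email alternative can be narrowed to `|| echo "$committer_email" | grep -Eqi 'noreply@github\.com$'`. The same skip logic presumably exists in the pull-request job ("Check for Signed-off-by" after hunk `@@ -124,25 +124,25 @@`), whose body lies outside this diff — verify it matches. This is pre-existing behaviour re-indented by the commit, not introduced by it.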
@@ -10,7 +10,8 @@
#
# Source repository: https://github.com/actions/dependency-review-action
name: 'Dependency Review'
-on: [pull_request]
+on:
+ - pull_request
permissions:
contents: read
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f70da6f..80d7815 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,7 +6,7 @@ name: Release
on:
release:
types:
- - published
+ - published
permissions: read-all
@@ -20,36 +20,36 @@ jobs:
contents: write
runs-on: ubuntu-latest
steps:
- - name: Harden Runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
- with:
- egress-policy: audit
-
- - name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- with:
- fetch-depth: 0
- ref: ${{ github.event.release.tag_name }}
-
- - name: Generate source archive
- shell: bash
- run: |
- set -euo pipefail
-
- TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'`
- git archive \
- --format=tar.gz \
- --prefix="dmorph-src-${TAG}/" \
- --output="dmorph-src-${TAG}.tar.gz" \
- "${{ github.event.release.tag_name }}"
-
- - name: Upload Release (via GitHub CLI)
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- shell: bash
- run: |
- set -euo pipefail
- gh release upload "${{ github.event.release.tag_name }}" dmorph-src-*.tar.gz --clobber
+ - name: Harden Runner
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.release.tag_name }}
+
+ - name: Generate source archive
+ shell: bash
+ run: |
+ set -euo pipefail
+
+ TAG=`echo "${{ github.event.release.tag_name }}" | sed 's/\//-/g'`
+ git archive \
+ --format=tar.gz \
+ --prefix="dmorph-src-${TAG}/" \
+ --output="dmorph-src-${TAG}.tar.gz" \
+ "${{ github.event.release.tag_name }}"
+
+ - name: Upload Release (via GitHub CLI)
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ shell: bash
+ run: |
+ set -euo pipefail
+ gh release upload "${{ github.event.release.tag_name }}" dmorph-src-*.tar.gz --clobber
ChecksumReleaseAssets:
needs: Build
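Review bot: The "Generate source archive" and "Upload Release (via GitHub CLI)" steps in hunk `@@ -20,36 +20,36 @@` interpolate `${{ github.event.release.tag_name }}` directly into `run:` scripts; the runner substitutes the expression into the script text before bash parses it, so the surrounding double quotes do not protect against a tag name containing shell syntax, and this job runs with `contents: write` and the `GITHUB_TOKEN`. Exposure is limited to whoever can create releases, but the standard mitigation is cheap: pass the value through the step's `env:` block and reference the variable, e.g. `env:` / `TAG_NAME: ${{ github.event.release.tag_name }}` on the step and `TAG=$(printf '%s' "$TAG_NAME" | sed 's/\//-/g')` in the script, with `"$TAG_NAME"` replacing the two other inline expansions. The `gh release download "${{ github.event.release.tag_name }}"` line in hunk `@@ -58,46 +58,46 @@` has the same shape and should get the same treatment. `ref: ${{ github.event.release.tag_name }}` under `with:` is an action input, not shell, and is fine as written.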
@@ -58,46 +58,46 @@ jobs:
outputs:
hashBase64File: ${{ steps.hashes.outputs.handle }}
steps:
- - name: Harden Runner
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
- with:
- egress-policy: audit
-
- - name: Checkout
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- with:
- fetch-depth: 1
-
- - name: Download all release assets via GitHub CLI
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: |
- set -euo pipefail
-
- mkdir -p release-assets
- cd release-assets
- # gets all assets of the release
- gh release download "${{ github.event.release.tag_name }}" --clobber
- echo "Downloaded assets:"
- ls -lah
-
- - name: Generate Checksums
- working-directory: release-assets
- run: |
- set -euo pipefail
-
- # Robustly hash all regular files in this directory, then base64 and write via tee.
- LC_ALL=C find . -maxdepth 1 -type f -printf '%P\0' \
- | sort -z \
- | xargs -0 sha256sum -- \
- | base64 -w0 \
- > check.sha256
-
- - name: Upload Checksums
- id: hashes
- uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # 2.1.0
- with:
- path: release-assets/check.sha256
+ - name: Harden Runner
+ uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+ with:
+ egress-policy: audit
+
+ - name: Checkout
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ fetch-depth: 1
+
+ - name: Download all release assets via GitHub CLI
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ set -euo pipefail
+
+ mkdir -p release-assets
+ cd release-assets
+ # gets all assets of the release
+ gh release download "${{ github.event.release.tag_name }}" --clobber
+ echo "Downloaded assets:"
+ ls -lah
+
+ - name: Generate Checksums
+ working-directory: release-assets
+ run: |
+ set -euo pipefail
+
+ # Robustly hash all regular files in this directory, then base64 and
write via tee.
+ LC_ALL=C find . -maxdepth 1 -type f -printf '%P\0' \
+ | sort -z \
+ | xargs -0 sha256sum -- \
+ | base64 -w0 \
+ > check.sha256
+
+ - name: Upload Checksums
+ id: hashes
+ uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # 2.1.0
+ with:
+ path: release-assets/check.sha256
AssetProvenance:
permissions:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 436fa65..b339f6f 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -15,7 +15,8 @@ on:
schedule:
- cron: '36 3 * * 2'
push:
- branches: [ "master" ]
+ branches:
+ - master
# Declare default permissions as read-only.
permissions: read-all
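Review bot: The comment in the "Generate Checksums" step of hunk `@@ -58,46 +58,46 @@` says the result is written "via tee", but the pipeline ends in a plain redirect `> check.sha256`, so the comment no longer describes the code; since this file is what the SLSA subjects are derived from, the comment should state exactly what goes into it: `# Hash every regular file in this directory (NUL-delimited, sorted under LC_ALL=C for a stable order), base64-encode the sha256sum output on one line, and write it to check.sha256.`. Note also that `check.sha256` is itself created inside `release-assets`, so it is excluded from the hash set only because `find` runs before the redirect creates the file — a one-line comment stating that ordering would save the next reader from assuming the file hashes itself. The `ChecksumReleaseAssets` job continues past the hunk (`AssetProvenance:` is only context).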