Skip to content

Commit 0ab6142

Browse files
Pull from main
1 parent 5e877af commit 0ab6142

9 files changed

Lines changed: 42 additions & 28 deletions

File tree

.github/workflows/ast-scan.yml

Lines changed: 11 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,18 +1,24 @@
11
name: Checkmarx One Scan
2-
3-
on: [ pull_request, workflow_dispatch ]
2+
on:
3+
workflow_dispatch:
4+
pull_request:
5+
push:
6+
branches:
7+
- main
8+
schedule:
9+
- cron: '00 7 * * *' # Every day at 07:00
410

511
jobs:
612
cx-scan:
7-
runs-on: ubuntu-latest
13+
runs-on: cx-public-ubuntu-x64
814
steps:
915
- name: Checkout
10-
uses: actions/checkout@v4
16+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
1117
- name: Checkmarx One CLI Action
1218
uses: checkmarx/ast-github-action@6c56658230f79c227a55120e9b24845d574d5225 #main
1319
with:
1420
base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
1521
cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
1622
cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
1723
cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
18-
additional_params: --tags phoenix --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;"
24+
additional_params: --tags sypher --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;"

.github/workflows/auto-merge-pr.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6,15 +6,15 @@ permissions:
66

77
jobs:
88
dependabot-merge:
9-
runs-on: ubuntu-latest
9+
runs-on: cx-public-ubuntu-x64
1010
if: contains(github.head_ref, 'feature/update_cli')
1111
steps:
1212
- name: Enable auto-merge for Dependabot PRs
1313
env:
1414
PR_URL: ${{github.event.pull_request.html_url}}
1515
GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }}
16-
run: gh pr merge --auto --merge "$PR_URL"
16+
run: gh pr merge --auto --squash "$PR_URL"
1717
- name: Auto approve dependabot PRs
18-
uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 #v4
18+
uses: step-security/auto-approve-action@0c28339628c8e79ab2f6813291e7e6cd584b4d30 # v4.0.0
1919
with:
20-
github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
20+
github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}

.github/workflows/ci.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@ name: Checkmarx One visual studio extension CI
22

33
on: [ pull_request, workflow_dispatch ]
44

5-
permissions: write-all
5+
permissions: {}
66

77
jobs:
88
integration-tests:
@@ -11,18 +11,18 @@ jobs:
1111
contents: write
1212
steps:
1313
- name: Fetch Sources
14-
uses: actions/checkout@v4
14+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
1515

1616
- name: Setup VSTest
1717
uses: darenm/Setup-VSTest@3a16d909a1f3bbc65b52f8270d475d905e7d3e44 #v1
1818

1919
- name: Add MSBuild to PATH
20-
uses: microsoft/setup-msbuild@1ff57057b5cfdc39105cd07a01d78e9b0ea0c14c #v1.3.1
20+
uses: step-security/setup-msbuild@f01243490939309baa8e659042bec579fa10db95 # v2.0.1
2121
with:
2222
vs-version: '17.2'
2323

2424
- name: Install .NET 6.0 Windows Desktop Runtime
25-
uses: actions/setup-dotnet@v4
25+
uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
2626
with:
2727
dotnet-version: '6.0.x'
2828
include-prerelease: false

.github/workflows/dependabot-auto-merge.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -6,12 +6,12 @@ permissions:
66

77
jobs:
88
dependabot-merge:
9-
runs-on: ubuntu-latest
9+
runs-on: cx-public-ubuntu-x64
1010
if: ${{ github.actor == 'dependabot[bot]' }}
1111
steps:
1212
- name: Dependabot metadata
1313
id: metadata
14-
uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 #v2.2.0
14+
uses: step-security/dependabot-fetch-metadata@bf8fb6e0be0a711c669dc236de6e7f7374ba626e # v3.1.0
1515
with:
1616
github-token: "${{ secrets.PERSONAL_ACCESS_TOKEN }}"
1717
- name: Enable auto-merge for Dependabot PRs
@@ -20,6 +20,6 @@ jobs:
2020
GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN }}
2121
run: gh pr merge --auto --merge "$PR_URL"
2222
- name: Auto approve dependabot PRs
23-
uses: hmarr/auto-approve-action@f0939ea97e9205ef24d872e76833fa908a770363 #v3
23+
uses: step-security/auto-approve-action@0c28339628c8e79ab2f6813291e7e6cd584b4d30 # v4.0.0
2424
with:
2525
github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}

.github/workflows/manual-tag.yml

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,12 +7,17 @@ on:
77
description: 'Next release tag'
88
required: true
99

10+
permissions:
11+
contents: read
12+
1013
jobs:
1114
tag-creation:
12-
runs-on: ubuntu-latest
15+
permissions:
16+
contents: write # for Git to git push
17+
runs-on: cx-public-ubuntu-x64
1318
steps:
1419
- name: Checkout
15-
uses: actions/checkout@v4
20+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
1621
with:
1722
token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
1823
- name: Tag

.github/workflows/nightly.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ jobs:
1515
name: Check if dependabot commits exist
1616
outputs:
1717
isDependabot: ${{ steps.check-dependabot.outputs.dependabotExists }}
18-
runs-on: ubuntu-latest
18+
runs-on: cx-public-ubuntu-x64
1919
steps:
2020
- name: Check if dependabot commits exist
2121
id: check-dependabot
@@ -24,7 +24,7 @@ jobs:
2424
run: echo "dependabotExists=$(echo $GITHUB_CONTEXT | jq '.event.commits[0].author | any(. == "dependabot[bot]")')" >> $GITHUB_OUTPUT
2525

2626
delete-tag:
27-
runs-on: ubuntu-latest
27+
runs-on: cx-public-ubuntu-x64
2828
needs: check-dependabot-commits
2929
if: ${{needs.check-dependabot-commits.outputs.isDependabot == 'false'}}
3030
steps:

.github/workflows/pr-label.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ jobs:
1010
pr-labeler:
1111
permissions:
1212
pull-requests: write # for TimonVS/pr-labeler-action to add labels in PR
13-
runs-on: ubuntu-latest
13+
runs-on: cx-public-ubuntu-x64
1414
steps:
1515
- uses: TimonVS/pr-labeler-action@f9c084306ce8b3f488a8f3ee1ccedc6da131d1af #v5
1616
with:

.github/workflows/release.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -39,12 +39,12 @@ jobs:
3939
CLI_VERSION: ${{ steps.extract_cli_version.outputs.CLI_VERSION }}
4040
steps:
4141
- name: Fetch Sources
42-
uses: actions/checkout@v4
42+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
4343
with:
4444
token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
4545

4646
- name: Add MSBuild to PATH
47-
uses: microsoft/setup-msbuild@1ff57057b5cfdc39105cd07a01d78e9b0ea0c14c #v1.3.1
47+
uses: step-security/setup-msbuild@f01243490939309baa8e659042bec579fa10db95 # v2.0.1
4848
with:
4949
vs-version: '17.2'
5050

@@ -94,7 +94,7 @@ jobs:
9494
run: msbuild .\ast-visual-studio-extension\ast-visual-studio-extension.csproj /p:Configuration=Release /p:DeployExtension=False
9595

9696
- name: Create Release
97-
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 #v0.1.15
97+
uses: step-security/action-gh-release@277bfa82abcfdb73e5bbb19e213fd76532ee2be5 # v3.0.0
9898
with:
9999
tag_name: ${{ inputs.tag }}
100100
prerelease: ${{ inputs.dev }}
@@ -117,7 +117,7 @@ jobs:
117117
# product_name: Visual Studio
118118
# release_version: ${{ inputs.tag }}
119119
# cli_release_version: ${{ needs.release.outputs.CLI_VERSION }}
120-
# release_author: "Phoenix Team"
120+
# release_author: "Sypher Team"
121121
# release_url: https://github.com/Checkmarx/ast-visual-studio-extension/releases/tag/${{ inputs.tag }}
122122
# jira_product_name: VISUAL_STUDIO
123123
# secrets: inherit

.github/workflows/update-cli.yml

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -5,11 +5,14 @@ on:
55
repository_dispatch:
66
types: [cli-version-update]
77

8+
permissions:
9+
contents: read
10+
811
jobs:
912
update-checkmarx-cli:
10-
runs-on: ubuntu-latest
13+
runs-on: cx-public-ubuntu-x64
1114
steps:
12-
- uses: actions/checkout@v4
15+
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
1316
- name: Get Latest Checkmarx API version
1417
id: checkmarx-ast-cli
1518
run: |
@@ -32,7 +35,7 @@ jobs:
3235
- name: Create Pull Request
3336
id: cretae_pull_request
3437
if: steps.checkmarx-ast-cli.outputs.current_tag != steps.checkmarx-ast-cli.outputs.release_tag
35-
uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c #v5
38+
uses: step-security/create-pull-request@50c103da2b9ca12cd5bc013fc6931051a5aa872b # v8.1.1
3639
with:
3740
token: ${{ secrets.AUTOMATION_TOKEN }}
3841
commit-message: Update checkmarx-ast-cli to ${{ steps.checkmarx-ast-cli.outputs.release_tag }}

0 commit comments

Comments
 (0)