diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..3445efd --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,15 @@ +## Fixes + +- + +## Changes + +- + +## Checklist + +- [ ] ๐Ÿค– This change is covered by unit tests (if applicable). +- [ ] ๐Ÿคน Manual testing has been performed (if necessary). +- [ ] ๐Ÿ›ก๏ธ Security impacts have been considered (if relevant). +- [ ] ๐Ÿ“– Documentation updates are complete (if required). +- [ ] ๐Ÿง  Third-party dependencies and TPIP updated (if required). diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..b570da6 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,22 @@ +version: 2 + +registries: + npm-github: + type: npm-registry + url: https://npm.pkg.github.com + token: ${{secrets.GH_PACKAGES_TOKEN}} + +updates: + # Maintain dependencies for GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + + # Maintain dependencies for the JavaScript package + - package-ecosystem: "npm" + directory: "/" + registries: + - npm-github + schedule: + interval: "weekly" diff --git a/.github/workflows/bridge.yml b/.github/workflows/bridge.yml index 11ab656..a86d0f0 100644 --- a/.github/workflows/bridge.yml +++ b/.github/workflows/bridge.yml @@ -17,6 +17,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: tests: if: | 
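Review bot: In `.github/dependabot.yml`, the `npm` entry only watches `directory: "/"`, while the other paths touched by this commit (`bridge/`, `codegen/`) suggest the Node packages live in subdirectories; if there is no root `package.json`, those manifests will not get version or security update PRs. Consider one `npm` entry per package, e.g. `directory: "/bridge"` and `directory: "/codegen"`, each with `registries: [npm-github]`. Separately, `${{secrets.GH_PACKAGES_TOKEN}}` is resolved from the Dependabot secret store, not from Actions secrets, so it has to be defined there, and it should be a token that can only read packages. A comment above `token:` such as `# Dependabot secret (not an Actions secret); read:packages only` would record that.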
@@ -26,13 +29,18 @@ jobs: name: 'Test bridge' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Checkout csolution-rpc repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 'lts/*' diff --git a/.github/workflows/codegen.yml b/.github/workflows/codegen.yml index 690d771..bf09e63 100644 --- a/.github/workflows/codegen.yml +++ b/.github/workflows/codegen.yml @@ -21,6 +21,9 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true +permissions: + contents: read + jobs: tests: if: | @@ -30,13 +33,18 @@ jobs: name: 'Test codegen' steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Checkout csolution-rpc repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 'lts/*' @@ -59,7 +67,7 @@ jobs: path: codegen/reports/junit/testreport.xml retention-days: 1 if-no-files-found: error - + - name: Archive generated interface files uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: @@ -77,6 +85,11 @@ jobs: contents: write steps: + - name: Harden the runner (Audit all outbound calls) + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + - name: Download generated files uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 with: 
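Review bot: The `step-security/harden-runner` step added to `bridge.yml` runs with `egress-policy: audit`, which only records outbound connections and blocks none; the same holds for the steps added to both jobs in `codegen.yml` and for the new `codeql.yml`. That is a sensible first step, but the `codegen.yml` job that holds `contents: write` is where an unexpected destination would matter most, so it should be the first to move to `egress-policy: block` with an `allowed-endpoints:` list once the audit runs have given a baseline. A comment next to the setting, e.g. `# audit only for now; switch to block once the endpoint baseline is known`, would keep that intent visible. The job definitions start outside these hunks, so the other steps that need network access cannot be seen from here.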
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..e3d50c0 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,51 @@ +name: "CodeQL" + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + paths: + - '.github/workflows/codeql.yml' + - 'api/**' + - 'bridge/**' + - 'codegen/**' + - '!**/*.md' + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + checks: write + security-events: write + + steps: + - name: Harden Runner + uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Initialize CodeQL + uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + with: + languages: TypeScript + queries: security-extended + + - name: Autobuild + uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 diff --git a/api/csolution-openapi.yml b/api/csolution-openapi.yml index 4e5e97c..7fe2628 100644 --- a/api/csolution-openapi.yml +++ b/api/csolution-openapi.yml @@ -2,7 +2,7 @@ openapi: 3.1.0 info: title: csolution rpc version: 0.0.1 - description: Specification of remote procedure call methods for CMSIS csolution integration + description: Specification of remote procedure call methods for CMSIS csolution integration license: name: Apache 2.0 url: http://www.apache.org/licenses/LICENSE-2.0.html diff --git a/bridge/.vscode/launch.json b/bridge/.vscode/launch.json index 59d423f..0135bd5 100644 --- a/bridge/.vscode/launch.json +++ b/bridge/.vscode/launch.json 
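Review bot: In the new `codeql.yml`, the `analyze` job requests `checks: write`, which none of the steps shown appears to need; the CodeQL steps publish their results through `security-events: write`, so I would drop that line unless something outside this file depends on it. The `Autobuild` step can probably be removed too, since TypeScript is analysed without a build step. Both changes keep the job closer to the minimum it needs, in line with the top-level `permissions: contents: read` this commit adds.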
@@ -19,4 +19,4 @@ ] } ] -} \ No newline at end of file +} diff --git a/bridge/README.md b/bridge/README.md index bf24f25..539ebaa 100644 --- a/bridge/README.md +++ b/bridge/README.md @@ -21,4 +21,3 @@ npm run lint node dist/server.js ``` By default it listens on http://localhost:3000 - diff --git a/codegen/.vscode/launch.json b/codegen/.vscode/launch.json index 091d2e4..98a2676 100644 --- a/codegen/.vscode/launch.json +++ b/codegen/.vscode/launch.json @@ -39,4 +39,4 @@ } } ] -} \ No newline at end of file +} diff --git a/codegen/README.md b/codegen/README.md index 0b79397..fae910c 100644 --- a/codegen/README.md +++ b/codegen/README.md @@ -40,4 +40,4 @@ Options: -c, --client Generate TypeScript client interface (default: "./rpc-interface.ts") -s, --server Generate C++ server interface (default: "./RpcInterface.h") -h, --help display help for command - ``` \ No newline at end of file + ``` diff --git a/codegen/src/codegen.test.ts b/codegen/src/codegen.test.ts index 84b6afd..6993925 100644 --- a/codegen/src/codegen.test.ts +++ b/codegen/src/codegen.test.ts @@ -3,7 +3,7 @@ import {Codegen} from './codegen.js'; import fs from 'fs'; describe('codegen', () => { - let codegen: Codegen; + let codegen: Codegen; beforeEach(() => { codegen = new Codegen(); diff --git a/codegen/src/codegen.ts b/codegen/src/codegen.ts index 9c7b2f4..c1b3ab6 100644 --- a/codegen/src/codegen.ts +++ b/codegen/src/codegen.ts @@ -232,7 +232,7 @@ using namespace jsonrpccxx;\n`; this.collectStructs(parent, item); } else if (item.$ref) { const ref = item.$ref.match(/^#\/components\/schemas\/(.*)/); - this.structs[parent] ??= { description: obj.description }; + this.structs[parent] ??= { description: obj.description }; (this.structs[parent].extends ??= []).push(ref ? ref[1] : ''); } } diff --git a/csolution-rpc.code-workspace b/csolution-rpc.code-workspace index 6cefda9..5b980ac 100644 --- a/csolution-rpc.code-workspace +++ b/csolution-rpc.code-workspace 
@@ -11,4 +11,4 @@ } ], "settings": {} -} \ No newline at end of file +}