cleanup and publishing

Author: brianLoomis

.github/workflows/archived/sonar-ip-range-restricted.yml

@@ -0,0 +1,15 @@
+
+  # IP-RANGE-CONTROLLED no longer works... probably needs IP range refresh, cannot get throughto api.sonar
+  # SonarQube:
+  #   runs-on: ip-range-controlled
+  #   steps:
+  #   - uses: actions/checkout@v4
+  #     with:
+  #       fetch-depth: 0
+    
+  #   - name: SonarQube Scan
+  #     uses: sonarsource/sonarqube-scan-action@v5.1.0
+  #     continue-on-error: true
+  #     env:
+  #       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+  #       SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

.github/workflows/ci-main-pull-request.yml

@@ -475,13 +475,14 @@ jobs:
   # #
   # ################################################################################################################
 
+  # TODO: comment this out until we check with security on org secrets usage in public repos
   Sonar-SAST-public:
     name: 'PUBLIC Sonar SAST scan'
     needs: ci-build
     if: ${{ inputs.perform-sonarqube-sca-scan == true && success() && inputs.visibility == 'public'}}
     uses: chef/common-github-actions/.github/workflows/sonarqube-public-repo.yml@main
     secrets: inherit
-    permissions: # Must change the job token permissions to use JWT auth
+    permissions:
       id-token: write
       contents: read
     with:
@@ -507,6 +508,9 @@ jobs:
     needs: ci-build
     uses: chef/common-github-actions/.github/workflows/sonarqube-private-repo.yml@main
     secrets: inherit
+    permissions:
+      id-token: write
+      contents: read
     with:
       perform-build: ${{ inputs.perform-sonar-build }}
       build-profile: ${{ inputs.build-profile }}
@@ -530,6 +534,9 @@ jobs:
     needs: ci-build
     uses: chef/common-github-actions/.github/workflows/sonarqube-internal-repo.yml@main
     secrets: inherit
+    permissions:
+      id-token: write
+      contents: read
     with:
       perform-build: ${{ inputs.perform-sonar-build }}
       build-profile: ${{ inputs.build-profile }}

.github/workflows/sonarqube-internal-repo.yml

@@ -78,6 +78,9 @@ jobs:
       
   SonarQube:
     runs-on: ubuntu-latest-4-cores
+    permissions: 
+      id-token: write
+      contents: read
     steps:
     - name: checkout
       if: ${{ inputs.perform-build == true && inputs.visibility == 'internal' }}

.github/workflows/sonarqube-private-repo.yml

@@ -75,6 +75,9 @@ jobs:
       
   SonarQube:
     runs-on: ubuntu-latest-4-cores
+    permissions: 
+      id-token: write
+      contents: read
     steps:
     - name: Checkout
       if: ${{ inputs.visibility == 'private' }}

.github/workflows/sonarqube-public-repo.yml

@@ -78,7 +78,7 @@ jobs:
 
   SonarQube:
     runs-on: ubuntu-latest
-    permissions: # Must change the job token permissions to use JWT auth
+    permissions: 
       id-token: write
       contents: read
 
@@ -88,17 +88,15 @@ jobs:
       with:
         fetch-depth: 0
 
-# from Confluence, with @latest version of the action
+    # from Confluence, with @latest version of the action
     # - name: Prepare Secrets and Login into Azure
     #   id: get-aad-secret
     #   uses: 'prgs-community/githubactions-reusableworkflow-sonarqube/.github/actions/azure-login@latest'
     #   with:
     #     akeyless-access-id: '${{ secrets.AKEYLESS_JWT_ID }}'
 
-    # Use @{ver} to select the version of the action. "latest" tag is also available for latest version.
     - name: Prepare Secrets and Login into Azure
       id: get-aad-secret
-# uses: 'prgs-community/githubactions-reusableworkflow-sonarqube/.github/actions/azure-login@0.8'
       uses: 'chef/common-github-actions/.github/actions/azure-login@main'
       with:
         akeyless-access-id: '${{ secrets.AKEYLESS_JWT_ID }}'
@@ -117,7 +115,6 @@ jobs:
     - name: SonarQube Scan
       if: ${{ inputs.visibility == 'public' }}
       uses: sonarsource/sonarqube-scan-action@v5.1.0
-      # Confluence uses old version: SonarSource/sonarqube-scan-action@v2.0.1
       continue-on-error: true
       env:
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
@@ -135,7 +132,6 @@ jobs:
       run: |
           az logout
 
-
 #TODO: Test adding Irfan's quality reporting stage inline here after sonar run (https://github.com/Progress-I360/github-action-reporting)
 # PRODUCT_NAME = [Chef360 | Courier | Inspec] @main removed
     # - name: Run SonarQube report generation
@@ -156,19 +152,4 @@ jobs:
     #     PRODUCT_NAME: ${{ inputs.quality-product-name }}
     #     TESTING_TYPE: ${{ inputs.quality-testing-type }}
     #     SERVICE_NAME: ${{ inputs.quality-service-name }}
-    #     JUNIT_REPORT: ${{ inputs.quality-junit-report }}
-
-  # IP-RANGE-CONTROLLED no longer works... probably needs IP range refresh, cannot get throughto api.sonar
-  # SonarQube:
-  #   runs-on: ip-range-controlled
-  #   steps:
-  #   - uses: actions/checkout@v4
-  #     with:
-  #       fetch-depth: 0
-    
-  #   - name: SonarQube Scan
-  #     uses: sonarsource/sonarqube-scan-action@v5.1.0
-  #     continue-on-error: true
-  #     env:
-  #       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-  #       SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+    #     JUNIT_REPORT: ${{ inputs.quality-junit-report }}

.github/workflows/stubs/ci-main-pull-request-stub-trufflehog-only.yml

@@ -13,6 +13,9 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 env:
   STUB_VERSION: "1.0.0" 
 
@@ -28,6 +31,10 @@ jobs:
   call-ci-main-pr-check-pipeline:
     uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
     secrets: inherit
+    permissions: 
+      id-token: write
+      contents: read
+    
     with:   
       visibility: ${{ github.event.repository.visibility }} 
 

.github/workflows/stubs/ci-main-pull-request-stub.yml

@@ -13,6 +13,9 @@ on:
 
   workflow_dispatch:
 
+permissions:
+  contents: read
+  
 env:
   STUB_VERSION: "1.0.0" 
 
@@ -28,6 +31,10 @@ jobs:
   call-ci-main-pr-check-pipeline:
     uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
     secrets: inherit
+    permissions: 
+      id-token: write
+      contents: read
+    
     with:   
       visibility: ${{ github.event.repository.visibility }}