
Commit 28da9b5

authored
Release (#28)
1 parent 2a9996d commit 28da9b5

177 files changed

Lines changed: 12929 additions & 346 deletions


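--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,49 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+- package-ecosystem: "nuget"
+target-branch: "develop"
+directory: "/source"
+groups:
+major-minor-patch:
+applies-to: version-updates
+update-types:
+- "major"
+- "minor"
+- "patch"
+schedule:
+interval: "weekly"
+cooldown:
+default-days: 3
+
+- package-ecosystem: "docker"
+target-branch: "develop"
+directory: "/source/AAS.TwinEngine.Plugin.RelationalDatabase"
+groups:
+major-minor-patch:
+applies-to: version-updates
+update-types:
+- "major"
+- "minor"
+- "patch"
+schedule:
+interval: "daily"
+
+- package-ecosystem: "github-actions"
+target-branch: "develop"
+directory: "/"
+groups:
+major-minor-patch:
+applies-to: version-updates
+update-types:
+- "major"
+- "minor"
+- "patch"
+schedule:
+interval: "weekly"
+cooldown:
+default-days: 3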
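Review bot: The docker entry (`- package-ecosystem: "docker"`, checked `daily`) is the only one of the three without a `cooldown` block, so a freshly published base-image tag is proposed immediately while nuget and github-actions updates wait `default-days: 3`; the base image ends up inside the shipped container, so it deserves at least the same grace period that lets upstream retract a bad or compromised tag before it is adopted. I would add `cooldown:` / `default-days: 3` after its `schedule` block, as the other two entries do. Separately, all three entries set `target-branch: "develop"`; as far as I recall Dependabot opens security updates only against the repository's default branch, so if `main` is the default it is worth confirming that `develop` still receives the vulnerability-driven bumps this configuration seems to expect.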

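--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,100 @@
+name: "CodeQL Advanced"
+
+on:
+push:
+branches:
+- 'main'
+- 'develop'
+- 'release/**'
+- 'hotfix/**'
+pull_request:
+branches:
+- 'main'
+- 'develop'
+- 'release/**'
+- 'hotfix/**'
+schedule:
+- cron: '30 19 * * 0'
+
+permissions: read-all
+
+jobs:
+analyze:
+name: Analyze (${{ matrix.language }})
+# Runner size impacts CodeQL analysis time. To learn more, please see:
+# - https://gh.io/recommended-hardware-resources-for-running-codeql
+# - https://gh.io/supported-runners-and-hardware-resources
+# - https://gh.io/using-larger-runners (GitHub.com only)
+# Consider using larger runners or machines with greater resources for possible analysis time improvements.
+runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+permissions:
+# required for all workflows
+security-events: write
+
+# required to fetch internal or private CodeQL packs
+packages: read
+
+# only required for workflows in private repositories
+actions: read
+contents: read
+
+strategy:
+fail-fast: false
+matrix:
+include:
+- language: actions
+build-mode: none
+- language: csharp
+build-mode: none
+# CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+# Use `c-cpp` to analyze code written in C, C++ or both
+# Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+# Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+# To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+# If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+steps:
+- name: Checkout repository
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+# Add any setup steps before running the `github/codeql-action/init` action.
+# This includes steps like installing compilers or runtimes (`actions/setup-node`
+# or others). This is typically only required for manual builds.
+# - name: Setup runtime (example)
+# uses: actions/setup-example@v1
+
+# Initializes the CodeQL tools for scanning.
+- name: Initialize CodeQL
+uses: github/codeql-action/init@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
+with:
+languages: ${{ matrix.language }}
+build-mode: ${{ matrix.build-mode }}
+# If you wish to specify custom queries, you can do so here or in a config file.
+# By default, queries listed here will override any specified in a config file.
+# Prefix the list here with "+" to use these queries and those in the config file.
+
+# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+# queries: security-extended,security-and-quality
+
+# If the analyze step fails for one of the languages you are analyzing with
+# "We were unable to automatically build your code", modify the matrix above
+# to set the build mode to "manual" for that language. Then modify this step
+# to build your code.
+# ℹ️ Command-line programs to run using the OS shell.
+# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+- name: Run manual build steps
+if: matrix.build-mode == 'manual'
+shell: bash
+run: |
+echo 'If you are using a "manual" build mode for one or more of the' \
+'languages you are analyzing, replace this with the commands to build' \
+'your code, for example:'
+echo ' make bootstrap'
+echo ' make release'
+exit 1
+
+- name: Perform CodeQL Analysis
+uses: github/codeql-action/analyze@1b168cd39490f61582a9beae412bb7057a6b2c4e # v4.31.8
+with:
+category: "/language:${{matrix.language}}"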
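Review bot: The `queries:` setting under the init step is left as the template comment (`# queries: security-extended,security-and-quality`), so the csharp analysis runs only the default suite; given that this commit also wires up dependency review and Trivy, the one-line change I would make here is `queries: security-extended` so the broader security queries run on the same schedule. The `Run manual build steps` step and the swift branch of the `runs-on` expression can never trigger with a matrix of `actions` and `csharp` at `build-mode: none`, so they are template leftovers; either drop them or keep a short comment saying they are placeholders for a future compiled-build entry. The top-level `permissions: read-all` plus the explicit job-level grants, and the SHA-pinned actions with version comments, are the right pattern and need no change.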
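--- a/PATH-NOT-SHOWN-IN-SOURCE
+++ b/PATH-NOT-SHOWN-IN-SOURCE
@@ -0,0 +1,99 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable
+# packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
+name: 'Dependency review'
+on:
+pull_request:
+branches:
+- 'main'
+- 'develop'
+- 'release/**'
+- 'hotfix/**'
+
+# If using a dependency submission action in this workflow this permission will need to be set to:
+#
+# permissions:
+# contents: write
+#
+# https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api
+permissions:
+contents: read
+# Write permissions for pull-requests are required for using the `comment-summary-in-pr` option, comment out if you aren't using this option
+pull-requests: write
+
+jobs:
+dependency-review:
+runs-on: ubuntu-latest
+steps:
+- name: 'Checkout repository'
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+- name: 'Dependency Review'
+uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2
+# Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
+with:
+retry-on-snapshot-warnings: true
+retry-on-snapshot-warnings-timeout: 60
+warn-on-openssf-scorecard-level: 5
+comment-summary-in-pr: always
+allow-dependencies-licenses: |
+pkg:nuget/AasCore.Aas3_0,
+pkg:nuget/AasCore.Aas3.Package
+allow-licenses: |
+Apache-1.0,
+Apache-1.1,
+Apache-2.0,
+BSL-1.0,
+BSD-1-Clause,
+BSD-2-Clause,
+BSD-2-Clause-FreeBSD,
+BSD-2-Clause-NetBSD,
+BSD-3-Clause,
+BSD-3-Clause-Clear,
+BSD-3-Clause-No-Nuclear-License,
+BSD-3-Clause-No-Nuclear-License-2014,
+BSD-3-Clause-No-Nuclear-Warranty,
+BSD-3-Clause-Open-MPI,
+BSD-4-Clause,
+BSD-Protection,
+BSD-Source-Code,
+BSD-3-Clause-Attribution,
+0BSD,
+BSD-2-Clause-Patent,
+BSD-4-Clause-UC,
+MIT-CMU,
+CC-BY-3.0,
+CC-BY-SA-1.0,
+CC-BY-SA-2.0,
+CC-BY-SA-2.5,
+CC-BY-SA-3.0,
+CC-BY-SA-4.0,
+CC0-1.0,
+WTFPL,
+MIT-enna,
+MIT-feh,
+ISC,
+JSON,
+BSD-3-Clause-LBNL,
+MITNFA,
+MIT,
+MIT-0,
+UPL-1.0,
+NCSA,
+X11,
+Xerox,
+BlueOak-1.0.0,
+CC-BY-4.0,
+MS-PL,
+PostgreSQL,
+Python-2.0,
+SSPL-1.0,
+OFL-1.1,
+Unlicense,
+Unicode-DFS-2016,
+Unicode-3.0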
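Review bot: The `allow-licenses` list is effectively the repository's licence policy, and it admits entries that are unusual in an allow-list: `SSPL-1.0` is source-available rather than OSI-approved, `WTFPL` carries no warranty disclaimer, and the `CC-BY-SA-*` family is share-alike; if these were not deliberately approved they should be removed, and a comment above the list naming who approved the policy would help the next reviewer. `fail-on-severity` is not set, so the action gates on its own default threshold; stating it explicitly (`fail-on-severity: low`) documents the intended gate instead of relying on the action's default. Both lists use `|` block scalars with a comma at each line end, which hands the action a string with embedded newlines — the action appears to split on commas and trim, but `>-` would give it a plain comma-separated line and is worth confirming against the action's parsing. The file header for this section is not shown, so the workflow's path is unknown here.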
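--- a/PATH-NOT-SHOWN-IN-SOURCE
+++ b/PATH-NOT-SHOWN-IN-SOURCE
@@ -0,0 +1,124 @@
+name: Docker
+
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+on:
+workflow_dispatch:
+push:
+branches:
+- 'develop'
+- 'release/**'
+- 'hotfix/**'
+# Publish semver tags as releases.
+tags: [ 'v**' ]
+pull_request:
+branches:
+- 'main'
+- 'develop'
+- 'release/**'
+- 'hotfix/**'
+
+permissions:
+contents: read
+
+env:
+# Use docker.io for Docker Hub if empty
+REGISTRY: ghcr.io
+IMAGE_NAME: ${{ github.repository_owner }}/plugindpp
+DOCKERFILE_PATH: source/AAS.TwinEngine.Plugin.RelationalDatabase/Dockerfile
+BUILD_CONTEXT: source
+
+
+jobs:
+build:
+
+runs-on: ubuntu-latest
+permissions:
+contents: read
+packages: write
+
+steps:
+- name: Checkout repository
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+# Set up BuildKit Docker container builder to be able to build
+# multi-platform images and export cache
+# https://github.com/docker/setup-buildx-action
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+# Login against a Docker registry except on PR
+# https://github.com/docker/login-action
+- name: Log into registry ${{ env.REGISTRY }}
+if: github.event_name != 'pull_request'
+uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+with:
+registry: ${{ env.REGISTRY }}
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+# Extract metadata (tags, labels) for Docker
+# https://github.com/docker/metadata-action
+- name: Extract Docker metadata
+id: meta
+uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+with:
+images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+flavor: |
+latest=false
+tags: |
+type=semver,pattern={{raw}}
+type=raw,value=develop-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/develop')}}
+type=raw,value=rc-{{branch}}-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/release/')}}
+type=raw,value={{branch}}-{{sha}},enable=${{startsWith(github.ref, 'refs/heads/hotfix/')}}
+type=ref,event=pr
+type=raw,value=manual-{{branch}}-{{sha}},enable=${{github.event_name == 'workflow_dispatch'}}
+
+# Build and push Docker image with Buildx (don't push on PR)
+# https://github.com/docker/build-push-action
+- name: Build and push Docker image
+id: build-and-push
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+with:
+sbom: true
+provenance: mode=max
+context: ${{ env.BUILD_CONTEXT }}
+file: ${{ env.DOCKERFILE_PATH }}
+push: ${{ github.event_name != 'pull_request' }}
+tags: ${{ steps.meta.outputs.tags }}
+labels: ${{ steps.meta.outputs.labels }}
+cache-from: type=gha
+cache-to: type=gha,mode=max
+
+# Extract the pure application SBOM from the artifact stage, we want to handle it separately from the container SBOM
+# This automaticaly re-uses the previously generated stage from cache, so we get the exact sbom from previous build step
+- name: Export Application SBOM from artifact stage
+if: ${{ github.event_name != 'pull_request' }}
+uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+with:
+context: ${{ env.BUILD_CONTEXT }}
+file: ${{ env.DOCKERFILE_PATH }}
+target: app-sbom-artifact
+push: false
+outputs: type=local,dest=sbom-output
+
+# Generate container SBOM.
+- name: Run Trivy in GitHub SBOM mode to generate CycloneDX SBOM for container
+if: ${{ github.event_name != 'pull_request' }}
+uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
+with:
+scan-type: 'image'
+format: 'cyclonedx'
+output: 'sbom-output/sbom_container.cyclonedx.json'
+image-ref: ${{ steps.meta.outputs.tags }}
+skip-dirs: '/App' # Skip the /app directory as we handle the content of the application in a seperate SBOM for easier vulnerability management and because trivy misses important fields
+
+- name: Upload trivy/container AND application SBOMs as a Github artifact
+if: ${{ github.event_name != 'pull_request' }}
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+with:
+name: sbom
+path: '${{ github.workspace }}/sbom-output/'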
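Review bot: `image-ref: ${{ steps.meta.outputs.tags }}` in the Trivy step passes the whole `tags` output, which metadata-action emits as a newline-separated list; whenever more than one tag rule is enabled at once — a `workflow_dispatch` run on `develop` enables both the `develop-{{sha}}` and the `manual-{{branch}}-{{sha}}` rules — the value is not a single image reference and the container SBOM step gets a malformed name. Use one reference, for example `image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}`, since the same `meta` step already exposes a `json` output. The `skip-dirs: '/App'` value also disagrees with its own comment ("/app"); container paths are case-sensitive, so if the Dockerfile places the application under `/app` the skip does nothing and the container SBOM silently duplicates the application SBOM — the Dockerfile is not in this section, so confirm the directory name and align the comment with whichever spelling is correct. The SBOMs are only uploaded as a workflow artifact; if downstream consumers are meant to verify them together with the `provenance: mode=max` attestation, attaching them to the image would be the natural next step, but that is outside this commit.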
