diff --git a/.github/codeql.yml b/.github/codeql.yml
index 79584b9d..8e9947f9 100644
--- a/.github/codeql.yml
+++ b/.github/codeql.yml
@@ -6,5 +6,7 @@ paths: - src/ui - src/common paths-ignore: - - src/ui/static + - src/ui/static/tsparticles.bundle.min.js + - src/ui/static/js/utils/flatpickr.js + - src/ui/static/js/editor - src/common/core/modsecurity/files
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..a597aa37
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,31 @@
+name: CodeQL Analysis
+
+on:
+ schedule:
+ # Weekly on Saturdays.
+ - cron: "30 1 * * 6"
+ workflow_call:
+
+jobs:
+ code-security:
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["python", "javascript"]
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ config-file: ./.github/codeql.yml
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml
index 001bcc04..4d426141 100644
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml 
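Review bot: `paths-ignore` now names three specific entries under `src/ui/static` instead of the whole tree, so any other file dropped into `src/ui/static` later (presumably further vendored bundles, like the ones listed) will be scanned and can surface third-party findings unless someone remembers to add it here. A comment above the list stating the criterion would make that maintenance rule explicit, e.g. `# vendored/minified third-party assets (not project code) — extend when adding bundles`. The enclosing config file starts before this hunk.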
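Review bot: Every third-party action in the new workflow is referenced by a mutable tag (`actions/checkout@v4`, `github/codeql-action/init@v2`, `github/codeql-action/analyze@v2`), and this same commit adds the OSSF Scorecard workflow whose Pinned-Dependencies check flags exactly that; a moved or compromised tag would change what runs with `security-events: write`. Pin each `uses:` to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (placeholder, look up the SHA for the tag you intend). The same applies to `ossf/scorecard-action@v2.2.0` and `github/codeql-action/upload-sarif@v2` in the scorecards-analysis.yml hunk, and `docker/build-push-action@v5` visible as context in linux-build.yml. Separately, `github/codeql-action` has a v3 line; if it is available when this lands, moving off v2 avoids the deprecation path.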
@@ -63,45 +63,28 @@ jobs: DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} - # Python code security - code-security: - runs-on: ubuntu-latest + codeql: + uses: ./.github/workflows/codeql.yml permissions: actions: read contents: read security-events: write - strategy: - fail-fast: false - matrix: - language: ["python"] - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - config-file: ./.github/codeql.yml - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}" # UI tests tests-ui: - needs: [code-security, build-containers] + needs: [codeql, build-containers] uses: ./.github/workflows/tests-ui.yml with: RELEASE: dev tests-ui-linux: - needs: [code-security, build-packages] + needs: [codeql, build-packages] uses: ./.github/workflows/tests-ui-linux.yml with: RELEASE: dev # Core tests prepare-tests-core: - needs: [code-security, build-containers, build-packages] + needs: [codeql, build-containers, build-packages] runs-on: ubuntu-latest steps: - name: Checkout repository
diff --git a/.github/workflows/linux-build.yml b/.github/workflows/linux-build.yml
index 5352af62..e9249946 100644
--- a/.github/workflows/linux-build.yml
+++ b/.github/workflows/linux-build.yml
@@ -39,7 +39,7 @@ jobs: - name: Checkout source code uses: actions/checkout@v4 - name: Replace VERSION - if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' + if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui' run: ./misc/update-version.sh ${{ inputs.RELEASE }} - name: Extract arch run: | 
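Review bot: The replacement `codeql:` job has no heading comment, while its neighbours keep theirs (`# UI tests`, `# Core tests`) and the removed `# Python code security` line is not carried over even though the analysis now covers JavaScript as well. Add `# Code security (CodeQL: Python + JavaScript)` above `codeql:`; the same gap exists for the `codeql:` jobs added in the staging.yml and ui.yml hunks and for both `scorecards-analysis:` and `codeql:` in the release.yml hunk, where the sibling `build-containers` job is commented. The `jobs:` mapping starts before this hunk.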
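Review bot: The condition `inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'` is now duplicated verbatim in three places (this step, the second linux-build.yml hunk, and the tests-ui-linux.yml hunk), so the next release type will have to be added to each by hand and one is likely to be missed. A membership test keeps the accepted values as a single list and reads as intent rather than as a chain: `if: contains(fromJSON('["testing", "dev", "ui"]'), inputs.RELEASE)`. The steps list continues outside the hunk.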
@@ -91,7 +91,7 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} # Build testing package image - name: Build package image - if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' + if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui' uses: docker/build-push-action@v5 with: context: .
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bdf5b180..0df26a31 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,16 @@ on: branches: [master] jobs: + scorecards-analysis: + uses: ./.github/workflows/scorecards-analysis.yml + + codeql: + uses: ./.github/workflows/codeql.yml + permissions: + actions: read + contents: read + security-events: write + # Build amd64 + 386 containers images build-containers: strategy:
@@ -123,7 +133,7 @@ jobs: # Wait for all builds and extract VERSION wait-builds: runs-on: ubuntu-latest - needs: [build-containers, build-containers-arm, build-packages] + needs: [codeql, build-containers, build-containers-arm, build-packages] outputs: version: ${{ steps.getversion.outputs.version }} versionrpm: ${{ steps.getversionrpm.outputs.versionrpm }}
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
new file mode 100644
index 00000000..df2ee1a2
--- /dev/null
+++ b/.github/workflows/scorecards-analysis.yml 
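Review bot: The new `scorecards-analysis:` call passes no `permissions:` block, unlike the `codeql:` call directly below it, so the called workflow runs with whatever release.yml's default token permissions are (its top-level `permissions`, if any, is outside this hunk). The called workflow's `upload-sarif` step needs `security-events: write` and its `publish_results: true` relies on an OIDC token (`id-token: write`), and a reusable workflow can only narrow what the caller grants, never widen it, so with a read-only default the upload and publish steps would fail on every release run. Give the call the same shape as `codeql:`, with the two extra scopes the Scorecard workflow needs. Whether `scorecards-analysis` should also appear in a `needs:` list depends on whether a failed analysis is meant to block the release; as written it does not.
```yaml
  scorecards-analysis:
    uses: ./.github/workflows/scorecards-analysis.yml
    permissions:
      actions: read
      contents: read
      security-events: write  # upload-sarif to code scanning
      id-token: write         # publish_results (OIDC)
# … unchanged: codeql and build-containers jobs …
```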
@@ -0,0 +1,30 @@
+name: Scorecard analysis workflow
+
+on:
+ branch_protection_rule:
+ schedule:
+ # Weekly on Saturdays.
+ - cron: "30 1 * * 6"
+ workflow_call:
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@v2.2.0
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+ - name: "Upload SARIF results to code scanning"
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml
index a568bda7..7e1762e1 100644
--- a/.github/workflows/staging.yml
+++ b/.github/workflows/staging.yml
@@ -64,33 +64,16 @@ jobs: DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} - # Python code security - code-security: - runs-on: ubuntu-latest + codeql: + uses: ./.github/workflows/codeql.yml permissions: actions: read contents: read security-events: write - strategy: - fail-fast: false - matrix: - language: ["python"] - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - languages: ${{ matrix.language }} - config-file: ./.github/codeql.yml - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - with: - category: "/language:${{matrix.language}}" # Create infrastructures and prepare tests create-infras: - needs: [code-security, build-containers, build-packages] + needs: [codeql, build-containers, build-packages] strategy: matrix: type: [docker, autoconf, swarm, k8s, linux] 
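Review bot: The `analysis` job declares no job-level `permissions:`, so it inherits the workflow-level `permissions: read-all`, yet its last step (`github/codeql-action/upload-sarif@v2`) must write to code scanning and `publish_results: true` needs an OIDC token; with read-only scopes those steps fail in the scheduled and `branch_protection_rule` runs, and in `workflow_call` runs too unless the caller happens to grant more. Keep `read-all` as the workflow default and add an explicit job-level block that grants only what the two steps need, which is also the shape the Scorecard project's own reference workflow uses. `actions: read` is only needed for private repositories as far as I can tell; drop it if this repository is public.
```yaml
jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # upload-sarif to code scanning
      id-token: write         # publish_results (OIDC)
    # … unchanged: steps (checkout, scorecard-action, upload-sarif) …
```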
@@ -102,7 +85,7 @@ jobs: SECRET_KEY: ${{ secrets.SECRET_KEY }} K8S_IP: ${{ secrets.K8S_IP }} prepare-tests-core: - needs: [code-security, build-containers, build-packages] + needs: [codeql, build-containers, build-packages] runs-on: ubuntu-latest steps: - name: Checkout repository
@@ -116,12 +99,12 @@ jobs: # Perform tests tests-ui: - needs: [code-security, build-containers] + needs: [codeql, build-containers] uses: ./.github/workflows/tests-ui.yml with: RELEASE: testing tests-ui-linux: - needs: [code-security, build-packages] + needs: [codeql, build-packages] uses: ./.github/workflows/tests-ui-linux.yml with: RELEASE: testing
diff --git a/.github/workflows/tests-ui-linux.yml b/.github/workflows/tests-ui-linux.yml
index 2bbc71ed..ac6612de 100644
--- a/.github/workflows/tests-ui-linux.yml
+++ b/.github/workflows/tests-ui-linux.yml
@@ -62,7 +62,7 @@ jobs: sudo apt update sudo apt install -y nginx=1.24.0-1~jammy - name: Fix version without a starting number - if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' + if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui' run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg - name: Install BunkerWeb run: sudo apt install -fy /tmp/bunkerweb.deb
diff --git a/.github/workflows/ui.yml b/.github/workflows/ui.yml
index 5850e6f7..dd2a33a6 100644
--- a/.github/workflows/ui.yml
+++ b/.github/workflows/ui.yml 
@@ -33,9 +33,43 @@ jobs: DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} + # Build Linux packages + build-packages: + permissions: + contents: read + packages: write + strategy: + matrix: + linux: [ubuntu] + include: + - linux: ubuntu + package: deb + uses: ./.github/workflows/linux-build.yml + with: + RELEASE: ui + LINUX: ${{ matrix.linux }} + PACKAGE: ${{ matrix.package }} + TEST: true + PLATFORMS: linux/amd64 + secrets: + DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} + DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} + + codeql: + uses: ./.github/workflows/codeql.yml + permissions: + actions: read + contents: read + security-events: write + # UI tests tests-ui: - needs: [build-containers] + needs: [codeql, build-containers] uses: ./.github/workflows/tests-ui.yml with: RELEASE: ui + tests-ui-linux: + needs: [codeql, build-packages] + uses: ./.github/workflows/tests-ui-linux.yml + with: + RELEASE: ui