Extract codeQL workflow to have a separate one + Add scorecards analysis workflow file + Add UI tests for the UI branch

This commit is contained in:
Théophile Diot 2023-09-28 09:02:31 +01:00
parent 1c71572f44
commit 4d50026744
No known key found for this signature in database
GPG Key ID: 248FEA4BAE400D06
9 changed files with 124 additions and 51 deletions

4
.github/codeql.yml vendored

@ -6,5 +6,7 @@ paths:
- src/ui - src/ui
- src/common - src/common
paths-ignore: paths-ignore:
- src/ui/static - src/ui/static/tsparticles.bundle.min.js
- src/ui/static/js/utils/flatpickr.js
- src/ui/static/js/editor
- src/common/core/modsecurity/files - src/common/core/modsecurity/files
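Review bot: The three `paths-ignore` entries that replace the blanket `src/ui/static` exclusion carry no explanation of why exactly these files are skipped, so a later reader cannot tell a deliberate third-party exclusion from a leftover. A comment above them would settle it, e.g. `# bundled third-party/minified assets: excluded from scanning, not maintained here` (adjust to the actual reason). Note that every other file under `src/ui/static` is now in scope for the javascript scan the shared workflow adds, which is presumably the intent.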

31
.github/workflows/codeql.yml vendored Normal file

@ -0,0 +1,31 @@
name: CodeQL Analysis
on:
schedule:
# Weekly on Saturdays.
- cron: "30 1 * * 6"
workflow_call:
jobs:
code-security:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ["python", "javascript"]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql.yml
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"
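Review bot: The actions in the new workflow are referenced by floating major tags (`actions/checkout@v4`, `github/codeql-action/init@v2`, `github/codeql-action/analyze@v2`), so a re-tag upstream, mistaken or malicious, changes what runs in a job that holds `security-events: write`. Pinning each `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<commit-sha>  # v4`, removes that exposure, keeps updates reviewable via Dependabot, and is also what the Scorecard workflow added in this same commit reports under its Pinned-Dependencies check. The same applies to `ossf/scorecard-action@v2.2.0` and `github/codeql-action/upload-sarif@v2` in the scorecard workflow, and to the existing `actions/checkout@v4` / `docker/build-push-action@v5` lines visible in the other hunks.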


@ -63,45 +63,28 @@ jobs:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# Python code security codeql:
code-security: uses: ./.github/workflows/codeql.yml
runs-on: ubuntu-latest
permissions: permissions:
actions: read actions: read
contents: read contents: read
security-events: write security-events: write
strategy:
fail-fast: false
matrix:
language: ["python"]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql.yml
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"
# UI tests # UI tests
tests-ui: tests-ui:
needs: [code-security, build-containers] needs: [codeql, build-containers]
uses: ./.github/workflows/tests-ui.yml uses: ./.github/workflows/tests-ui.yml
with: with:
RELEASE: dev RELEASE: dev
tests-ui-linux: tests-ui-linux:
needs: [code-security, build-packages] needs: [codeql, build-packages]
uses: ./.github/workflows/tests-ui-linux.yml uses: ./.github/workflows/tests-ui-linux.yml
with: with:
RELEASE: dev RELEASE: dev
# Core tests # Core tests
prepare-tests-core: prepare-tests-core:
needs: [code-security, build-containers, build-packages] needs: [codeql, build-containers, build-packages]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repository - name: Checkout repository
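Review bot: Adding `codeql` to the `needs:` lists of `tests-ui`, `tests-ui-linux` and `prepare-tests-core` only sequences the tests after the scan has finished; as far as I know `github/codeql-action/analyze` does not fail the job on findings by default, so this is not a gate that blocks the pipeline on new alerts. If blocking was the intent, it has to come from code-scanning branch protection or a failure threshold in the analysis step rather than from `needs`; if it is only ordering, a comment such as `# codeql in needs only orders the jobs; alerts surface through code scanning, not a failed job` would stop readers from assuming a gate. The same applies to the `wait-builds`, `create-infras`, `prepare-tests-core` and `tests-ui` needs lists in the later sections of this commit.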


@ -39,7 +39,7 @@ jobs:
- name: Checkout source code - name: Checkout source code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Replace VERSION - name: Replace VERSION
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
run: ./misc/update-version.sh ${{ inputs.RELEASE }} run: ./misc/update-version.sh ${{ inputs.RELEASE }}
- name: Extract arch - name: Extract arch
run: | run: |
@ -91,7 +91,7 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
# Build testing package image # Build testing package image
- name: Build package image - name: Build package image
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
uses: docker/build-push-action@v5 uses: docker/build-push-action@v5
with: with:
context: . context: .
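Review bot: The conditions on the Replace VERSION and Build package image steps now repeat the same three-way comparison, `if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'`, and every new release channel will need each copy edited in step (the Fix version step in the later section carries the same line). A membership test keeps them in sync and reads as one list: `if: contains(fromJSON('["testing", "dev", "ui"]'), inputs.RELEASE)`.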


@ -7,6 +7,16 @@ on:
branches: [master] branches: [master]
jobs: jobs:
scorecards-analysis:
uses: ./.github/workflows/scorecards-analysis.yml
codeql:
uses: ./.github/workflows/codeql.yml
permissions:
actions: read
contents: read
security-events: write
# Build amd64 + 386 containers images # Build amd64 + 386 containers images
build-containers: build-containers:
strategy: strategy:
@ -123,7 +133,7 @@ jobs:
# Wait for all builds and extract VERSION # Wait for all builds and extract VERSION
wait-builds: wait-builds:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [build-containers, build-containers-arm, build-packages] needs: [codeql, build-containers, build-containers-arm, build-packages]
outputs: outputs:
version: ${{ steps.getversion.outputs.version }} version: ${{ steps.getversion.outputs.version }}
versionrpm: ${{ steps.getversionrpm.outputs.versionrpm }} versionrpm: ${{ steps.getversionrpm.outputs.versionrpm }}
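Review bot: The new `scorecards-analysis` job calls the reusable workflow without a `permissions:` block, whereas the `codeql` job right below it grants `security-events: write`; a called workflow cannot exceed the caller's permissions, and the scorecard workflow further down in this commit declares `permissions: read-all` at the top with no job-level override, while its last step uploads SARIF through `github/codeql-action/upload-sarif` and the scorecard step sets `publish_results: true`. As far as I know that upload needs `security-events: write` and publishing needs `id-token: write`, so as written the upload step is likely to fail with an authorization error on this push trigger. Granting them here, `permissions:` / `security-events: write` / `id-token: write` under `scorecards-analysis:`, and adding the same job-level block under `analysis:` in the scorecard workflow while keeping the workflow-level `read-all`, would resolve it.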


@ -0,0 +1,30 @@
name: Scorecard analysis workflow
on:
branch_protection_rule:
schedule:
# Weekly on Saturdays.
- cron: "30 1 * * 6"
workflow_call:
permissions: read-all
jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-latest
steps:
- name: "Checkout code"
uses: actions/checkout@v4
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@v2.2.0
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- name: "Upload SARIF results to code scanning"
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif


@ -64,33 +64,16 @@ jobs:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# Python code security codeql:
code-security: uses: ./.github/workflows/codeql.yml
runs-on: ubuntu-latest
permissions: permissions:
actions: read actions: read
contents: read contents: read
security-events: write security-events: write
strategy:
fail-fast: false
matrix:
language: ["python"]
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
config-file: ./.github/codeql.yml
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"
# Create infrastructures and prepare tests # Create infrastructures and prepare tests
create-infras: create-infras:
needs: [code-security, build-containers, build-packages] needs: [codeql, build-containers, build-packages]
strategy: strategy:
matrix: matrix:
type: [docker, autoconf, swarm, k8s, linux] type: [docker, autoconf, swarm, k8s, linux]
@ -102,7 +85,7 @@ jobs:
SECRET_KEY: ${{ secrets.SECRET_KEY }} SECRET_KEY: ${{ secrets.SECRET_KEY }}
K8S_IP: ${{ secrets.K8S_IP }} K8S_IP: ${{ secrets.K8S_IP }}
prepare-tests-core: prepare-tests-core:
needs: [code-security, build-containers, build-packages] needs: [codeql, build-containers, build-packages]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout repository - name: Checkout repository
@ -116,12 +99,12 @@ jobs:
# Perform tests # Perform tests
tests-ui: tests-ui:
needs: [code-security, build-containers] needs: [codeql, build-containers]
uses: ./.github/workflows/tests-ui.yml uses: ./.github/workflows/tests-ui.yml
with: with:
RELEASE: testing RELEASE: testing
tests-ui-linux: tests-ui-linux:
needs: [code-security, build-packages] needs: [codeql, build-packages]
uses: ./.github/workflows/tests-ui-linux.yml uses: ./.github/workflows/tests-ui-linux.yml
with: with:
RELEASE: testing RELEASE: testing


@ -62,7 +62,7 @@ jobs:
sudo apt update sudo apt update
sudo apt install -y nginx=1.24.0-1~jammy sudo apt install -y nginx=1.24.0-1~jammy
- name: Fix version without a starting number - name: Fix version without a starting number
if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' if: inputs.RELEASE == 'testing' || inputs.RELEASE == 'dev' || inputs.RELEASE == 'ui'
run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg run: echo "force-bad-version" | sudo tee -a /etc/dpkg/dpkg.cfg
- name: Install BunkerWeb - name: Install BunkerWeb
run: sudo apt install -fy /tmp/bunkerweb.deb run: sudo apt install -fy /tmp/bunkerweb.deb


@ -33,9 +33,43 @@ jobs:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }} DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }} DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
# Build Linux packages
build-packages:
permissions:
contents: read
packages: write
strategy:
matrix:
linux: [ubuntu]
include:
- linux: ubuntu
package: deb
uses: ./.github/workflows/linux-build.yml
with:
RELEASE: ui
LINUX: ${{ matrix.linux }}
PACKAGE: ${{ matrix.package }}
TEST: true
PLATFORMS: linux/amd64
secrets:
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
codeql:
uses: ./.github/workflows/codeql.yml
permissions:
actions: read
contents: read
security-events: write
# UI tests # UI tests
tests-ui: tests-ui:
needs: [build-containers] needs: [codeql, build-containers]
uses: ./.github/workflows/tests-ui.yml uses: ./.github/workflows/tests-ui.yml
with: with:
RELEASE: ui RELEASE: ui
tests-ui-linux:
needs: [codeql, build-packages]
uses: ./.github/workflows/tests-ui-linux.yml
with:
RELEASE: ui