From 8f7664dcf31f18b0a11380f0862ba740cc8439b5 Mon Sep 17 00:00:00 2001
From: Goetz Goerisch
Date: Mon, 7 Oct 2024 15:57:16 +0200
Subject: [PATCH 1/4] refactor(ci): linting of workflows

---
 .github/workflows/build.yml | 15 ++++++--
 .github/workflows/clean-images.yml | 10 ++++-
 .github/workflows/codeql-analysis.yml | 53 +++++++++++++++------------
 .github/workflows/linter.yml | 8 ++--
 4 files changed, 54 insertions(+), 32 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 55876d68..754bbf73 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,12 +1,14 @@
 ---
 name: Build
-
+
 on:
 push:
 pull_request:
 branches: [main, development]
 merge_group:
-
+
+permissions: read-all
+
 jobs:
 build-linux:
 strategy:
@@ -51,6 +53,7 @@ jobs:
 cd build/Dashboard-Client-build || exit
 ctest -V -C "${{matrix.build_type}}"
 - name: Run integration test cacert_test
+ # yamllint disable rule:line-length
 run: |
 #! /bin/bash
 cd UmatiDashboardOpcUaClient/Tests/integration/cacert_test || exit
@@ -58,9 +61,11 @@ jobs:
 cp "${{ github.workspace }}/build/Dashboard-Client-build/Tests/unit/TestCaCertificate" .
 docker compose up -d
 ./evaluateTest.sh
+ # yamllint enable rule:line-length
 - name: Upload Artefacts
 uses: actions/upload-artifact@v4
 with:
+ # yamllint disable rule:line-length
 name: UmatiDashboardOpcUaClient-${{matrix.build_type}}-${{matrix.os}}-${{matrix.arch}}
 path: |
 ${{ env.CMAKE_INSTALL_PREFIX }}/bin
@@ -71,6 +76,7 @@ jobs:
 name: dashboardopcuaclient-${{matrix.build_type}}-${{matrix.os}}-${{matrix.arch}}.deb
 path: |
 ${{ env.CMAKE_INSTALL_PREFIX }}/*.deb
+ # yamllint enable rule:line-length
 build-windows:
 strategy:
 matrix:
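Review bot: `permissions: read-all` in the first build.yml hunk is broader than the jobs visible here need; the build jobs only check out the repository and upload artifacts, and artifact upload does not consume a GITHUB_TOKEN scope, so `permissions:` / `contents: read` is sufficient as the workflow default. Granting the minimum at workflow level and adding scopes per job keeps the token small for every job added later. The fourth patch in this series already gives the `docker` and `release` jobs their own job-level scopes, so shrinking the workflow default to `contents: read` would not break them.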
@@ -114,15 +120,18 @@ jobs: - name: Upload Artefacts uses: actions/upload-artifact@v4 with: + # yamllint disable rule:line-length name: UmatiDashboardOpcUaClient-${{matrix.build_type}}-${{matrix.os}}-${{matrix.arch}} path: | ${{ env.CMAKE_INSTALL_PREFIX }}/bin ${{ env.CMAKE_INSTALL_PREFIX }}/share/DashboardOpcUaClient + # yamllint enable rule:line-length docker: runs-on: ubuntu-22.04 env: # Check if this is not a pull request and GITHUB_TOKEN is set - # As all env variables are strings, you need to compaire against "== 'true'" (not "== true") + # As all env variables are strings, you need to compare + # against "== 'true'" (not "== true") IS_NOT_PR: ${{ !github.head_ref && true }} steps: - name: Checkout Code diff --git a/.github/workflows/clean-images.yml b/.github/workflows/clean-images.yml index da949729..67fbce9f 100644 --- a/.github/workflows/clean-images.yml +++ b/.github/workflows/clean-images.yml @@ -4,7 +4,11 @@ on: workflow_dispatch: schedule: # * is a special character in YAML so you have to quote this string - - cron: '0 0 1 * *' + - cron: "0 0 1 * *" + +permissions: + contents: read + packages: write jobs: build: @@ -17,6 +21,7 @@ jobs: PER_PAGE: 100 with: + # yamllint disable rule:line-length github-token: ${{ secrets.DELETE_PACKAGES_TOKEN }} script: | const response = await github.request("GET /orgs/${{ github.repository_owner }}/packages/container/${{ env.PACKAGE_NAME }}/versions", @@ -28,4 +33,5 @@ jobs: const deleteResponse = await github.request("DELETE /orgs/${{ github.repository_owner }}/packages/container/${{ env.PACKAGE_NAME }}/versions/" + version.id, { }); console.log("status " + deleteResponse.status) } - } \ No newline at end of file + } + # yamllint enable rule:line-length diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 604f1dd8..93756ed7 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml 
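Review bot: The `packages: write` scope added in the clean-images.yml hunk is granted to GITHUB_TOKEN, but the package deletion in the following hunk authenticates with `secrets.DELETE_PACKAGES_TOKEN`, so the job's own token never exercises it; a job token is also not documented as sufficient for deleting organization package versions, which is presumably why the PAT is used. Unless a step outside the hunk relies on GITHUB_TOKEN for packages, reduce the block to `permissions:` / `contents: read`. An unused write scope on the job token only widens what a compromised step in this job could do.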
@@ -14,12 +14,14 @@ name: "CodeQL" on: push: - branches: [ "development", main ] + branches: [development, main] pull_request: # The branches below must be a subset of the branches above - branches: [ "development" ] + branches: [development] schedule: - - cron: '0 3 * * 1' + - cron: "0 3 * * 1" + +permissions: read-all jobs: analyze: 
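Review bot: `permissions: read-all` in this hunk leaves the CodeQL workflow without `security-events: write`, which `github/codeql-action/analyze` requires to upload its SARIF results; on push and schedule runs the analysis would complete and then fail at the upload with a permission error. Replace the line with `permissions:`, `contents: read`, `security-events: write` (and `actions: read` if the repository is private). The analyze step itself appears in the next hunk, and the later "set correct workflow permissions" patch touches only build.yml, so this file would stay broken.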
@@ -35,34 +37,37 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'cpp', 'python' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + language: ["cpp", "python"] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', + # 'python', 'ruby' ] Learn more about CodeQL language support + # at https://aka.ms/codeql-docs/language-support steps: - - name: Checkout ${{ github.repository }} - uses: actions/checkout@v4 - with: + - name: Checkout ${{ github.repository }} + uses: actions/checkout@v4 + with: submodules: recursive - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here + # or in a config file. By default, queries listed here will + # override any specified in a config file. Prefix the list + # here with "+" to use these queries and those in the config file. 
+ # Details on CodeQL's query packs refer to : + # https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + queries: security-and-quality - - name: Build ${{ github.repository }} with dependencies - run: | + - name: Build ${{ github.repository }} with dependencies + run: | mkdir -p build cd build cmake ../.github/ \ -DCMAKE_INSTALL_PREFIX:PATH="${{ env.CMAKE_INSTALL_PREFIX }}" cmake --build . - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 \ No newline at end of file + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 3b57c925..e227086c 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -19,6 +19,8 @@ on: pull_request: branches: [main, develop] +permissions: read-all + ############### # Set the Job # ############### @@ -49,12 +51,12 @@ jobs: - name: Lint Code Base uses: super-linter/super-linter@v5.7.2 env: - VALIDATE_CPP: false # Use clang-formt instead + VALIDATE_CPP: false # Use clang-format instead VALIDATE_ALL_CODEBASE: false DEFAULT_BRANCH: main GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -# CMake Format + # CMake Format cmake-format-linter: name: Lint Code Base (cmake-format-lint) runs-on: ubuntu-22.04 @@ -64,4 +66,4 @@ jobs: id: cmake-format uses: PuneetMatharu/cmake-format-lint-action@v1.0.4 with: - args: --config-files cmake-format.yaml \ No newline at end of file + args: --config-files cmake-format.yaml From b4eb4736c84353178925e0a4365ca144312cb67b Mon Sep 17 00:00:00 2001 
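Review bot: The new `queries: security-and-quality` line in the second codeql-analysis.yml hunk enables a query suite, a behaviour change that a commit titled as a lint refactor does not mention; it deserves its own commit or at least a sentence in this message. The reflowed comment above it still offers `# queries: security-extended,security-and-quality` as a disabled example, which now contradicts the active line below; drop the commented example or reword the block to say why `security-and-quality` was chosen. The re-indentation also moves `with:` and `run: |` while leaving `submodules: recursive` and the shell body unchanged, which is only valid if those lines were already indented deeper than their old parents — worth confirming on the rendered file, since the collapsed view cannot show it.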
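Review bot: The `pull_request` filter in the first linter.yml hunk keeps `branches: [main, develop]`, while build.yml and codeql-analysis.yml in this same patch filter on `development` and the third patch sets `DEFAULT_BRANCH: development`; if the repository's integration branch is `development`, pull requests against it never run the linter. Change the line to `branches: [main, development]`. The added `permissions: read-all` also omits `statuses: write`, which super-linter's documented permissions include for its per-linter status checks; grant it explicitly or set `MULTI_STATUS: false` in the step's env so a refused status update cannot fail the run.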
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 8 Oct 2024 07:34:55 +0000 Subject: [PATCH 2/4] chore(deps): update super-linter/super-linter action to v7 --- .github/workflows/linter.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index e227086c..0c3a3118 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -49,7 +49,7 @@ jobs: # Run Linter against code base # ################################ - name: Lint Code Base - uses: super-linter/super-linter@v5.7.2 + uses: super-linter/super-linter@v7.1.0 env: VALIDATE_CPP: false # Use clang-format instead VALIDATE_ALL_CODEBASE: false From 863c9f7eb9854ea2704bf4d76ec7d38fe938cfce Mon Sep 17 00:00:00 2001 From: Goetz Goerisch Date: Fri, 11 Oct 2024 08:51:49 +0200 Subject: [PATCH 3/4] fix(ci): disable CHECKOV linter --- .github/workflows/linter.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml index 0c3a3118..1d928810 100644 --- a/.github/workflows/linter.yml +++ b/.github/workflows/linter.yml @@ -52,8 +52,10 @@ jobs: uses: super-linter/super-linter@v7.1.0 env: VALIDATE_CPP: false # Use clang-format instead + VALIDATE_CHECKOV: false # Disable CHECKOV checks for now + # TODO: Add HEALTHCHECK and USER to Dockerfiles VALIDATE_ALL_CODEBASE: false - DEFAULT_BRANCH: main + DEFAULT_BRANCH: development GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # CMake Format From 5d555b60024de2c4951f94b092364678a33c6619 Mon Sep 17 00:00:00 2001 From: Goetz Goerisch Date: Fri, 11 Oct 2024 09:18:08 +0200 Subject: [PATCH 4/4] fix(ci): set correct workflow permissions --- .github/workflows/build.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 754bbf73..65bd2593 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -127,6 +127,8 @@ jobs: ${{ env.CMAKE_INSTALL_PREFIX }}/share/DashboardOpcUaClient # yamllint enable rule:line-length docker: + permissions: + packages: write runs-on: ubuntu-22.04 env: # Check if this is not a pull request and GITHUB_TOKEN is set @@ -181,6 +183,8 @@ jobs: python -m unittest discover test_mqtt_sampleserver release: + permissions: + contents: write runs-on: ubuntu-22.04 needs: [build-linux, build-windows] if: startsWith(github.ref, 'refs/tags/')
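Review bot: A job-level `permissions` block replaces the workflow-level `permissions: read-all` rather than extending it, so after the first hunk the `docker` job runs with `packages: write` and every other scope set to `none`, including `contents`; its `Checkout Code` step (visible as context in the earlier build.yml hunk) then has no read scope, which fails on a private repository and depends on anonymous access on a public one. Add `contents: read` next to `packages: write` in the `docker` job; the `release` job's `contents: write` in the second hunk already covers its own checkout. Any other scope these two jobs previously inherited from `read-all` is gone as well, so their remaining steps outside the hunks should be checked for GITHUB_TOKEN use.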