From 398af6892aae9cf933ad4159785e95e64923038a Mon Sep 17 00:00:00 2001
From: Zhiwei Liang
Date: Wed, 18 Dec 2024 13:58:18 -0500
Subject: [PATCH 1/2] Add security workflows
---
 .github/workflows/codeql.yml | 39 +++++++++++++++++++++++++
 .github/workflows/dependency-review.yml | 19 ++++++++++++
 2 files changed, 58 insertions(+)
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/dependency-review.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..de49ed0c
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,39 @@
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: [ "dev", "main", "proj/*" ]
+ pull_request:
+ branches: [ "dev", "main", "proj/*" ]
+ schedule:
+ - cron: '0 13 * * 5'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: python
+ build-mode: none
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ queries: security-and-quality
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..bf9f46d8
--- /dev/null
+++ b/.github/workflows/dependency-review.yml
@@ -0,0 +1,19 @@
+name: 'Dependency review'
+on:
+ pull_request:
+ branches: [ "dev", "main", "proj/*" ]
+
+permissions:
+ contents: read
+ pull-requests: write
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Checkout repository'
+ uses: actions/checkout@v4
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
+ with:
+ comment-summary-in-pr: on-failure
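Review bot: The job-level `permissions:` block in codeql.yml grants only `security-events: write`, which sets every other scope of the job token to none; the upstream "CodeQL Advanced" starter workflow also lists `contents: read` and `actions: read` (marked there as required for private repositories) plus `packages: read` for private CodeQL packs, so the `actions/checkout@v4` and analyze steps may fail on a private repository as written. Adding `contents: read`, `actions: read` and `packages: read` under `permissions:` keeps the token least-privilege while matching what the init/analyze steps expect. Separately, every third-party action here and in dependency-review.yml is pinned by a mutable major tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`, `actions/dependency-review-action@v4`); pinning to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening for a workflow whose token can write security-events. The `category:` value also drops the spaces inside `${{matrix.language}}` that the other expressions use — harmless, but worth normalising to `${{ matrix.language }}`.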
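Review bot: The `Dependency Review` step in dependency-review.yml sets only `comment-summary-in-pr: on-failure`, so the severity threshold and license policy that decide whether the check fails are left to the action's defaults and are invisible to anyone reading the workflow. Making the gate explicit, e.g. `fail-on-severity: moderate` (and `deny-licenses:` or `allow-licenses:` if the project has a license policy), documents the policy and keeps it stable across action releases that might change the defaults. The action also appears to require the repository's dependency graph to be enabled; if that is not the case the step errors out rather than passing silently, which is presumably intended but deserves a one-line comment above the step so a failing check is not mistaken for a vulnerable dependency. The workflow-level `permissions:` block (`contents: read`, `pull-requests: write`) is already scoped to what the PR comment needs.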
From ca9af1bc371a5eccbed809cbab4c0dadfbb98463 Mon Sep 17 00:00:00 2001
From: Zhiwei Liang
Date: Wed, 18 Dec 2024 17:56:43 -0500
Subject: [PATCH 2/2] Remove apt install steps in all workflows
---
 .github/workflows/docs.yml | 12 ------------
 .github/workflows/integration-tests.yml | 3 ---
 .github/workflows/nightly-smoke-tests.yml | 3 ---
 3 files changed, 18 deletions(-)
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 754d0506..1df2f9d5 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -17,12 +17,6 @@ jobs:
 with: path: .ansible/collections/ansible_collections/linode/cloud - - name: update packages - run: sudo apt-get update -y - - - name: install packages - run: sudo apt-get install -y make - - name: setup python 3 uses: actions/setup-python@v5 with:
@@ -60,12 +54,6 @@ jobs:
 with: path: .ansible/collections/ansible_collections/linode/cloud - - name: update packages - run: sudo apt-get update -y - - - name: install packages - run: sudo apt-get install -y make - - name: setup python 3 uses: actions/setup-python@v5 with:
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
index 051ea283..64f6a45d 100644
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@@ -40,9 +40,6 @@ jobs:
 fetch-depth: 0 submodules: 'recursive' - - name: Update packages - run: sudo apt-get update -y - - name: Setup Python 3 uses: actions/setup-python@v5 with:
diff --git a/.github/workflows/nightly-smoke-tests.yml b/.github/workflows/nightly-smoke-tests.yml
index 888aae95..9e503542 100644
--- a/.github/workflows/nightly-smoke-tests.yml
+++ b/.github/workflows/nightly-smoke-tests.yml
@@ -28,9 +28,6 @@ jobs:
 fetch-depth: 0 submodules: 'recursive' - - name: Update packages - run: sudo apt-get update -y - - name: Setup Python 3 uses: actions/setup-python@v5 with: