diff --git a/.github/actions/upload-secure-artifact/action.yml b/.github/actions/upload-secure-artifact/action.yml
new file mode 100755
index 00000000..9494b3ab
--- /dev/null
+++ b/.github/actions/upload-secure-artifact/action.yml
@@ -0,0 +1,151 @@
+# This was manually copied from JumpCloud's internal actions repository.
+# It may need to be updated from time to time.
+# Latest Update: 9/16/2024
+
+name: "Upload Secure Artifact"
+description: "Upload an artifact, but only after it has been scanned for secrets, etc."
+inputs:
+ name:
+ description: "Name of the artifact to upload"
+ required: true
+ path:
+ description: |
+ Path to the artifact to upload.
+ This can be a file or a directory.
+ Multiple paths can be provided by separating them with a space.
+ Note: This does not match exactly the use of `path` in actions/upload-artifact.
+ required: true
+
+ # These inputs are optional. They defaults match the defaults of the actions/upload-artifact action@v4 as of 8/27/2024.
+ # See https://github.com/actions/upload-artifact?tab=readme-ov-file#inputs
+ if-no-files-found:
+ required: false
+ default: warn
+ retention-days:
+ required: false
+ # Duration after which artifact will expire in days. 0 means using default retention.
+ default: 0
+ compression-level:
+ required: false
+ default: 6
+ overwrite:
+ required: false
+ default: false
+
+runs:
+ using: "composite"
+
+ steps:
+ - name: Check out Gitleaks
+ uses: actions/checkout@v4
+ with:
+ repository: gitleaks/gitleaks
+ path: gitleaks
+ fetch-depth: 1
+ - uses: actions/setup-go@v5
+ with:
+ go-version: 1.23
+ # macOs runners use bash<4, which doesn't support double asterisks in globs.
+ # Update the bash version here since we need it.
+ - name: Configure Bash - macOS
+ if: runner.os == 'macOS'
+ run: |
+ brew install bash
+ /bin/bash --version
+ shell: bash
+ - name: Install Gitleaks
+ run: |
+ ### Install Gitleaks ###
+ # Set ARTIFACTS_DIR to something that should not collide with any real path in a repo.
+ ARTIFACTS_DIR="./__artifacts"
+ SCAN_DIR="${ARTIFACTS_DIR}_scan"
+ echo "ARTIFACTS_DIR=${ARTIFACTS_DIR}" >> ${GITHUB_ENV}
+ echo "SCAN_DIR=${SCAN_DIR}" >> ${GITHUB_ENV}
+ echo "GITLEAKS_SOURCE=${SCAN_DIR}" >> ${GITHUB_ENV}
+ case ${{ runner.os }} in
+ Windows)
+ echo "GITLEAKS_COMMAND=gitleaks/gitleaks.exe" >> ${GITHUB_ENV}
+ ;;
+ Linux|macOS)
+ echo "GITLEAKS_COMMAND=gitleaks/gitleaks" >> ${GITHUB_ENV}
+ ;;
+ *)
+ echo "Unsupported OS: ${{ runner.os }}"
+ exit 1
+ ;;
+ esac
+
+ cd gitleaks
+ make build
+ shell: bash
+ - name: Scan Artifacts
+ id: scan-artifacts
+ run: |
+ ### Scan Artifacts ###
+ # Ensure that double asterisks are expanded
+ shopt -s globstar
+ expanded_path=$(echo ${{ inputs.path }})
+
+ # Create a directory to store the artifacts
+ mkdir -p "${ARTIFACTS_DIR}"
+ # Copy the artifact to the artifacts directory
+ for path in ${expanded_path}; do
+ echo "Copying path: $path"
+ if [[ ! -e $path ]]; then
+ echo "Skipping non-existent path: $path"
+ continue
+ fi
+ if [[ -d $path ]]; then
+ cp -r $path "${ARTIFACTS_DIR}"
+ else
+ cp $path "${ARTIFACTS_DIR}"
+ fi
+ done
+ # Run the gitleaks scan if ARTIFACTS_DIR is not empty
+ if [ "$(ls -A ${ARTIFACTS_DIR})" ]; then
+ # Create a copy of the artifacts directory for scanning only
+ cp -r "${ARTIFACTS_DIR}" "${SCAN_DIR}"
+ # Unzip any .zip files in ARTIFACTS_DIR
+ # Check if there are .zip files in SCAN_DIR
+ if [ -n "$(find ${SCAN_DIR} -maxdepth 1 -name '*.zip' -print -quit)" ]; then
+ for file in ${SCAN_DIR}/*.zip; do
+ echo "Unzipping $file for scanning"
+ unzip -q $file -d ${SCAN_DIR}
+ rm $file
+ done
+ fi
+
+ ${GITLEAKS_COMMAND} detect --source="${GITLEAKS_SOURCE}" -f -v -f json --no-git || exit_code=$?
+ if [[ $exit_code -ne 0 ]]; then
+ echo "Gitleaks scan failed. It is unsafe to upload the artifacts as requested."
+ echo "To see the scan results, you have to replicate the artifacts and scan locally."
+ echo "See this link for more information: https://jumpcloud.atlassian.net/wiki/spaces/ED/pages/2135654401/GitHub+Actions#Uploading-Artifacts"
+ exit 1
+ fi
+ echo "artifacts-exist=true" >> "${GITHUB_OUTPUT}"
+ else
+ echo "${ARTIFACTS_DIR} is empty. Skipping scan and upload."
+ echo "artifacts-exist=false" >> "${GITHUB_OUTPUT}"
+ fi
+ shell: bash
+ - name: Upload Secure Artifacts
+ if: steps.scan-artifacts.outputs.artifacts-exist == 'true'
+ uses: actions/upload-artifact@v4
+ with:
+ name: ${{ inputs.name }}
+ path: ${{ env.ARTIFACTS_DIR }}
+ if-no-files-found: ${{ inputs.if-no-files-found }}
+ retention-days: ${{ inputs.retention-days }}
+ compression-level: ${{ inputs.compression-level }}
+ overwrite: ${{ inputs.overwrite }}
+ - name: Clean Up Tmp Artifacts Directory
+ run: |
+ ### Clean Up Tmp Artifacts Directory ###
+ # Remove the artifacts directory in case this action is used multiple times in the same job.
+ rm -rf "${ARTIFACTS_DIR}"
+ shell: bash
+ - name: Clean Up gitleaks
+ run: |
+ ### Clean Up gitleaks ###
+ rm -rf gitleaks
+ shell: bash
diff --git a/.github/workflows/admu-ci.yml b/.github/workflows/admu-ci.yml
index d73711bb..77955540 100644
--- a/.github/workflows/admu-ci.yml
+++ b/.github/workflows/admu-ci.yml
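Review bot: The gate itself is unpinned third-party code: the `actions/checkout` step at the top of the hunk clones `gitleaks/gitleaks` with no `ref`, so each run builds and executes whatever is on that repository's default branch at that moment, upstream Makefile included, inside the job's environment; add a `ref:` pinned to a release tag or, better, a full commit SHA (or fetch a release binary and verify its checksum instead of `make build`). In the Scan step, `expanded_path=$(echo ${{ inputs.path }})` templates the input straight into the script, so a value containing shell metacharacters is executed rather than globbed; route it through `env:` (`INPUT_PATH: ${{ inputs.path }}` on the step, then `for path in $INPUT_PATH; do`), which still word-splits and expands `**` under `globstar`. The first cleanup step removes only `ARTIFACTS_DIR`, so `SCAN_DIR` with its unzipped copies survives into the next use of the action in the same job, where `cp -r` then nests the new copy inside the stale one and the scan covers both; `rm -rf "${ARTIFACTS_DIR}" "${SCAN_DIR}"` fixes that, and both cleanup steps want `if: always()` so a failed scan does not leave the unscanned files behind on the runner. Two smaller points: `detect ... -f -v -f json` with no `--report-path` appears to write no report at all (which is presumably why the failure message tells the user to rescan locally), so consider `-r` to a report file that is never echoed, since it contains the matched secrets; and only top-level `*.zip` files are unpacked, so zip-based containers such as the `.nupkg` the release workflow intends to upload are scanned as opaque binaries.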
@@ -122,15 +122,10 @@ jobs: run: | . "${{ github.workspace }}/Deploy/build.ps1" -ModuleVersionType $env:RELEASE_TYPE -ModuleName "JumpCloud.ADMU" - name: Upload Nuspec - uses: actions/upload-artifact@v3 + uses: ./.github/actions/upload-secure-artifact with: name: jumpcloud-admu-build - path: | - ${{ github.workspace }}/Jumpcloud-ADMU/JumpCloud.ADMU.nuspec - ${{ github.workspace }}/Jumpcloud-ADMU/Docs/*.md - ${{ github.workspace }}/Jumpcloud-ADMU/Exe/*.exe - ${{ github.workspace }}/Jumpcloud-ADMU/Powershell/Form.ps1 - ${{ github.workspace }}/Jumpcloud-ADMU/JumpCloud.ADMU.psd1 + path: ${{ github.workspace }}/Jumpcloud-ADMU/JumpCloud.ADMU.nuspec ${{ github.workspace }}/Jumpcloud-ADMU/Docs/*.md ${{ github.workspace }}/Jumpcloud-ADMU/Exe/*.exe ${{ github.workspace }}/Jumpcloud-ADMU/Powershell/Form.ps1 ${{ github.workspace }}/Jumpcloud-ADMU/JumpCloud.ADMU.psd1 retention-days: 1 Test-Module: needs: ["Setup-Build-Dependancies", "Check-PR-Labels", "Build-Module"] @@ -143,7 +138,7 @@ jobs: steps: - uses: actions/checkout@v4 - name: Download artifacts - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: jumpcloud-admu-build - uses: actions/cache@v4 diff --git a/.github/workflows/admu-release.yml b/.github/workflows/admu-release.yml index 55153bf4..e2a35aa4 100644 --- a/.github/workflows/admu-release.yml +++ b/.github/workflows/admu-release.yml 
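Review bot: The five paths are now one space-separated `path:` value that the composite action expands with `$(echo ${{ inputs.path }})` and then copies into a single flat directory, so `Docs/*.md`, `Exe/*.exe` and the other entries lose their folder structure in the uploaded artifact; if Test-Module (second hunk, whose steps continue outside this diff) or anything else downloading `jumpcloud-admu-build` expects those subfolders, it needs adjusting. If Build-Module runs on a Windows runner (its `runs-on` is outside the hunk, but the `D:/a/...` path in the release workflow suggests it), `${{ github.workspace }}` expands to a backslashed path that bash's unquoted `echo` strips before the glob loop runs, so every entry would be skipped as non-existent, the upload step skipped, and the later `download-artifact@v4` would fail. Workspace-relative paths avoid that, since the action already runs from the workspace: `path: Jumpcloud-ADMU/JumpCloud.ADMU.nuspec Jumpcloud-ADMU/Docs/*.md Jumpcloud-ADMU/Exe/*.exe Jumpcloud-ADMU/Powershell/Form.ps1 Jumpcloud-ADMU/JumpCloud.ADMU.psd1`.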
@@ -168,21 +168,20 @@ jobs: SM_HOST: ${{ secrets.SM_HOST }} region: ${{ secrets.AWS_REGION }} version: ${{ env.RELEASE_VERSION }} - - name: Upload Release Artifacts - uses: actions/upload-artifact@v3 - with: - name: jumpcloud-admu - path: | - ${{ github.workspace }}/Jumpcloud-ADMU/Exe/*.exe - ${{ github.workspace }}/Jumpcloud-ADMU/JumpCloud.ADMU.nuspec - ${{ github.workspace }}/JumpCloud.ADMU.*.nupkg + - run: pwd + shell: bash + # - name: Upload Release Artifacts + # uses: D:/a/jumpcloud-ADMU/jumpcloud-ADMU/github/actions/upload-secure-artifact + # with: + # name: jumpcloud-admu + # path: ${{ github.workspace }}/Jumpcloud-ADMU/Exe/*.exe ${{ github.workspace }}/Jumpcloud-ADMU/JumpCloud.ADMU.nuspec ${{ github.workspace }}/JumpCloud.ADMU.*.nupkg Draft-GH-Release: needs: [Build-Sign-ADMU] runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Download ADMU artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: jumpcloud-admu - name: Build Draft Release @@ -211,7 +210,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Download ADMU artifact - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: name: jumpcloud-admu - name: Publish diff --git a/jumpcloud-ADMU/JumpCloud.ADMU.psd1 b/jumpcloud-ADMU/JumpCloud.ADMU.psd1 index b550fe96..c3e97f66 100644 --- a/jumpcloud-ADMU/JumpCloud.ADMU.psd1 +++ b/jumpcloud-ADMU/JumpCloud.ADMU.psd1 @@ -13,7 +13,7 @@ # Version number of this module. - ModuleVersion = '2.7.6' + ModuleVersion = '2.7.7' # Supported PSEditions # CompatiblePSEditions = @() diff --git a/jumpcloud-ADMU/Powershell/Form.ps1 b/jumpcloud-ADMU/Powershell/Form.ps1 index 46d41f7e..344b2fd5 100644 --- a/jumpcloud-ADMU/Powershell/Form.ps1 +++ b/jumpcloud-ADMU/Powershell/Form.ps1 @@ -153,7 +153,7 @@ function show-mtpSelection { diff --git a/jumpcloud-ADMU/Powershell/ProgressForm.ps1 b/jumpcloud-ADMU/Powershell/ProgressForm.ps1 index 21c3ecec..e1c1ce7b 100644 
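Review bot: With the `Upload Release Artifacts` step commented out and replaced by a `run: pwd` debug step, Build-Sign-ADMU no longer publishes the `jumpcloud-admu` artifact that both Draft-GH-Release and the publish job further down this diff download with `actions/download-artifact@v4`, so the release pipeline fails at that point. The commented `uses:` is also in a form `uses:` does not accept, an absolute runner path (and `github/actions` without the leading dot); a local action is referenced relative to the repository, exactly as admu-ci.yml does in this same change: `uses: ./.github/actions/upload-secure-artifact`. Restore the step with that reference, drop the `pwd` step, and note that the path list includes `JumpCloud.ADMU.*.nupkg`, which the action scans as an opaque binary since it unpacks only `*.zip`.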
--- a/jumpcloud-ADMU/Powershell/ProgressForm.ps1 +++ b/jumpcloud-ADMU/Powershell/ProgressForm.ps1 @@ -37,7 +37,7 @@ function New-ProgressForm { diff --git a/jumpcloud-ADMU/Powershell/Start-Migration.ps1 b/jumpcloud-ADMU/Powershell/Start-Migration.ps1 index 190fcbf9..7204bb69 100644 --- a/jumpcloud-ADMU/Powershell/Start-Migration.ps1 +++ b/jumpcloud-ADMU/Powershell/Start-Migration.ps1 @@ -1883,7 +1883,7 @@ Function Start-Migration { $AGENT_INSTALLER_URL = "https://cdn02.jumpcloud.com/production/jcagent-msi-signed.msi" $AGENT_INSTALLER_PATH = "$windowsDrive\windows\Temp\JCADMU\jcagent-msi-signed.msi" $AGENT_CONF_PATH = "$($AGENT_PATH)\Plugins\Contrib\jcagent.conf" - $admuVersion = '2.7.6' + $admuVersion = '2.7.7' $script:AdminDebug = $AdminDebug $isForm = $PSCmdlet.ParameterSetName -eq "form"