TheJumpCloud · rcasperson-jc · Aug 29, 2024 · Sep 13, 2024 · Sep 16, 2024 · Sep 16, 2024
@@ -0,0 +1,151 @@
+# This was manually copied from JumpCloud's internal actions repository.
+# It may need to be updated from time to time.
+# Latest Update: 9/16/2024
+
+name: "Upload Secure Artifact"
+description: "Upload an artifact, but only after it has been scanned for secrets, etc."
+inputs:
+  name:
+    description: "Name of the artifact to upload"
+    required: true
+  path:
+    description: |
+      Path to the artifact to upload.
+      This can be a file or a directory.
+      Multiple paths can be provided by separating them with a space.
+      Note: This does not match exactly the use of `path` in actions/upload-artifact.
+    required: true
+
+  # These inputs are optional. They defaults match the defaults of the actions/upload-artifact action@v4 as of 8/27/2024.
+  # See https://github.com/actions/upload-artifact?tab=readme-ov-file#inputs
+  if-no-files-found:
+    required: false
+    default: warn
+  retention-days:
+    required: false
+    # Duration after which artifact will expire in days. 0 means using default retention.
+    default: 0
+  compression-level:
+    required: false
+    default: 6
+  overwrite:
+    required: false
+    default: false
+
+runs:
+  using: "composite"
+
+  steps:
+      - name: Check out Gitleaks
+        uses: actions/checkout@v4
+        with:
+          repository: gitleaks/gitleaks
+          path: gitleaks
+          fetch-depth: 1
+      - uses: actions/setup-go@v5
+        with:
+          go-version: 1.23
+      # macOs runners use bash<4, which doesn't support double asterisks in globs.
+      # Update the bash version here since we need it.
+      - name: Configure Bash - macOS
+        if: runner.os == 'macOS'
+        run: |
+          brew install bash
+          /bin/bash --version
+        shell: bash
+      - name: Install Gitleaks
+        run: |
+          ### Install Gitleaks ###
+          # Set ARTIFACTS_DIR to something that should not collide with any real path in a repo.
+          ARTIFACTS_DIR="./__artifacts"
+          SCAN_DIR="${ARTIFACTS_DIR}_scan"
+          echo "ARTIFACTS_DIR=${ARTIFACTS_DIR}" >> ${GITHUB_ENV}
+          echo "SCAN_DIR=${SCAN_DIR}" >> ${GITHUB_ENV}
+          echo "GITLEAKS_SOURCE=${SCAN_DIR}" >> ${GITHUB_ENV}
+          case ${{ runner.os }} in
+            Windows)
+              echo "GITLEAKS_COMMAND=gitleaks/gitleaks.exe" >> ${GITHUB_ENV}
+              ;;
+            Linux|macOS)
+              echo "GITLEAKS_COMMAND=gitleaks/gitleaks" >> ${GITHUB_ENV}
+              ;;
+            *)
+              echo "Unsupported OS: ${{ runner.os }}"
+              exit 1
+              ;;
+          esac
+
+          cd gitleaks
+          make build
+        shell: bash
+      - name: Scan Artifacts
+        id: scan-artifacts
+        run: |
+          ### Scan Artifacts ###
+          # Ensure that double asterisks are expanded
+          shopt -s globstar
+          expanded_path=$(echo ${{ inputs.path }})
+
+          # Create a directory to store the artifacts
+          mkdir -p "${ARTIFACTS_DIR}"
+          # Copy the artifact to the artifacts directory
+          for path in ${expanded_path}; do
+            echo "Copying path: $path"
+            if [[ ! -e $path ]]; then
+              echo "Skipping non-existent path: $path"
+              continue
+            fi
+            if [[ -d $path ]]; then
+              cp -r $path "${ARTIFACTS_DIR}"
+            else
+              cp $path "${ARTIFACTS_DIR}"
+            fi
+          done
+          # Run the gitleaks scan if ARTIFACTS_DIR is not empty
+          if [ "$(ls -A ${ARTIFACTS_DIR})" ]; then
+            # Create a copy of the artifacts directory for scanning only
+            cp -r "${ARTIFACTS_DIR}" "${SCAN_DIR}"
+            # Unzip any .zip files in ARTIFACTS_DIR
+            # Check if there are .zip files in SCAN_DIR
+            if [ -n "$(find ${SCAN_DIR} -maxdepth 1 -name '*.zip' -print -quit)" ]; then
+              for file in ${SCAN_DIR}/*.zip; do
+                echo "Unzipping $file for scanning"
+                unzip -q $file -d ${SCAN_DIR}
+                rm $file
+              done
+            fi
+
+            ${GITLEAKS_COMMAND} detect --source="${GITLEAKS_SOURCE}" -f -v -f json --no-git || exit_code=$?
+            if [[ $exit_code -ne 0 ]]; then
+              echo "Gitleaks scan failed. It is unsafe to upload the artifacts as requested."
+              echo "To see the scan results, you have to replicate the artifacts and scan locally."
+              echo "See this link for more information: https://jumpcloud.atlassian.net/wiki/spaces/ED/pages/2135654401/GitHub+Actions#Uploading-Artifacts"
+              exit 1
+            fi
+            echo "artifacts-exist=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "${ARTIFACTS_DIR} is empty. Skipping scan and upload."
+            echo "artifacts-exist=false" >> "${GITHUB_OUTPUT}"
+          fi
+        shell: bash
+      - name: Upload Secure Artifacts
+        if: steps.scan-artifacts.outputs.artifacts-exist == 'true'
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.name }}
+          path: ${{ env.ARTIFACTS_DIR }}
+          if-no-files-found: ${{ inputs.if-no-files-found }}
+          retention-days: ${{ inputs.retention-days }}
+          compression-level: ${{ inputs.compression-level }}
+          overwrite: ${{ inputs.overwrite }}
+      - name: Clean Up Tmp Artifacts Directory
+        run: |
+          ### Clean Up Tmp Artifacts Directory ###
+          # Remove the artifacts directory in case this action is used multiple times in the same job.
+          rm -rf "${ARTIFACTS_DIR}"
+        shell: bash
+      - name: Clean Up gitleaks
+        run: |
+          ### Clean Up gitleaks ###
+          rm -rf gitleaks
+        shell: bash
@@ -122,15 +122,10 @@ jobs:
         run: |
           . "${{ github.workspace }}/Deploy/build.ps1" -ModuleVersionType $env:RELEASE_TYPE -ModuleName "JumpCloud.ADMU"
       - name: Upload Nuspec
-        uses: actions/upload-artifact@v3
+        uses: ./.github/actions/upload-secure-artifact
         with:
           name: jumpcloud-admu-build
-          path: |
-            ${{ github.workspace }}/Jumpcloud-ADMU/JumpCloud.ADMU.nuspec
-            ${{ github.workspace }}/Jumpcloud-ADMU/Docs/*.md
-            ${{ github.workspace }}/Jumpcloud-ADMU/Exe/*.exe
-            ${{ github.workspace }}/Jumpcloud-ADMU/Powershell/Form.ps1
-            ${{ github.workspace }}/Jumpcloud-ADMU/JumpCloud.ADMU.psd1
+          path: ${{ github.workspace }}/Jumpcloud-ADMU/JumpCloud.ADMU.nuspec ${{ github.workspace }}/Jumpcloud-ADMU/Docs/*.md ${{ github.workspace }}/Jumpcloud-ADMU/Exe/*.exe ${{ github.workspace }}/Jumpcloud-ADMU/Powershell/Form.ps1 ${{ github.workspace }}/Jumpcloud-ADMU/JumpCloud.ADMU.psd1
           retention-days: 1
   Test-Module:
     needs: ["Setup-Build-Dependancies", "Check-PR-Labels", "Build-Module"]
@@ -143,7 +138,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - name: Download artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: jumpcloud-admu-build
       - uses: actions/cache@v4

@@ -168,21 +168,20 @@ jobs:
           SM_HOST: ${{ secrets.SM_HOST }}
           region: ${{ secrets.AWS_REGION }}
           version: ${{ env.RELEASE_VERSION }}
-      - name: Upload Release Artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: jumpcloud-admu
-          path: |
-            ${{ github.workspace }}/Jumpcloud-ADMU/Exe/*.exe
-            ${{ github.workspace }}/Jumpcloud-ADMU/JumpCloud.ADMU.nuspec
-            ${{ github.workspace }}/JumpCloud.ADMU.*.nupkg
+      - run: pwd
+        shell: bash
+      # - name: Upload Release Artifacts
+      #   uses: D:/a/jumpcloud-ADMU/jumpcloud-ADMU/github/actions/upload-secure-artifact
+      #   with:
+      #     name: jumpcloud-admu
+      #     path: ${{ github.workspace }}/Jumpcloud-ADMU/Exe/*.exe ${{ github.workspace }}/Jumpcloud-ADMU/JumpCloud.ADMU.nuspec ${{ github.workspace }}/JumpCloud.ADMU.*.nupkg
   Draft-GH-Release:
     needs: [Build-Sign-ADMU]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - name: Download ADMU artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: jumpcloud-admu
       - name: Build Draft Release
@@ -211,7 +210,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download ADMU artifact
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: jumpcloud-admu
       - name: Publish

@@ -13,7 +13,7 @@
 
     # Version number of this module.
 
-    ModuleVersion     = '2.7.6'
+    ModuleVersion     = '2.7.7'
 
     # Supported PSEditions
     # CompatiblePSEditions = @()

@@ -153,7 +153,7 @@ function show-mtpSelection {
 <Window
         xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
         xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
-        Title="JumpCloud ADMU 2.7.6"
+        Title="JumpCloud ADMU 2.7.7"
         WindowStyle="SingleBorderWindow"
         ResizeMode="NoResize"
         Background="White" ScrollViewer.VerticalScrollBarVisibility="Visible" ScrollViewer.HorizontalScrollBarVisibility="Visible" Width="1020" Height="590">

@@ -37,7 +37,7 @@ function New-ProgressForm {
     <Window
     xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
     xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
-    Name="Window" Title="JumpCloud ADMU 2.7.6"
+    Name="Window" Title="JumpCloud ADMU 2.7.7"
     WindowStyle="SingleBorderWindow"
     ResizeMode="NoResize"
     Background="White" Width="720" Height="550  ">

@@ -1883,7 +1883,7 @@ Function Start-Migration {
         $AGENT_INSTALLER_URL = "https://cdn02.jumpcloud.com/production/jcagent-msi-signed.msi"
         $AGENT_INSTALLER_PATH = "$windowsDrive\windows\Temp\JCADMU\jcagent-msi-signed.msi"
         $AGENT_CONF_PATH = "$($AGENT_PATH)\Plugins\Contrib\jcagent.conf"
-        $admuVersion = '2.7.6'
+        $admuVersion = '2.7.7'
 
         $script:AdminDebug = $AdminDebug
         $isForm = $PSCmdlet.ParameterSetName -eq "form"