diff --git a/.github/archived/ci-main-pull-request-checks-stub.yml b/.github/archived/ci-main-pull-request-checks-stub.yml
index 8bb7ceb..48b45ca 100644
--- a/.github/archived/ci-main-pull-request-checks-stub.yml
+++ b/.github/archived/ci-main-pull-request-checks-stub.yml
@@ -32,4 +32,4 @@ jobs:
 perform-sonarqube-sca-scan: true
 perform-blackduck-coverity: false
 perform-blackduck-polaris: true
- generate-sbom: true
\ No newline at end of file
+ generate-sbom: true
diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml
index 59b5868..9bcf0ab 100644
--- a/.github/workflows/ci-main-pull-request-stub.yml
+++ b/.github/workflows/ci-main-pull-request-stub.yml
@@ -7,17 +7,17 @@ name: CI Pull Request on Main Branch
 on:
 pull_request:
- branches: [ main, release/** ]
+ branches: [ nikhil/enable-blackduck-sca, release/** ]
 push:
- branches: [ main, release/** ]
+ branches: [ nikhil/enable-blackduck-sca, release/** ]
 workflow_dispatch:
 permissions:
 contents: read
-
+
 env:
- STUB_VERSION: "1.0.4"
+ STUB_VERSION: "1.0.5"
 jobs:
 echo_version:
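Review bot: The `pull_request` and `push` triggers in the `@@ -7,17 +7,17 @@` hunk now list `nikhil/enable-blackduck-sca` instead of `main`, so once this lands the workflow named "CI Pull Request on Main Branch" will no longer run for pushes or pull requests against main, only for `release/**` and manual dispatch. That reads as a temporary change made to exercise the pipeline on a personal branch rather than an intended trigger change. Before merge both lines should go back to `branches: [ main, release/** ]`; if the feature branch still needs coverage while testing, add it alongside main rather than replacing it, and remove it before merging.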
@@ -29,20 +29,21 @@ jobs:
 echo "CI main pull request stub version $STUB_VERSION"
 call-ci-main-pr-check-pipeline:
- uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
+ uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@nikhil/create-lock-file-runtime
 secrets: inherit
- permissions:
+ permissions:
 id-token: write
 contents: read
- with:
+ with:
 visibility: ${{ github.event.repository.visibility }} # private, public, or internal
 # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/*
 # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest"
- version: '4.2.3' # ${{ github.event.repository.version }}
+ version: '4.2.5' # ${{ github.event.repository.version }}
 detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release"
 detect-version-source-parameter: '' # use for file name
+ language: 'ruby' # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting
 # complexity-checks
 perform-complexity-checks: true
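Review bot: The `uses:` line now points the reusable workflow at `@nikhil/create-lock-file-runtime`, a personal branch of `chef/common-github-actions`, while the same job still passes `secrets: inherit` and grants `id-token: write`; whoever can push to that branch can change what runs with every inherited secret and the OIDC token, and a feature branch is usually not protected the way `main` is. Before merge this should go back to a release ref of the central workflow, or better be pinned to an immutable commit, `uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@<full-commit-sha>` (placeholder for the reviewed commit). The new `language: 'ruby'` input also sits next to a context comment in the next hunk saying language "will be removed from stub as autodetected in central GA"; if the explicit input is now required, that comment should be updated so the two do not contradict each other. The `call-ci-main-pr-check-pipeline` job's inputs continue past the end of this hunk.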
@@ -51,34 +52,34 @@ jobs:
 # trufflehog secret scanning
 perform-trufflehog-scan: true
-
- # ADDED TRIVY SCAN
+
+ # trivy dependency and container scanning
 perform-trivy-scan: true
-
+
 # BlackDuck SAST (Polaris) and SCA scans (requires a build or download to do SAST)
 # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN
 perform-blackduck-polaris: true
- polaris-application-name: "Chef-Agents" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other
- polaris-project-name: 'chef-vault'
- polaris-blackduck-executable: 'path/to/blackduck/binary'
- polaris-executable-detect-path: 'path/to/detect'
-
+ polaris-application-name: "Chef-Agents" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product
+ polaris-project-name: ${{ github.event.repository.name }}
+ # polaris-blackduck-executable: 'path/to/blackduck/binary'
+ # polaris-executable-detect-path: 'path/to/detect'
+
 # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language
- build: false
- # ga-build-profile: $chef-ga-build-profile
+ build: true
+ # ga-build-profile: $chef-ga-build-profile
 # language: $chef-ga-build-language # this will be removed from stub as autodetected in central GA
 unit-tests: false
-
+
 # perform SonarQube scan, with or wihout unit test coverage data
 # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com)
 perform-sonarqube-scan: true
 # perform-sonar-build: true
- # build-profile: 'default'
+ # build-profile: 'default'
 # report-unit-test-coverage: true
 # report to central developer dashboard
 report-to-atlassian-dashboard: false
- quality-product-name: 'Chef-Infra-Client' # product name for quality reporting, like Chef360, Courier, Inspec
+ quality-product-name: 'Chef-Agents' # product name for quality reporting, like Chef360, Courier, Inspec
 # quality-product-name: ${{ github.event.repository.name }} # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec
 # quality-sonar-app-name: 'YourSonarAppName'
 # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security
@@ -92,15 +93,17 @@ jobs:
 # generate and export Software Bill of Materials (SBOM) in various formats
 generate-sbom: true
- export-github-sbom: true # SPDX JSON artifact on job instance
- perform-blackduck-sca-scan: false # combined with generate sbom & generate github-sbom, also needs version above
- blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services'
+ export-github-sbom: true # SPDX JSON artifact on job instance
+ perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above
+ blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product'
 blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name
- generate-blackduck-sbom: false # obsolete, use perform-blackduck-sca-scan instead
-
+ generate-blackduck-sbom: true # obsolete, use perform-blackduck-sca-scan instead
+
+ run-bundle-install: true
+ generate-msft-sbom: false
 license_scout: false # Run license scout for license compliance (uses .license_scout.yml)
 # udf1: 'default' # user defined flag 1
- # udf2: 'default' # user defined flag 2
- # udf3: 'default' # user defined flag 3
\ No newline at end of file
+ # udf2: 'default' # user defined flag 2
+ # udf3: 'default' # user defined flag 3
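Review bot: In the `@@ -92,15 +93,17 @@` hunk `generate-blackduck-sbom` is switched to `true` on a line whose own trailing comment says it is obsolete and superseded by `perform-blackduck-sca-scan`, which the same hunk also turns on; either leave the obsolete input at `false` (or drop it) or correct the comment, because as written the file enables two inputs that it documents as alternatives. The two new inputs `run-bundle-install: true` and `generate-msft-sbom: false` are the only ones in this block with no explanatory comment; every neighbouring input carries one, so add e.g. `run-bundle-install: true # TODO(review): document — presumably resolves gems so a lockfile exists for the SCA scan; confirm`. The same hunk flips `perform-blackduck-sca-scan` to `true`, which the comment says also needs the `version` input set — it is `'4.2.5'` in the earlier hunk, but worth confirming that is the value the scan should report under. The `call-ci-main-pr-check-pipeline` job that these inputs belong to starts outside this hunk.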