Merge branch 'main' into main

.github/dependabot.yml

@@ -5,12 +5,12 @@
 
 version: 2
 updates:
-  - package-ecosystem: "npm" 
+  - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
-      
-  - package-ecosystem: "github-actions" 
+
+  - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"

.github/workflows/lint.yaml

@@ -0,0 +1,31 @@
+name: Lint
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+
+  pre-commit:
+    name: pre-commit
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: 3.8
+
+      - name: Cache pre-commit
+        uses: actions/cache@v3
+        with:
+          path: ~/.cache/pre-commit
+          key: pre-commit-3|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
+
+      - name: Install pre-commit
+        run: pip3 install pre-commit
+
+      - name: Run pre-commit
+        run: pre-commit run --all-files --show-diff-on-failure --color always

.pre-commit-config.yaml

@@ -0,0 +1,6 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+  rev: v4.3.0
+  hooks:
+  - id: trailing-whitespace
+    files: (automation/|ci/|code-scanning/|deployments/|pages/).*(yaml|yml|json)$

README.md

@@ -50,3 +50,23 @@ These variables can be placed in the starter workflow and will be substituted as
 * `$default-branch`: will substitute the branch from the repository, for example `main` and `master`
 * `$protected-branches`: will substitute any protected branches from the repository
 * `$cron-daily`: will substitute a valid but random time within the day
+
+## How to test templates before publishing
+
+### Disable template for public
+The template author adds a `labels` array in the template's `properties.json` file with a label `preview`. This will hide the template from users, unless user uses query parameter `preview=true` in the URL.
+Example `properties.json` file:
+```json
+{
+    "name": "Node.js",
+    "description": "Build and test a Node.js project with npm.",
+    "iconName": "nodejs",
+    "categories": ["Continuous integration", "JavaScript", "npm", "React", "Angular", "Vue"],
+    "labels": ["preview"]
+}
+```
+
+For viewing the templates with `preview` label, provide query parameter `preview=true` to the  `new workflow` page URL. Eg. `https://github.com/<owner>/<repo_name>/actions/new?preview=true`.
+
+### Enable template for public
+Remove the `labels` array from `properties.json` file to publish the template to public

ci/ada.yml

@@ -17,7 +17,7 @@ jobs:
 
     - name: Set up GNAT toolchain
       run: >
-        sudo apt-get update && 
+        sudo apt-get update &&
         sudo apt-get install gnat gprbuild
 
     - name: Build

ci/cmake.yml

@@ -31,7 +31,7 @@ jobs:
 
     - name: Test
       working-directory: ${{github.workspace}}/build
-      # Execute tests defined by the CMake configuration.  
+      # Execute tests defined by the CMake configuration.
       # See https://cmake.org/cmake/help/latest/manual/ctest.1.html for more detail
       run: ctest -C ${{env.BUILD_TYPE}}
-      
+

ci/go-ossf-slsa3-publish.yml

@@ -3,10 +3,10 @@
 # separate terms of service, privacy policy, and support
 # documentation.
 
-# This workflow lets you compile your Go project using a SLSA3 compliant builder. 
-# This workflow will generate a so-called "provenance" file describing the steps 
+# This workflow lets you compile your Go project using a SLSA3 compliant builder.
+# This workflow will generate a so-called "provenance" file describing the steps
 # that were performed to generate the final binary.
-# The project is an initiative of the OpenSSF (openssf.org) and is developed at 
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
 # https://github.com/slsa-framework/slsa-github-generator.
 # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
 # For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
@@ -21,7 +21,7 @@ permissions: read-all
 
 jobs:
   # ========================================================================================================================================
-  #     Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.      
+  #     Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
   #       See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file
   #=========================================================================================================================================
   build:

ci/makefile.yml

@@ -13,15 +13,15 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
-    
+
     - name: configure
       run: ./configure
-      
+
     - name: Install dependencies
       run: make
-      
+
     - name: Run check
       run: make check
-      
+
     - name: Run distcheck
       run: make distcheck

ci/npm-grunt.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       matrix:
         node-version: [14.x, 16.x, 18.x]
-    
+
     steps:
     - uses: actions/checkout@v3
 

ci/npm-gulp.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       matrix:
         node-version: [14.x, 16.x, 18.x]
-    
+
     steps:
     - uses: actions/checkout@v3
 

ci/webpack.yml

@@ -13,7 +13,7 @@ jobs:
     strategy:
       matrix:
         node-version: [14.x, 16.x, 18.x]
-    
+
     steps:
     - uses: actions/checkout@v3
 

code-scanning/apisec-scan.yml

@@ -3,8 +3,8 @@
 # separate terms of service, privacy policy, and support
 # documentation.
 
-# APIsec addresses the critical need to secure APIs before they reach production. 
-# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. 
+# APIsec addresses the critical need to secure APIs before they reach production.
+# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
 # Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.
 
 # How to Get Started with APIsec.ai
@@ -50,12 +50,12 @@ jobs:
   Trigger_APIsec_scan:
     permissions:
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
 
     steps:
        - name: APIsec scan
-         uses: apisec-inc/apisec-run-scan@f62d0c6fae8a80f97b091a323befdb56e6ad9993
+         uses: apisec-inc/apisec-run-scan@f748a240d69ca6cd7e9532fd0a47bec4ccd6a73c
          with:
           # The APIsec username with which the scans will be executed
           apisec-username: ${{ secrets.apisec_username }}

code-scanning/brakeman.yml

@@ -25,7 +25,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     name: Brakeman Scan
     runs-on: ubuntu-latest
     steps:

code-scanning/checkmarx-one.yml

@@ -0,0 +1,55 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# The Checkmarx One GitHub Action enables you to trigger SAST, SCA, and KICS scans directly from the GitHub workflow. 
+# It provides a wrapper around the Checkmarx One CLI Tool which creates a zip archive from your source code repository 
+# and uploads it to Checkmarx One for scanning. The Github Action provides easy integration with GitHub while enabling 
+# scan customization using the full functionality and flexibility of the CLI tool.
+
+# This is a basic workflow to help you get started with Using Checkmarx One Action, 
+# documentation can be found here : https://checkmarx.com/resource/documents/en/34965-68702-checkmarx-one-github-actions.html
+
+name: Checkmarx Scan
+
+# Controls when the workflow will run
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+    branches: [ $default-branch, $protected-branches ]
+
+permissions:
+  contents: read
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif
+
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # This step checks out a copy of your repository.
+      - name: Checkout repository
+        uses: actions/checkout@v3
+      # This step creates the Checkmarx One scan 
+      - name: Checkmarx One scan
+        uses: checkmarx/ast-github-action@8e887bb93dacc44e0f5b64ee2b06d5815f89d4fc
+        with:
+          base_uri: https://ast.checkmarx.net  # This should be replaced by your base uri for Checkmarx One
+          cx_client_id: ${{ secrets.CX_CLIENT_ID }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
+          cx_client_secret: ${{ secrets.CX_CLIENT_SECRET }} # This should be created within your Checkmarx One account : https://checkmarx.com/resource/documents/en/34965-118315-authentication-for-checkmarx-one-cli.html#UUID-a4e31a96-1f36-6293-e95a-97b4b9189060_UUID-4123a2ff-32d0-2287-8dd2-3c36947f675e
+          cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by your tenant for Checkmarx One
+          additional_params: --report-format sarif --output-path .
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: cx_result.sarif

code-scanning/checkmarx.yml

@@ -29,7 +29,7 @@ jobs:
       issues: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to github issues
       pull-requests: write # for checkmarx-ts/checkmarx-cxflow-github-action to write feedback to PR
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     runs-on: ubuntu-latest
 
     # Steps require - checkout code, run CxFlow Action, Upload SARIF report (optional)

code-scanning/clj-holmes.yml

@@ -16,15 +16,15 @@ on:
 
 permissions:
   contents: read
-  
+
 jobs:
   clj-holmes:
     name: Run clj-holmes scanning
     runs-on: ubuntu-latest
     permissions:
       contents: read
       security-events: write
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     steps:
       - name: Checkout code
         uses: actions/checkout@v2

code-scanning/clj-watson.yml

@@ -6,7 +6,7 @@
 # seeking for vulnerable direct/transitive dependencies and
 # build a report with all the information needed to help you
 # understand how the vulnerability manifest in your software.
-# More details at https://github.com/clj-holmes/clj-watson 
+# More details at https://github.com/clj-holmes/clj-watson
 
 name: clj-watson
 
@@ -29,7 +29,7 @@ jobs:
     permissions:
       contents: read
       security-events: write
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
@@ -40,7 +40,7 @@ jobs:
           clj-watson-sha: "65d928c"
           clj-watson-tag: "v4.0.1"
           database-strategy: github-advisory
-          aliases: clojure-lsp,test 
+          aliases: clojure-lsp,test
           deps-edn-path: deps.edn
           suggest-fix: true
           output-type: sarif

code-scanning/cloudrail.yml

@@ -9,7 +9,7 @@ on:
   push:
     branches: [ $default-branch, $protected-branches ]
   pull_request:
-    branches: [ $default-branch ]  
+    branches: [ $default-branch ]
   schedule:
     - cron: $cron-weekly
 
@@ -26,7 +26,7 @@ jobs:
       - name: Clone repo
         uses: actions/checkout@v3
 
-      # For Terraform, Cloudrail requires the plan as input. So we generate it using 
+      # For Terraform, Cloudrail requires the plan as input. So we generate it using
       # the Terraform core binary.
       - uses: hashicorp/setup-terraform@v1
         with:
@@ -53,6 +53,6 @@ jobs:
         uses: github/codeql-action/upload-sarif@v2
         # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always()
         # is needed to ensure the SARIF file is uploaded
-        if: always() 
+        if: always()
         with:
           sarif_file: cloudrail_results.sarif

code-scanning/codacy.yml

@@ -30,7 +30,7 @@ jobs:
     permissions:
       contents: read # for actions/checkout to fetch code
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     name: Codacy Security Scan
     runs-on: ubuntu-latest
     steps:

code-scanning/codeql.yml

@@ -48,11 +48,11 @@ jobs:
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
+
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-        
+
     # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
@@ -61,7 +61,7 @@ jobs:
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
     #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
     # - run: |

code-scanning/codescan.yml

@@ -25,7 +25,7 @@ jobs:
         permissions:
           contents: read # for actions/checkout to fetch code
           security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-          actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 
+          actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
         runs-on: ubuntu-latest
         steps:
             -   name: Checkout repository