From e7573f97d364ab65af1d10468028b4894de66ef0 Mon Sep 17 00:00:00 2001
From: Mike Dial <48921055+mdial89f@users.noreply.github.com>
Date: Tue, 12 Dec 2023 14:00:20 -0500
Subject: [PATCH] feat(snyk support): Changes to use Snyk for dependencies,
licenses, and code analysis (#257)
* Add logic to map any snyk- branch to the stage name snyk, to stay within character length limits
* Remove OBE workflow that was largely unused
* remove OBE workflow, replaced by snyk check
* Remove codeql in favor of snyk
* Update badge
* bump
---
.github/workflows/codeql.yml | 80 -------------------------
.github/workflows/dependency-review.yml | 22 -------
.github/workflows/dependency-update.yml | 68 ---------------------
.github/workflows/deploy.yml | 20 +++----
.github/workflows/destroy.yml | 6 +-
.github/workflows/workspace-setup.yml | 4 +-
README.md | 4 +-
7 files changed, 17 insertions(+), 187 deletions(-)
delete mode 100644 .github/workflows/codeql.yml
delete mode 100644 .github/workflows/dependency-review.yml
delete mode 100644 .github/workflows/dependency-update.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index b80384406e..0000000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,80 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
- push:
- branches: ["master", production, val]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: ["master"]
- schedule:
- - cron: "31 23 * * 5"
-
-jobs:
- analyze:
- name: Analyze
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
-
- strategy:
- fail-fast: false
- matrix:
- language: ["javascript"]
- # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
- # Use only 'java' to analyze code written in Java, Kotlin or both
- # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
- # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v2
- with:
- languages: ${{ matrix.language }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
-
- # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
- # queries: security-extended,security-and-quality
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
- # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v2
-
- # âšī¸ Command-line programs to run using the OS shell.
- # đ See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
- # If the Autobuild fails above, remove it and uncomment the following three lines.
- # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
- # - run: |
- # echo "Run, Build Application using script"
- # ./location_of_script_within_repo/buildscript.sh
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v2
- with:
- category: "/language:${{matrix.language}}"
-
- - uses: actions/upload-artifact@v3
- with:
- name: my-artifact
- path: results/javascript.sarif
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
deleted file mode 100644
index 0b088bd8d8..0000000000
--- a/.github/workflows/dependency-review.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-# Dependency Review Action
-#
-# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
-#
-# Source repository: https://github.com/actions/dependency-review-action
-# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
-name: "Dependency Review"
-on: [pull_request]
-
-permissions:
- contents: read
-
-jobs:
- dependency-review:
- runs-on: ubuntu-latest
- steps:
- - name: "Checkout Repository"
- uses: actions/checkout@v3
- - name: "Dependency Review"
- uses: actions/dependency-review-action@v2
- with:
- fail-on-severity: moderate # Ignore low findings.
diff --git a/.github/workflows/dependency-update.yml b/.github/workflows/dependency-update.yml
deleted file mode 100644
index f6e6f36713..0000000000
--- a/.github/workflows/dependency-update.yml
+++ /dev/null
@@ -1,68 +0,0 @@
-name: Dependency Update
-
-on:
- workflow_dispatch:
-
-concurrency:
- group: ${{ github.workflow }}
-
-jobs:
- upgrade-dependencies:
- runs-on: ubuntu-20.04
- env:
- deps_branch_name: dep-update
- steps:
- - name: Checkout
- uses: actions/checkout@v3
- with:
- ssh-key: ${{ secrets.DEPLOY_KEY }}
- fetch-depth: 0
-
- # We deliberately do not use the setup action, as we do not want node caching here.
- - name: Configure direnv
- uses: HatsuneMiku3939/direnv-action@v1
-
- - name: Install Node
- uses: actions/setup-node@v3
- with:
- node-version-file: .nvmrc
-
- - name: Upgrade all node dependencies
- id: upgrade
- run: |
- lockfiles=(`find . -name "yarn.lock" ! -path '*/node_modules/*'`)
- for i in "${lockfiles[@]}"
- do
- yarn --cwd "${i%/*}" upgrade
- done
- if [ "$(git status --porcelain)" ]; then
- echo "::set-output name=changes::true"
- fi
- - name: Commit code to deps branch
- if: ${{ steps.upgrade.outputs.changes }}
- run: |
- git config user.name github-actions
- git config user.email github-actions@github.com
- git branch -D $deps_branch_name || true
- git checkout -b $deps_branch_name
- git commit -a -m "chore(deps): Upgrade all node dependencies"
- git push --set-upstream origin $deps_branch_name --force
- - name: Slack Notification - notify of failure
- uses: rtCamp/action-slack-notify@v2
- if: env.SLACK_WEBHOOK != '' && failure()
- env:
- SLACK_COLOR: ${{job.status}}
- SLACK_ICON: https://github.com/${{ github.repository_owner }}.png?size=48
- SLACK_TITLE: Failure
- SLACK_USERNAME: ${{ github.repository }} ${{job.status}}
- SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
- - name: Slack Notification - notify of success
- uses: rtCamp/action-slack-notify@v2
- if: env.SLACK_WEBHOOK != ''
- env:
- SLACK_COLOR: ${{job.status}}
- SLACK_ICON: https://github.com/${{ github.repository_owner }}.png?size=48
- SLACK_TITLE: Update Dependencies Workflow - SUCCESS
- SLACK_MESSAGE: Click https://github.com/${{ github.repository }}/compare/master...${{ env.deps_branch_name }}?quick_pull=1&labels=deps&title=chore(deps):+Update+Dependencies&body=Update+all+dependencies. to create a PR for the updates to go to master.
- SLACK_USERNAME: ${{ github.repository }} ${{job.status}}
- SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 243a97b2e0..934587c0bd 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -7,10 +7,10 @@ on:
- "!skipci*"
concurrency:
- group: ${{ github.ref_name }}-group
+ group: ${{ startsWith(github.ref_name, 'snyk-') && 'snyk' || github.ref_name }}-group
env:
- STAGE_NAME: ${{ github.ref_name }}
+ STAGE_NAME: ${{ startsWith(github.ref_name, 'snyk-') && 'snyk' || github.ref_name }}
permissions:
id-token: write
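Review bot: The new `concurrency.group` and `STAGE_NAME` expressions fold every `snyk-*` branch into a single `snyk` stage, so two Snyk branches pushed close together deploy to the same stack and contend for one concurrency group (whether the second run is cancelled or queued depends on a `cancel-in-progress` setting outside this hunk). The same holds for any collaborator branch that merely starts with `snyk-`, so if the `snyk` environment carries protection rules or secrets that ad-hoc stages do not, that prefix is now the only gate; worth confirming that is intended. The reason for the mapping (stage-name length limits, per the commit message) is not visible in the file, and a comment above `concurrency` such as `# snyk-* branches share the single stage 'snyk': their full names exceed the stage-name length limit` would save the next reader a trip to the git log. The identical expression is repeated in every hunk of this file and again in workspace-setup.yml and destroy.yml, so a future change to the prefix must be made in a dozen places; the job-level `environment.name` values could at least read one output of the `init` job, though workflow-level `env` and `concurrency` cannot reference job outputs.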
@@ -32,7 +32,7 @@ jobs:
needs:
- init
environment:
- name: ${{ github.ref_name }}
+ name: ${{ startsWith(github.ref_name, 'snyk-') && 'snyk' || github.ref_name }}
steps:
- name: Checkout
uses: actions/checkout@v3
@@ -46,7 +46,7 @@ jobs:
needs:
- cache
environment:
- name: ${{ github.ref_name }}
+ name: ${{ startsWith(github.ref_name, 'snyk-') && 'snyk' || github.ref_name }}
url: ${{ steps.deployment-data.outputs.APPURL }}
outputs:
app-url: ${{ steps.deployment-data.outputs.APPURL }}
@@ -70,7 +70,7 @@ jobs:
- name: Set Site URL
id: deployment-data
run: |
- echo ${{ github.ref_name }}
+ echo ${{ startsWith(github.ref_name, 'snyk-') && 'snyk' || github.ref_name }}
echo "APPURL=$(
aws cloudformation \
--region us-east-1 describe-stacks \
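Review bot: The updated `echo ${{ ... }}` line still expands the branch name into the shell script text before it runs, so a branch name containing shell metacharacters is interpreted rather than printed; this pattern predates the commit, but since the same value is already exported as `STAGE_NAME` in the workflow-level `env` block, the step can read the environment variable instead: `echo "$STAGE_NAME"`. The `Set Site URL` step body continues past the end of the hunk.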
@@ -92,7 +92,7 @@ jobs:
needs:
- deploy
environment:
- name: ${{ github.ref_name }}-kibana
+ name: ${{ startsWith(github.ref_name, 'snyk-') && 'snyk' || github.ref_name }}-kibana
url: ${{ needs.deploy.outputs.kibana-url }}
steps:
- name: Display Kibana URL
@@ -104,7 +104,7 @@ jobs:
needs:
- cache
environment:
- name: ${{ github.ref_name }}
+ name: ${{ startsWith(github.ref_name, 'snyk-') && 'snyk' || github.ref_name }}
steps:
- name: Checkout
uses: actions/checkout@v3
@@ -154,7 +154,7 @@ jobs:
needs:
- deploy
environment:
- name: ${{ github.ref_name }}
+ name: ${{ startsWith(github.ref_name, 'snyk-') && 'snyk' || github.ref_name }}
steps:
- name: Checkout
uses: actions/checkout@v3
@@ -186,7 +186,7 @@ jobs:
needs:
- deploy
environment:
- name: ${{ github.ref_name }}
+ name: ${{ startsWith(github.ref_name, 'snyk-') && 'snyk' || github.ref_name }}
steps:
- name: Checkout
uses: actions/checkout@v3
@@ -215,7 +215,7 @@ jobs:
- name: Archive stage resources
uses: actions/upload-artifact@v3
with:
- name: aws-resources-${{ github.ref_name }}
+ name: aws-resources-${{ startsWith(github.ref_name, 'snyk-') && 'snyk' || github.ref_name }}
path: resources/aws-resources.json
release:
diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml
index ed62b9b9c0..f746d5efb8 100644
--- a/.github/workflows/destroy.yml
+++ b/.github/workflows/destroy.yml
@@ -22,9 +22,9 @@ jobs:
)
runs-on: ubuntu-20.04
environment:
- name: ${{ inputs.environment || github.event.ref }}
+ name: ${{ inputs.environment || (startsWith(github.event.ref, 'snyk-') && 'snyk' || github.event.ref) }}
env:
- STAGE_NAME: ${{ inputs.environment || github.event.ref }}
+ STAGE_NAME: ${{ inputs.environment || (startsWith(github.event.ref, 'snyk-') && 'snyk' || github.event.ref) }}
permissions:
id-token: write
contents: read
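Review bot: The mapping in the new `environment.name` and `STAGE_NAME` lines is applied only to `github.event.ref`, not to `inputs.environment`, so a manual dispatch that names a `snyk-…` branch targets a stage deploy.yml never created under that name while the real `snyk` stage stays up. Applying the prefix check to the resolved value closes the gap: `${{ startsWith(inputs.environment || github.event.ref, 'snyk-') && 'snyk' || (inputs.environment || github.event.ref) }}`. Separately, because every `snyk-*` branch resolves to the same stage, deleting one of them presumably tears down the stack while other `snyk-*` branches are still open, unless something outside this hunk guards against that; the `delete-deployment-environment` hunk later in this file has the same two issues. The job definition, including the condition closed by the `)` at the top of the hunk, begins before this hunk.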
@@ -61,5 +61,5 @@ jobs:
- uses: strumwolf/delete-deployment-environment@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
- environment: ${{ inputs.environment || github.event.ref }}
+ environment: ${{ inputs.environment || (startsWith(github.event.ref, 'snyk-') && 'snyk' || github.event.ref) }}
onlyRemoveDeployments: true
diff --git a/.github/workflows/workspace-setup.yml b/.github/workflows/workspace-setup.yml
index 6e99b11eee..b55c5d5046 100644
--- a/.github/workflows/workspace-setup.yml
+++ b/.github/workflows/workspace-setup.yml
@@ -6,7 +6,7 @@ on:
- cron: "0 10 * * SUN"
concurrency:
- group: ${{ github.ref_name }}-test-ws-setup
+ group: ${{ startsWith(github.ref_name, 'snyk-') && 'snyk' || github.ref_name }}-test-ws-setup
jobs:
test:
@@ -88,4 +88,4 @@ jobs:
SLACK_ICON: https://github.com/Enterprise-CMCS.png?size=48
SLACK_TITLE: Failure
SLACK_USERNAME: ${{ github.repository }} - ${{job.status}}
- SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
\ No newline at end of file
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
diff --git a/README.md b/README.md
index 9deb4311ae..dd1e2c0d64 100644
--- a/README.md
+++ b/README.md
@@ -17,8 +17,8 @@
-
-
+
+