From 5af5bac1663cd8779fe257b73d40ce16c2fdfdd5 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Wed, 26 Jun 2024 03:29:11 +0000 Subject: [PATCH] add Renovate and custom workflow files --- .github/workflows/sync-fork.yml | 85 +++++++++++++++++++ .../trivy-dependencies-submission.yml | 36 ++++++++ .gitignore | 37 -------- renovate.json5 | 12 +++ 4 files changed, 133 insertions(+), 37 deletions(-) create mode 100644 .github/workflows/sync-fork.yml create mode 100644 .github/workflows/trivy-dependencies-submission.yml delete mode 100644 .gitignore create mode 100644 renovate.json5 diff --git a/.github/workflows/sync-fork.yml b/.github/workflows/sync-fork.yml new file mode 100644 index 0000000..b45f997 --- /dev/null +++ b/.github/workflows/sync-fork.yml @@ -0,0 +1,85 @@ +name: Sync fork + +on: + workflow_dispatch: {} + schedule: + - cron: "15 3 * * *" # Run every day at 3:15 UTC + +jobs: + sync: + runs-on: ubuntu-latest + steps: + - name: Checkout fork's default branch + uses: actions/checkout@v4 + with: + fetch-depth: 0 + path: "fork" + - name: Checkout fork's configuration branch + uses: actions/checkout@v4 + with: + path: "configuration" + ref: "renovate-and-workflow-files" + - name: Determine Upstream clone URL + id: upstream-repo-clone-url + uses: actions/github-script@v7 + with: + script: | + const { data } = await github.rest.repos.get({ + owner: context.repo.owner, + repo: context.repo.repo, + }); + if (data.fork) { + return data.parent.clone_url; + } else { + throw new Error('This repository is not a fork.'); + } + result-encoding: string + - name: Determine Upstream default branch + id: upstream-repo-default-branch + uses: actions/github-script@v7 + with: + script: | + const { data } = await github.rest.repos.get({ + owner: context.repo.owner, + repo: context.repo.repo, + }); + if (data.fork) { + return data.parent.default_branch; + } else { + throw new Error('This repository is not a fork.'); + } + result-encoding: string + - name: Sync fork with upstream + run: | + set -ex + cd fork + git config --global user.name "github-actions[bot]" + git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" + git remote add upstream ${{ steps.upstream-repo-clone-url.outputs.result }} + git fetch upstream ${{ steps.upstream-repo-default-branch.outputs.result }} + UPSTREAM_MOST_RECENT_COMMIT_HASH=$(git log upstream/${{ steps.upstream-repo-default-branch.outputs.result }} -n 1 --format="%H") + PREVIOUS_SYNC_COMMIT_HASH=$(cat ../configuration/upstream_commit_hash) + if [ "$PREVIOUS_SYNC_COMMIT_HASH" = "$UPSTREAM_MOST_RECENT_COMMIT_HASH" ]; then + echo "No need to sync, already up-to-date" + exit 0 + fi + + git reset --hard upstream/${{ steps.upstream-repo-default-branch.outputs.result }} + # Enforce the usage of our own config (renovate.json5) + git rm renovate.json* || true + # Avoid problems where an existing .gitignore file would prevent committing our configuration files + git rm .gitignore || true + # Instead of using "cp -r", rsync allows us to exclude the .git directory + rsync -av --exclude '.git' ../configuration/ . + rm upstream_commit_hash + git add . + git commit -m "add Renovate and custom workflow files" + git push --force-with-lease + + cd ../configuration + # git config user.name "github-actions[bot]" + # git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + echo $UPSTREAM_MOST_RECENT_COMMIT_HASH > upstream_commit_hash + git add upstream_commit_hash + git commit -m "update commit hash to $UPSTREAM_MOST_RECENT_COMMIT_HASH" + git push diff --git a/.github/workflows/trivy-dependencies-submission.yml b/.github/workflows/trivy-dependencies-submission.yml new file mode 100644 index 0000000..9f09413 --- /dev/null +++ b/.github/workflows/trivy-dependencies-submission.yml @@ -0,0 +1,36 @@ +name: SBOM upload from Trivy + +on: + push: {} + workflow_dispatch: {} + +jobs: + SBOM-upload: + if: github.ref_name == github.event.repository.default_branch + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@0.23.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'github' + output: 'trivy-results.gsbom' + + - name: Upload report file + uses: actions/upload-artifact@v4 + with: + name: trivy-results + path: trivy-results.gsbom + + - name: Upload dependency graph + uses: actions/github-script@v7 + with: + script: | + const fs = require('fs'); + const fileContent = fs.readFileSync('trivy-results.gsbom', 'utf8'); + const jsonContent = JSON.parse(fileContent); + await github.request(`POST /repos/${context.repo.owner}/${context.repo.repo}/dependency-graph/snapshots`, jsonContent); + result-encoding: string diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 05236d8..0000000 --- a/.gitignore +++ /dev/null @@ -1,37 +0,0 @@ -# SPDX-FileCopyrightText: 2021 RTE FRANCE -# -# SPDX-License-Identifier: Apache-2.0 - -HELP.md -target/ -.scannerwork -sonar-project.properties -!.mvn/wrapper/maven-wrapper.jar -!**/src/main/** -!**/src/test/** - -### STS ### -.apt_generated -.classpath -.factorypath -.project -.settings -.springBeans -.sts4-cache - -### IntelliJ IDEA ### -.idea -*.iws -*.iml -*.ipr - -### NetBeans ### -/nbproject/private/ -/nbbuild/ -/dist/ -/nbdist/ -/.nb-gradle/ -build/ - -### VS Code ### -.vscode/ diff --git a/renovate.json5 b/renovate.json5 new file mode 100644 index 0000000..53fe2ac --- /dev/null +++ b/renovate.json5 @@ -0,0 +1,12 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended", + ":disableRateLimiting" + ], + "labels": ["dependencies", "depManager:{{{manager}}}"], + "vulnerabilityAlerts": { + "labels": ["security", "dependencies", "depManager:{{{manager}}}"], + }, + "forkProcessing": "enabled" +}