Skip to content

docs: update changelog for upcoming 0.7.4 release #287

docs: update changelog for upcoming 0.7.4 release

docs: update changelog for upcoming 0.7.4 release #287

Workflow file for this run

name: SAST
on:
push:
branches:
- 'main'
pull_request:
schedule:
- cron: '32 3 * * 1'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
codeql:
name: Analyze (CodeQL)
runs-on: ubuntu-latest
timeout-minutes: 45
permissions:
security-events: write # Required to upload CodeQL SARIF results to GitHub code scanning.
actions: read # Required so CodeQL actions can access workflow/action metadata.
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
release-assets.githubusercontent.com:443
repo.maven.apache.org:443
uploads.github.com:443
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Initialize CodeQL
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
languages: java-kotlin,actions
queries: security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
opengrep:
name: Analyze (Opengrep)
runs-on: ubuntu-latest
timeout-minutes: 45
permissions:
security-events: write # Required to upload SARIF results to GitHub code scanning.
actions: read # Required so the upload-sarif action can access workflow metadata.
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
raw.githubusercontent.com:443
github.com:443
rekor.sigstore.dev:443
release-assets.githubusercontent.com:443
semgrep.dev:443
tuf-repo-cdn.sigstore.dev:443
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Load pinned tool versions
id: versions
run: |
opengrep="$(jq -r '.opengrep' tools/github-workflow-tools/versions.json)"
echo "opengrep=${opengrep}" >> "$GITHUB_OUTPUT"
- name: Install Cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
- name: Download Opengrep
env:
OPENGREP_VERSION: ${{ steps.versions.outputs.opengrep }}
run: |
base="https://github.com/opengrep/opengrep/releases/download/${OPENGREP_VERSION}/opengrep_manylinux_x86"
curl -fsSL "${base}" -o opengrep
curl -fsSL "${base}.cert" -o opengrep.cert
curl -fsSL "${base}.sig" -o opengrep.sig
chmod +x opengrep
- name: Verify Opengrep signature
run: |
cosign verify-blob opengrep \
--certificate opengrep.cert \
--signature opengrep.sig \
--certificate-identity-regexp='https://github.com/opengrep/opengrep/' \
--certificate-oidc-issuer='https://token.actions.githubusercontent.com'
- name: Run Opengrep scan
run: |
./opengrep scan \
--config p/java \
--config p/owasp-top-ten \
--sarif-output opengrep.sarif \
.
- name: Upload results to GitHub Code Scanning
if: always()
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: opengrep.sarif
category: opengrep