From ed26d4a4a75cdd076c6547e81a0bd0fc1caba4da Mon Sep 17 00:00:00 2001
From: Saylor Berman
Date: Thu, 15 May 2025 14:39:26 -0600
Subject: [PATCH 1/2] Update security workflows
Problem: The security workflows are being moved to a centralized place. Solution: Update the workflows to use this new repo.
---
 .github/workflows/codeql-analysis.yml | 38 +++------------------------
 .github/workflows/mend.yml | 34 +++++++++++-------------
 2 files changed, 20 insertions(+), 52 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index ceb6d1f3ba..886fa0b3fd 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,37 +20,7 @@ permissions: contents: read jobs: - analyze: - permissions: - packages: read - actions: read # for github/codeql-action/init to get workflow details - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/autobuild to send a status report - name: Analyze (${{ matrix.language }}) - runs-on: ubuntu-24.04 - - strategy: - fail-fast: false - matrix: - include: - - language: go - build-mode: autobuild - - language: javascript-typescript - build-mode: none - - steps: - - name: Checkout repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - queries: security-and-quality - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17 - with: - category: "/language:${{matrix.language}}" + codeql: + uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@v0.1 + with: + requested_languages: go,javascript-typescript 
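Review bot: The new `uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@v0.1` references the reusable workflow by a mutable tag, whereas every action it replaces was pinned to a full commit SHA with the version kept in a trailing comment; a tag can be moved after the fact, so the call should follow the file's existing convention, `uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@<commit-sha> # v0.1`. The same tag-based reference appears in the mend.yml hunk that replaces the `scan` job, and the same fix applies there. This hunk also drops `queries: security-and-quality` and the per-language `build-mode` mapping, so those settings now depend entirely on what the called workflow does with `requested_languages`; a one-line comment above `uses:` saying that query selection and build modes are configured in compliance-rules would tell the next reader where to look. Whether the called workflow preserves those settings cannot be confirmed from this patch.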
diff --git a/.github/workflows/mend.yml b/.github/workflows/mend.yml
index 9add0c4e87..13c7055881 100644
--- a/.github/workflows/mend.yml
+++ b/.github/workflows/mend.yml
@@ -4,6 +4,7 @@ on: push: branches: - main + - release-* tags: - "v[0-9]+.[0-9]+.[0-9]+*" paths-ignore:
@@ -11,6 +12,15 @@ on: - deploy** - docs/** - examples/** + pull_request: + branches: + - main + - release-* + paths-ignore: + - design/** + - deploy** + - docs/** + - examples/** concurrency: group: ${{ github.ref_name }}-mend
@@ -20,22 +30,10 @@ permissions: contents: read jobs: - scan: - name: Mend - runs-on: ubuntu-24.04 + mend: if: ${{ github.event.repository.fork == false }} - steps: - - name: Checkout Repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - - name: Download agent - run: curl -LJO https://github.com/whitesource/unified-agent-distribution/releases/latest/download/wss-unified-agent.jar - - - name: Verify JAR - run: jarsigner -verify wss-unified-agent.jar - - - name: Scan and upload - env: - PRODUCT_NAME: nginx-gateway-fabric_${{ github.ref_name }} - PROJECT_NAME: nginx-gateway-fabric - run: java -jar wss-unified-agent.jar -noConfig true -wss.url ${{ secrets.WSS_URL }} -apiKey ${{ secrets.WSS_NGINX_TOKEN }} -product $PRODUCT_NAME -project $PROJECT_NAME -d . + uses: nginxinc/compliance-rules/.github/workflows/mend.yml@v0.1 + secrets: inherit + with: + product_name: nginx-gateway-fabric_${{ github.ref_name }} + project_name: nginx-gateway-fabric
From 6f20b998a55dcf3335a783614daf7e5c1a2d130b Mon Sep 17 00:00:00 2001
From: Saylor Berman
Date: Thu, 15 May 2025 14:50:01 -0600
Subject: [PATCH 2/2] Fix permissions
---
 .github/workflows/codeql-analysis.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 886fa0b3fd..f78bf56c40 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
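Review bot: The new `pull_request:` trigger in the `@@ -11,6 +12,15 @@` hunk is not covered by the job's existing guard, because `if: ${{ github.event.repository.fork == false }}` only asks whether the repository running the workflow is itself a fork, not whether the pull request head comes from one. GitHub does not pass repository secrets to `pull_request` runs from fork heads, so on such PRs the `mend` job would presumably start and then run the scan without `WSS_URL`/`WSS_NGINX_TOKEN`, failing noisily rather than being skipped — unless the called workflow handles that case, which this patch does not show. Extending the guard, `if: ${{ github.event.repository.fork == false && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}`, skips the scan for fork-originated PRs and keeps it for branch PRs. The duplicated `paths-ignore` list under `push` and `pull_request` is a style point only; a comment noting that the two lists must be kept in sync would help.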
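Review bot: `secrets: inherit` in the `@@ -20,22 +30,10 @@` hunk forwards every repository and organization secret to the called compliance-rules workflow, while the step it replaces consumed exactly two, `secrets.WSS_URL` and `secrets.WSS_NGINX_TOKEN`. Passing only those explicitly under the input names the called workflow declares (not visible here, so `secrets: <wss_url_input>: ${{ secrets.WSS_URL }}` and the token alongside it as placeholders) keeps the scope to what the scan needs and documents the dependency in this file. The removed `Verify JAR` step ran `jarsigner -verify` on the downloaded agent before executing it; it is worth confirming that the called workflow still performs that check, since nothing in this hunk shows it, and a short comment above `uses:` recording that the download-and-verify steps now live in compliance-rules would preserve that trail for readers.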
@@ -21,6 +21,11 @@ permissions: jobs: codeql: + permissions: + packages: read + actions: read # for github/codeql-action/init to get workflow details + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/autobuild to send a status report uses: nginxinc/compliance-rules/.github/workflows/codeql.yml@v0.1 with: requested_languages: go,javascript-typescript
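Review bot: The comments on the added `permissions` entries still refer to `github/codeql-action/init`, `actions/checkout` and `autobuild`, none of which appear in this file any more; those steps run inside the called compliance-rules workflow, and for a reusable-workflow call this job-level block acts as the ceiling on what that workflow may request rather than a grant to steps defined here. Rewording them to describe that role, e.g. `security-events: write # upper bound for the called compliance-rules codeql workflow (SARIF upload)`, keeps the comments accurate after the move. Nothing visible in either patch uses `packages: read`, so a comment stating why the called workflow needs it — or dropping it if it does not — would be consistent with the least-privilege intent of the block.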