diff --git a/.binny.yaml b/.binny.yaml
index 6907cfa7a..15e848809 100644
--- a/.binny.yaml
+++ b/.binny.yaml
@@ -1,8 +1,13 @@
+# only pull in version updates that were released more than a week ago (low-pass filter for quickly-retracted releases) +cooldown: 7d + tools: + ## internal tools ############################################################################ + # we want to use a pinned version of binny to manage the toolchain (so binny manages itself!) - name: binny version: - want: v0.12.0 + want: v0.13.0 method: github-release with: repo: anchore/binny
@@ -10,7 +15,7 @@ tools:
 # used to produce SBOMs during release
 - name: syft
 version:
- want: latest
+ want: v1.42.3
 method: github-release
 with:
 repo: anchore/syft
@@ -23,6 +28,16 @@ tools:
 with: repo: anchore/quill + # used at release to generate the changelog + - name: chronicle + version: + want: v0.8.0 + method: github-release + with: + repo: anchore/chronicle + + ## external tools ############################################################################ + # used for linting - name: golangci-lint version:
@@ -58,7 +73,7 @@ tools:
 # used to release all artifacts
 - name: goreleaser
 version:
- want: v2.15.1
+ want: v2.15.2
 method: github-release
 with:
 repo: goreleaser/goreleaser
@@ -71,14 +86,6 @@ tools:
 with: repo: rinchsan/gosimports - # used at release to generate the changelog - - name: chronicle - version: - want: v0.8.0 - method: github-release - with: - repo: anchore/chronicle - # used during static analysis for license compliance - name: bouncer version:
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index db82b897b..fc3b7bd6d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -40,7 +40,7 @@ updates:
 - package-ecosystem: "github-actions"
 directories:
 - "/"
- - "/.github/actions/bootstrap"
+ - "/.github/actions/*"
 cooldown:
 default-days: 7
 schedule:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 270cf2982..000000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,76 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -name: "CodeQL Security Scan" - -on: - push: - branches: - # only run when there are pushes to the main branch (not on PRs) - - main - - schedule: - - cron: '0 0 * * 3' - -permissions: - contents: read - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-22.04-4core-16gb - if: github.repository == 'anchore/syft' # only run for main repo - permissions: - security-events: write - - strategy: - fail-fast: false - matrix: - # Override automatic language detection by changing the below list - # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python'] - language: ['go', 'python'] - # Learn more... - # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection - - steps: - - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - with: - persist-credentials: false - - - name: Install Go - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 #v6.3.0 - with: - go-version-file: go.mod - check-latest: true - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 - - # ℹ️ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl - - # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 000000000..cb9ebe697
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,81 @@
+# CodeQL scans for security vulnerabilities and coding errors across all
+# languages in this repo. Results appear in the "Security" tab under
+"Code scanning alerts" and are enforced by branch protection rules.
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ # Weekly scheduled scan catches newly disclosed vulnerabilities in
+ # existing code, not just changes introduced by PRs.
+ schedule:
+ - cron: '38 11 * * 3'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ permissions:
+ # Required to upload SARIF results to the "Security" tab.
+ security-events: write
+ # Required to fetch internal or private CodeQL packs.
+ packages: read
+ # Only required for workflows in private repositories.
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ # GitHub Actions workflow linting — no build needed.
+ - language: actions
+ build-mode: none
+
+ # Go uses "manual" build mode so we control exactly what gets
+ # compiled. The default "autobuild" finds the Makefile and runs
+ # the full CI pipeline (lint, test, snapshot release, etc.),
+ # which is far more work than CodeQL needs. All it requires is
+ # compiled Go source so it can build a type-resolved code graph
+ # for analysis.
+ - language: go
+ build-mode: manual
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ with:
+ persist-credentials: false
+
+ # Pin the Go toolchain to whatever go.mod declares so CodeQL
+ # analyzes with the same version the project actually uses.
+ # Only runs for the Go matrix entry.
+ - name: Setup Go
+ if: matrix.language == 'go'
+ uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ with:
+ go-version-file: go.mod
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+
+ # Minimal build for Go: compile all packages so CodeQL gets a full
+ # type-resolved code graph for analysis.
+ - name: Build (Go)
+ if: matrix.build-mode == 'manual'
+ shell: bash
+ run: go build ./...
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+ with:
+ # The category tag lets GitHub associate SARIF results with the
+ # correct language when branch protection checks for required
+ # code scanning results.
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/detect-schema-changes.yaml b/.github/workflows/detect-schema-changes.yaml
index c86b2aeb8..2a7a99974 100644
--- a/.github/workflows/detect-schema-changes.yaml
+++ b/.github/workflows/detect-schema-changes.yaml
@@ -1,3 +1,5 @@
+# Note: this workflow has been disabled manually in the UI and will be replaced in short order
+
 name: "Detect schema changes"
 
 on:
diff --git a/.github/workflows/test-fixture-cache-publish.yaml b/.github/workflows/test-fixture-cache-publish.yaml
deleted file mode 100644
index a5618b5d0..000000000
--- a/.github/workflows/test-fixture-cache-publish.yaml
+++ /dev/null
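Review bot: The new `analyze` job drops the `if: github.repository == 'anchore/syft'` guard that the deleted codeql-analysis.yml carried, so every fork now runs the weekly scheduled scan plus a full `go build ./...` on each push and PR; if that was not intended, `if: github.repository == 'anchore/syft'` on the job restores the old behaviour. The deleted workflow also analyzed `python`, which the new matrix replaces with `actions` and `go` — if the Python coverage was deliberate rather than incidental, it needs a matrix entry, and the drop deserves a sentence in the commit description either way. The two Go-only steps gate on different predicates (`if: matrix.language == 'go'` for setup-go, `if: matrix.build-mode == 'manual'` for the build), so a future matrix entry could get a toolchain without a build or vice versa; using one predicate for both avoids that. There is also a stray blank line between the checkout step's `uses:` and `with:` keys.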
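Review bot: The added note describes a disabled state that exists only in the repository's Actions UI, which a reviewer of this file cannot see and which a revert or a fork does not carry; the `name:` and `on:` lines that follow are unchanged, so the workflow is still fully defined here. Until the replacement lands, expressing the state in the file — an `if: false` on the jobs, or commenting out the `on:` triggers — keeps it visible in review and in history. The job definitions are outside the hunk.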
@@ -1,48 +0,0 @@
-name: "Test fixture cache: publish" - -on: - workflow_dispatch: - schedule: - # run nightly at 4AM UTC - - cron: "0 4 * * *" - -permissions: - contents: read - -jobs: - - Publish: - name: "Publish test fixture image cache" - # runs-on.com: general purpose instances for building test fixture cache - # spot disabled: can run up to an hour, avoid interruptions - # s3-cache: faster actions cache - # family: note that m*d instances have local nvme storage which is beneficial for building large test fixture images - runs-on: "runs-on=${{ github.run_id }}/cpu=8+16/ram=32+64/family=m5d+m5ad+m5dn+m6gd+m6id+m6idn+m7gd+m8gd/spot=false/extras=s3-cache" - if: github.repository == 'anchore/syft' # only run for main repo - permissions: - packages: write - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - with: - persist-credentials: false - - - name: Bootstrap environment - uses: ./.github/actions/bootstrap - with: - # we want to rebuild the cache with no previous state - download-test-fixture-cache: false - - - name: Run all tests - run: | - make test - env: - # we want to rebuild the cache with no previous state - DOWNLOAD_TEST_FIXTURE_CACHE: "false" - - - name: Login to GitHub Container Registry (ORAS) - run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin - env: - ACTOR: ${{ github.actor }} - - - name: Publish test fixture cache - run: make upload-test-fixture-cache
diff --git a/.github/workflows/update-cpe-dictionary-index.yml b/.github/workflows/update-cpe-dictionary-index.yml
deleted file mode 100644
index ba4e63277..000000000
--- a/.github/workflows/update-cpe-dictionary-index.yml
+++ /dev/null
@@ -1,84 +0,0 @@
-name: PR to update CPE dictionary index -on: - schedule: - - cron: "0 1 * * 1" # every monday at 1 AM - - workflow_dispatch: - -permissions: - contents: read - -env: - SLACK_NOTIFICATIONS: true - -jobs: - upgrade-cpe-dictionary-index: - runs-on: ubuntu-latest - permissions: - contents: read - packages: write - if: github.repository == 'anchore/syft' # only run for main repo - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - with: - persist-credentials: false - - - name: Bootstrap environment - uses: ./.github/actions/bootstrap - id: bootstrap - - - name: Login to GitHub Container Registry - run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin - env: - ACTOR: ${{ github.actor }} - - - name: Pull CPE cache from registry - run: make generate:cpe-index:cache:pull - - - name: Update CPE cache from NVD API - run: make generate:cpe-index:cache:update - env: - NVD_API_KEY: ${{ secrets.NVD_API_KEY }} - - - name: Generate CPE dictionary index - run: make generate:cpe-index:build - - - name: Push updated CPE cache to registry - run: make generate:cpe-index:cache:push - - - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 #v3.0.0 - id: generate-token - with: - app-id: ${{ secrets.TOKEN_APP_ID }} - private-key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }} - - - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0 - with: - signoff: true - delete-branch: true - branch: auto/latest-cpe-dictionary-index - labels: dependencies - commit-message: "chore(deps): update CPE dictionary index" - title: "chore(deps): update CPE dictionary index" - body: | - Update CPE dictionary index based on the latest available CPE dictionary - token: ${{ steps.generate-token.outputs.token }} - - - name: Notify Slack on failure - uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 #v3.0.1 - with: - webhook: ${{ 
secrets.SLACK_TOOLBOX_WEBHOOK_URL }} - webhook-type: incoming-webhook - payload: | - text: "Syft CPE dictionary index update failed" - blocks: - - type: section - text: - type: mrkdwn - text: | - *Syft CPE dictionary index update failed* - • Workflow: `${{ github.workflow }}` - • Event: `${{ github.event_name }}` - • Job Status: `${{ job.status }}` - • <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run> - if: ${{ failure() && env.SLACK_NOTIFICATIONS == 'true' }}
diff --git a/.github/workflows/update-spdx-license-list.yaml b/.github/workflows/update-spdx-license-list.yaml
deleted file mode 100644
index 61961e26e..000000000
--- a/.github/workflows/update-spdx-license-list.yaml
+++ /dev/null
@@ -1,64 +0,0 @@
-name: PR to update SPDX license list -on: - schedule: - - cron: "0 6 * * 1" # every monday at 6 AM UTC - - workflow_dispatch: - -permissions: - contents: read - -env: - SLACK_NOTIFICATIONS: true - -jobs: - upgrade-spdx-license-list: - runs-on: ubuntu-latest - if: github.repository == 'anchore/syft' # only run for main repo - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 - with: - persist-credentials: false - - - name: Bootstrap environment - uses: ./.github/actions/bootstrap - - - run: | - make generate-license-list - - - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a #v2.1.0 - id: generate-token - with: - app_id: ${{ secrets.TOKEN_APP_ID }} - private_key: ${{ secrets.TOKEN_APP_PRIVATE_KEY }} - - - uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 #v8.1.0 - with: - signoff: true - delete-branch: true - branch: auto/latest-spdx-license-list - labels: dependencies - commit-message: "chore(deps): update SPDX license list" - title: "chore(deps): update SPDX license list" - body: | - Update SPDX license list based on the latest available list from spdx.org - token: ${{ steps.generate-token.outputs.token }} - - - name: Notify Slack on failure - uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 #v3.0.1 - with: - webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }} - webhook-type: incoming-webhook - payload: | - text: "Syft SPDX license list update failed" - blocks: - - type: section - text: - type: mrkdwn - text: | - *Syft SPDX license list update failed* - • Workflow: `${{ github.workflow }}` - • Event: `${{ github.event_name }}` - • Job Status: `${{ job.status }}` - • <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|View Run> - if: ${{ failure() && env.SLACK_NOTIFICATIONS == 'true' }}
diff --git a/.github/workflows/validate-github-actions.yaml b/.github/workflows/validate-github-actions.yaml
index a889d2290..78215b796 100644
--- a/.github/workflows/validate-github-actions.yaml
+++ b/.github/workflows/validate-github-actions.yaml
@@ -28,9 +28,8 @@ jobs:
 persist-credentials: false
 
 - name: "Run zizmor"
- uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
 with:
- config: .github/zizmor.yml
- # Disable SARIF upload so the step is a simple pass/fail gate
- advanced-security: false
+ # there is a pass/fail gate as a repo ruleset (if there is no ruleset configured then the action will pass by default)
+ advanced-security: true
 inputs: .github
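Review bot: With `advanced-security: true` the step only uploads SARIF, and the replacement comment itself says the ruleset gate passes by default when no ruleset is configured, so this hunk turns a fail-closed check into a fail-open one whose enforcement lives in repository settings that are not version-controlled. If the ruleset is the intended gate, name it in the comment (`# enforced by the "<RULESET-NAME>" repo ruleset; without it this step never fails`) so a reviewer can verify it exists; otherwise keep a pass/fail run next to the upload. SARIF upload also needs `security-events: write` on this job, and the job's `permissions:` are outside the hunk (the `jobs:` block starts before line 28), so confirm that grant is present. Dropping `config: .github/zizmor.yml` is presumably fine because zizmor discovers that path on its own, but it is worth confirming the file's ignore rules still apply to the run.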