diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bd75857..a62e31c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,8 +11,8 @@ jobs:
 name: Pre-merge Checks
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 20
diff --git a/.github/workflows/coana-analysis.yml b/.github/workflows/coana-analysis.yml
deleted file mode 100644
index 90bfa06..0000000
--- a/.github/workflows/coana-analysis.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: Coana Vulnerability Analysis
-
-on:
- schedule:
- - cron: "0 3 * * *" # every day at 3 AM
- workflow_dispatch:
- inputs:
- tags:
- description: "Manually run vulnerability analysis"
- # Required by the return-dispatch action
- distinct_id:
-
-jobs:
- coana-vulnerability-analysis:
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Run Coana CLI
- id: coana-cli
- uses: docker://coana/coana:latest
- with:
- args: |
- coana run . \
- --api-key ${{ secrets.COANA_API_KEY }} \
- --repo-url https://github.com/${{github.repository}}
diff --git a/.github/workflows/coana-guardrail.yml b/.github/workflows/coana-guardrail.yml
deleted file mode 100644
index 6928ce0..0000000
--- a/.github/workflows/coana-guardrail.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-name: Coana Guardrail
-
-on: pull_request
-
-jobs:
- guardrail:
- runs-on: ubuntu-latest
-
- steps:
- - name: Checkout the ${{github.base_ref}} branch
- uses: actions/checkout@v4
- with:
- ref: ${{github.base_ref}} # checkout the base branch (usually master/main).
-
- - name: Fetch the PR branch
- run: |
- git fetch ${{ github.event.pull_request.head.repo.clone_url }} ${{ github.head_ref }}:${{ github.head_ref }} --depth=1
-
- - name: Get list of changed files relative to the main/master branch
- id: changed-files
- run: |
- echo "all_changed_files=$(git diff --name-only ${{ github.base_ref }} ${{ github.head_ref }} | tr '\n' ' ')" >> $GITHUB_OUTPUT
-
- - name: Use Node.js 20.x
- uses: actions/setup-node@v4
- with:
- node-version: 20.x
-
- - name: Run Coana on the ${{github.base_ref}} branch
- run: |
- npx @coana-tech/cli run . \
- --guardrail-mode \
- --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \
- -o /tmp/main-branch \
- --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \
- --lightweight-reachability \
-
- # Reset file permissions.
- # This is necessary because the Coana CLI may add
- # new files with root ownership since it's using docker.
- # These files will not be deleted by the clean step in checkout
- # if the permissions are not reset.
- - name: Reset file permissions
- run: sudo chown -R $USER:$USER .
-
- - name: Checkout the current branch
- uses: actions/checkout@v4
- with:
- clean: true
-
- - name: Run Coana on the current branch
- run: |
- npx @coana-tech/cli run . \
- --guardrail-mode \
- --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \
- -o /tmp/current-branch \
- --changed-files ${{ steps.changed-files.outputs.all_changed_files }} \
- --lightweight-reachability \
-
- - name: Run Report Comparison
- run: |
- npx @coana-tech/cli compare-reports \
- --api-key ${{ secrets.COANA_API_KEY || 'api-key-unavailable' }} \
- /tmp/main-branch/coana-report.json \
- /tmp/current-branch/coana-report.json
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml
new file mode 100644
index 0000000..44bdad6
--- /dev/null
+++ b/.github/workflows/lint-pr-title.yml
@@ -0,0 +1,16 @@
+name: Lint PR Title
+
+on:
+ pull_request_target:
+ types: [opened, edited, synchronize]
+
+permissions:
+ pull-requests: read
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
new file mode 100644
index 0000000..70b5bbb
--- /dev/null
+++ b/.github/workflows/release-please.yml
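Review bot: The `pull_request_target` trigger in lint-pr-title.yml runs the `lint` job with the base repository's token and secrets for every PR, including ones from forks, so the job must never check out or execute PR head content; it currently does not, and that invariant deserves a comment next to the trigger, e.g. `# pull_request_target: runs in the base-repo context on fork PRs; never add a checkout of the PR head to this job`. The workflow-level `permissions: pull-requests: read` correctly leaves every other scope at none. The pin comment `# v5` names only a major tag, whereas the `extractVersion` pattern added to renovate.json in this same change expects a full `vX.Y.Z`, so this pin may not be tracked the same way as the others; writing the full version in the comment would keep them consistent.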
@@ -0,0 +1,36 @@
+name: Release Please
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ contents: write
+ pull-requests: write
+ id-token: write
+
+jobs:
+ release-please:
+ runs-on: ubuntu-latest
+ outputs:
+ release_created: ${{ steps.release.outputs.release_created }}
+ tag_name: ${{ steps.release.outputs.tag_name }}
+ steps:
+ - name: Generate token
+ id: generate-token
+ uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
+ with:
+ app-id: ${{ vars.SDK_BOT_APP_ID }}
+ private-key: ${{ secrets.SDK_BOT_PRIVATE_KEY }}
+
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
+ id: release
+ with:
+ token: ${{ steps.generate-token.outputs.token }}
+
+ publish:
+ needs: release-please
+ if: ${{ needs.release-please.outputs.release_created == 'true' }}
+ uses: ./.github/workflows/release.yml
+ secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d7ba329..01b3549 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,11 +1,8 @@
 name: Release
 on:
- # Support manually pushing a new release
- workflow_dispatch: {}
- # Trigger when a release is published
- release:
- types: [published]
+ workflow_dispatch:
+ workflow_call:
 defaults:
 run:
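Review bot: The workflow-level `permissions: contents: write` and `pull-requests: write` in release-please.yml grant the default GITHUB_TOKEN scopes that the `release-please` job does not appear to use, since release-please-action is handed the App token from `generate-token` via `token:`. Scoping permissions per job keeps the ambient token minimal: on `release-please` only what is needed if the App token were ever absent (or none at all), and on `publish` just `contents: read` and `id-token: write`, which is what the called release.yml declares and is the most a reusable workflow can receive from its caller. If the App token is used so that the release PR it opens triggers CI (the usual reason for not using GITHUB_TOKEN here), a one-line comment above `Generate token` stating that would spare the next reader the question.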
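Review bot: Replacing the `release: published` trigger with a bare `workflow_dispatch:` means a manual run of release.yml from any branch or tag now publishes that ref to npm as `latest` (the `Publish` step in the next hunk), where publishing was previously gated on a GitHub release being published. With `workflow_call` from release-please.yml as the intended path, the manual path is worth guarding, for example with an `environment:` that requires reviewers on the publishing job, or `if: github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main'`, plus a comment recording that dispatch is a re-publish fallback rather than the normal route. The old `workflow_dispatch: {}` and the new `workflow_dispatch:` are equivalent, so that part changes nothing.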
@@ -19,26 +16,17 @@ jobs:
 contents: read
 id-token: write
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
 node-version: 24
 registry-url: "https://registry.npmjs.org"
 - name: Install Dependencies
- run: |
- npm install
+ run: npm install
 - name: Build project
- run: |
- npm run build
+ run: npm run build
- - name: Push Release
- if: ${{ !github.event.release.prerelease }}
- run: |
- npm publish --tag latest --access=public --provenance
-
- - name: Push Pre-Release
- if: ${{ github.event.release.prerelease }}
- run: |
- npm publish --tag next --access=public --provenance
+ - name: Publish
+ run: npm publish --tag latest --access=public --provenance --no-git-checks
diff --git a/.github/workflows/socket-tier1-analysis.yml b/.github/workflows/socket-tier1-analysis.yml
new file mode 100644
index 0000000..a983ef8
--- /dev/null
+++ b/.github/workflows/socket-tier1-analysis.yml
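Review bot: `--no-git-checks` on the new `Publish` step is a pnpm `publish` option, not an npm one; this job installs, builds and publishes with npm, so npm will at best ignore the flag with an unknown-config warning, and it should be dropped unless the package manager is being switched. The consolidation also removes the prerelease branch (`--tag next`), so every run now tags `latest`; if release-please can ever produce a prerelease version this would publish it as `latest`, which is worth either a guard or a comment stating that prereleases are not expected on this path. Separately, checkout and setup-node are pinned here at v6.0.2/v6.3.0 but at v4.3.1/v4.4.0 in ci.yml and socket-tier1-analysis.yml within this same change; aligning them lets the Renovate `github-actions` group move them in lockstep. The `jobs:` block this hunk belongs to starts before the hunk.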
@@ -0,0 +1,40 @@
+name: Socket Tier 1 Reachability Analysis
+
+on:
+ schedule:
+ # every day at 12 AM
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+ inputs:
+ tags:
+ description: "Manually run vulnerability analysis"
+ distinct_id:
+ description: "Required by the return-dispatch action"
+ required: true
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref_name }}
+ cancel-in-progress: true
+
+jobs:
+ socket-vulnerability-analysis:
+ runs-on: ubuntu-latest
+ timeout-minutes: 60
+
+ steps:
+ - name: Check distinct_id
+ run: |
+ echo "distinct_id: ${{ github.event.inputs.distinct_id }}"
+ - name: Checkout code
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ - name: Install Socket CLI
+ run: npm install -g socket
+ - name: Run Tier 1 reachability scan
+ env:
+ SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_API_KEY }}
+ run: |
+ # Full application reachability (Tier 1)
+ socket scan create . \
+ --reach \
+ --org "workos" \
+ --no-interactive
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
new file mode 100644
index 0000000..bc7e4aa
--- /dev/null
+++ b/.release-please-manifest.json
@@ -0,0 +1,3 @@
+{
+ ".": "0.16.0"
+}
diff --git a/release-please-config.json b/release-please-config.json
new file mode 100644
index 0000000..9941797
--- /dev/null
+++ b/release-please-config.json
@@ -0,0 +1,13 @@
+{
+ "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+ "include-component-in-tag": false,
+ "packages": {
+ ".": {
+ "release-type": "node",
+ "changelog-path": "CHANGELOG.md",
+ "versioning": "default",
+ "bump-minor-pre-major": true,
+ "bump-patch-for-minor-pre-major": true
+ }
+ }
+}
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..a1edcd4
--- /dev/null
+++ b/renovate.json
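Review bot: `echo "distinct_id: ${{ github.event.inputs.distinct_id }}"` in the `Check distinct_id` step of socket-tier1-analysis.yml expands the input straight into the shell script; `workflow_dispatch` inputs can only be supplied by users with write access, so the exposure is limited, but the conventional form keeps the value out of shell parsing entirely: put `env:` / `DISTINCT_ID: ${{ github.event.inputs.distinct_id }}` on the step and use `run: echo "distinct_id: $DISTINCT_ID"`. The workflow declares no `permissions:` block, so the job inherits the repository's default token scopes; `permissions: contents: read` at the top is all a scan that only reads the checkout needs. `npm install -g socket` is unpinned, so the scanner version drifts between runs; pinning it (`socket@<version>`, placeholder) keeps results reproducible and the supply chain auditable.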
@@ -0,0 +1,26 @@
+{
+ "extends": ["config:recommended"],
+ "schedule": ["on the 15th day of the month before 12pm"],
+ "timezone": "UTC",
+ "rebaseWhen": "conflicted",
+ "packageRules": [
+ {
+ "matchManagers": ["github-actions"],
+ "extractVersion": "^v(?\\d+\\.\\d+\\.\\d+)$",
+ "groupName": "github-actions"
+ },
+ {
+ "matchUpdateTypes": ["minor", "patch"],
+ "automerge": true,
+ "groupName": "minor and patch updates"
+ },
+ {
+ "matchUpdateTypes": ["major"],
+ "automerge": false
+ },
+ {
+ "matchUpdateTypes": ["digest"],
+ "automerge": false
+ }
+ ]
+}
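Review bot: The `extractVersion` pattern in the `github-actions` rule reads as `^v(?\d+\.\d+\.\d+)$`, which is not a valid regular expression (`(?` must introduce a group modifier) and would make Renovate reject the config; `extractVersion` expects a named capture group called `version`, i.e. `"extractVersion": "^v(?<version>\\d+\\.\\d+\\.\\d+)$"`. If the `<version>` token was only lost when this page was rendered, the committed file is fine, but it is cheap to confirm with `renovate-config-validator`. Note also that this pattern admits only three-part `vX.Y.Z` tags, so an action whose pin comment uses a major-only tag, such as `# v5` in lint-pr-title.yml, may not be matched the same way as the other pins.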