diff --git a/.github/label-syncer/label-syncer.yml b/.github/label-syncer/label-syncer.yml
index e69d8ce..3ebeb51 100644
--- a/.github/label-syncer/label-syncer.yml
+++ b/.github/label-syncer/label-syncer.yml
@@ -1,36 +1,51 @@ -- name: breaking change +- name: status - needs triage + description: New issues/PRs that need review + color: 27ae60 # green +- name: status - in progress + description: Actively being worked on + color: 2ecc40 # green +- name: status - blocked + description: Blocked by something else + color: 16a085 # green +- name: status - ready for review + description: Ready for code review + color: 1abc9c # green +- name: type - enhancement + description: Improvements to existing features + color: 2986cc # blue +- name: type - refactor + description: Code refactoring, no user-facing change + color: 1d76db # blue +- name: type - test + description: Related to tests or test coverage + color: 0052cc # blue +- name: type - ci + description: Continuous integration/config changes + color: 0074d9 # blue +- name: type - chore + description: Maintenance, build, or non-feature work + color: 3399ff # blue +- name: type - breaking change description: Changes that will break something in the next release - color: d876e3 -- name: bug + color: ff69b4 # pink +- name: type - bug description: Something isn't working as expected - color: f67828 -- name: critical - description: Problems that are critical to fix immediately (e.g. 
data loss) - color: d80000 -- name: dependencies - description: Pull requests that update a dependency - color: 861a22 -- name: documentation + color: d80000 # red +- name: type - documentation description: Improvements or additions to documentation - color: 0075ca -- name: duplicate - description: This issue or pull request already exists elsewhere - color: D9D9D6 -- name: feature - description: New feature or request for a feature - color: f1dd38 -- name: help wanted - description: Extra attention is needed - color: 366735 -- name: idea - description: An idea that should be considered for future releases - color: 6aed9c -- name: invalid - description: This doesn't seem right - color: 000000 -- name: question - description: Further information is requested or clarification is needed - color: 9d622b + color: 5dade2 # blue +- name: priority - low + description: Lowest priority + color: ffc300 # orange +- name: priority - medium + description: Medium priority + color: ff9900 # orange +- name: priority - high + description: Highest priority + color: ff5733 # orange +- name: good first issue + description: Good for newcomers + color: a259ff # purple - name: wontfix description: This will not be worked on color: ffffff diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..bee6ab2 --- /dev/null +++ b/.github/workflows/codeql.yml 
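Review bot: The renamed labels (`bug` → `type - bug`, `documentation` → `type - documentation`, `breaking change` → `type - breaking change`) look to the syncer like a deletion plus a new label, so if the syncer prunes labels that are missing from this manifest, issues and PRs carrying the old names silently lose them. If the action supports an alias list per entry, adding the old name there preserves the mapping; otherwise the rename should be done once in the repository settings before this file is synced. Separately, the hex colours are plain scalars; every current value contains a letter so it stays a string, but an all-digit colour such as `123456` would be read as an integer, so quoting them (`color: '27ae60'`) is cheap insurance.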
@@ -0,0 +1,81 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: 'CodeQL Advanced' + +on: + push: + branches: ['main'] + pull_request: + branches: ['main'] + schedule: + - cron: '0 6 * * *' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: true + matrix: + include: + - language: actions + build-mode: none + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + token: ${{ secrets.GITHUB_TOKEN }} + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # â„šī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e + with: + category: '/language:${{matrix.language}}' diff --git a/.github/workflows/container-build.yml b/.github/workflows/container-build.yml index 123bcd3..7aabc8f 100644 --- a/.github/workflows/container-build.yml +++ b/.github/workflows/container-build.yml 
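Review bot: Every `uses:` pin in this file is a bare commit SHA with no version comment, unlike the `# v1.3.0 commit SHA` comment the label-syncer workflow hunk adds; the same applies to the checkout, docker/* and trivy/codeql-action pins in the container-build and trivy hunks. A trailing comment such as `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # <version tag>` lets reviewers and update tooling see what the SHA resolves to without looking it up. The checkout step also passes `token: ${{ secrets.GITHUB_TOKEN }}` explicitly, which is the action's default; since this job only reads the tree, `persist-credentials: false` would keep the token out of the checked-out `.git` config for later steps — the same holds for the checkouts added in the container-build, label-syncer and trivy hunks, unless a later step there needs to push. The `# â„šī¸ Command-line programs…` comment in the manual-build step looks mis-encoded and should be re-saved as UTF-8 or reduced to plain ASCII.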
@@ -24,27 +24,29 @@ jobs: echo "RELEASE_DATE=$(date -u '+%Y-%m-%dT%H:%M:%S%z')" >> ${GITHUB_ENV} - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + token: ${{ secrets.GITHUB_TOKEN }} # https://github.com/docker/setup-qemu-action - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # https://github.com/docker/setup-buildx-action - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # https://github.com/docker/login-action - name: Login to GHCR if: github.event_name != 'pull_request' - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker Hub if: github.event_name != 'pull_request' - uses: docker/login-action@v3 + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} @@ -52,7 +54,7 @@ jobs: # https://github.com/docker/metadata-action - name: Set container meta id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 with: images: | ${{ env.IMAGE_NAME }} 
@@ -63,15 +65,19 @@ jobs: type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} type=sha + type=raw,value=latest # https://github.com/docker/build-push-action - name: Build and push id: build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 with: context: . - platforms: linux/386, linux/amd64, linux/arm/v6, linux/arm/v7, linux/arm64/v8, linux/ppc64le, linux/s390x + platforms: linux/amd64,linux/arm64 build-args: BUILD_DATE=${{ env.RELEASE_DATE }} push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + provenance: true diff --git a/.github/workflows/label-syncer.yml b/.github/workflows/label-syncer.yml index 75cc7b9..0cd6101 100644 --- a/.github/workflows/label-syncer.yml +++ b/.github/workflows/label-syncer.yml @@ -11,13 +11,20 @@ jobs: build: name: Sync repository labels from file runs-on: ubuntu-latest + permissions: + contents: read + issues: write + pull-requests: write steps: - name: Checkout Code id: checkout-code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Sync repository labels from file id: labeling - uses: micnncim/action-label-syncer@v1 + uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0 commit SHA if: success() env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 855bee7..6849bd1 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -12,7 +12,7 @@ on: # The branches below must be a subset of the branches above branches: ['main'] schedule: - - cron: '32 5 * * 2' + - cron: '0 5 * * *' env: IMAGE_NAME: 'aessing/bind' 
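Review bot: `type=raw,value=latest` is unconditional, so every run where `push` is true — any non-`pull_request` event, depending on the triggers defined above this hunk — re-points `latest` at that commit, including non-release pushes to branches. Gating it with `type=raw,value=latest,enable={{is_default_branch}}` (or restricting it to tag events) keeps `latest` consistent with what the semver tags already express. The platform list shrinks from seven targets to `linux/amd64,linux/arm64`; if that is not already stated in the project documentation, a short note on the supported architectures would save users of the dropped platforms a surprise when pulling newer tags.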
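Review bot: The new `permissions` block grants `pull-requests: write`, but label create/update/delete goes through the Issues endpoints of the REST API, so `issues: write` alone is likely sufficient for the syncer; unless the action's documentation lists pull-request access as a requirement, drop that line to stay at least privilege. `if: success()` on the sync step is the default step condition and can be removed. The `token: ${{ secrets.GITHUB_TOKEN }}` passed to checkout is also the action's default and adds nothing here.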
@@ -30,21 +30,45 @@ jobs: runs-on: 'ubuntu-latest' steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + token: ${{ secrets.GITHUB_TOKEN }} - name: Build an image from Dockerfile run: | docker build -t docker.io/${{ env.IMAGE_NAME }}:trivy-${{ github.sha }} . - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 + - name: Run Trivy vulnerability scanner (image) + uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 with: image-ref: 'docker.io/${{ env.IMAGE_NAME }}:trivy-${{ github.sha }}' format: 'sarif' - output: 'trivy-results.sarif' + output: 'trivy-image-results.sarif' + severity: 'CRITICAL,HIGH' + exit-code: '1' + + - name: Run Trivy vulnerability scanner (requirements.txt) + uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 + with: + scan-type: 'fs' + scan-ref: '.' + format: 'sarif' + output: 'trivy-py-results.sarif' severity: 'CRITICAL,HIGH' + exit-code: '1' - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + - name: Upload Trivy image scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e with: - sarif_file: 'trivy-results.sarif' + sarif_file: 'trivy-image-results.sarif' + category: 'trivy-image' + + - name: Upload Trivy Python scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e + with: + sarif_file: 'trivy-py-results.sarif' + category: 'trivy-python' + + - name: Docker cleanup + run: | + docker rmi docker.io/${{ env.IMAGE_NAME }}:trivy-${{ github.sha }} || true diff --git a/LICENSE b/LICENSE index cfda2b6..a4ddc8c 100644 --- a/LICENSE +++ b/LICENSE 
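Review bot: `exit-code: '1'` on the image scan fails that step whenever CRITICAL/HIGH findings exist, and because the following steps carry no `if:` condition, the filesystem scan, both `upload-sarif` steps and `Docker cleanup` are skipped on exactly the runs that produce findings — the SARIF never reaches the Security tab and the scratch image is left behind. Add `if: always()` to the two upload steps and the cleanup step so results are published and the image removed regardless of the gate; alternatively set `continue-on-error: true` on the Trivy steps and fail the job from a final step that checks their outcomes. The second scan is named `(requirements.txt)` but runs `scan-type: 'fs'` on `scan-ref: '.'`, which covers every manifest and lockfile Trivy recognises, so a name like `Run Trivy vulnerability scanner (filesystem)` describes it accurately. The job definition starts above this hunk.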
@@ -1,6 +1,6 @@ MIT License -Copyright (c) 2023 Andre Essing +Copyright (c) 2025 Andre Essing Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal