From ac268724e1c60d3ad160ed5a1c7f7ff3f08c32de Mon Sep 17 00:00:00 2001 From: Evan Harmon Date: Sun, 2 Feb 2025 10:27:35 -0600 Subject: [PATCH] Updates from making new evanharmon.com website (#28) * Updates from making new evanharmon.com website * more updates * update workflows to new github version due to deprecation * disable package.json scanning for harmon-stack * updates --- .github/workflows/release.yml | 2 +- .github/workflows/security.yml | 68 +++++++++++++++++-- .github/workflows/validate.yml | 2 +- README.md | 1 + template/.editorconfig | 2 + .../build.yaml | 27 ++++++++ .../release.yml | 2 +- .../security.yml | 62 ++++++++++++++++- .../validate.yml | 15 +++- template/.gitignore | 1 + template/README.md.jinja | 5 ++ template/Taskfile.yml.jinja | 45 +++++++++--- template/test/whisperConfig.yml | 2 +- 13 files changed, 212 insertions(+), 22 deletions(-) create mode 100644 template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/build.yaml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 33f41c9..43423d3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,7 +11,7 @@ jobs: contents: write steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 # Fetch all history for versioning diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 0ec9fcb..aff577b 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -1,12 +1,12 @@ -name: Security +name: Security Test run-name: ${{ github.actor }} is running Security Actions on: [pull_request] jobs: - security: + secrets: runs-on: ubuntu-latest steps: - run: echo "Triggered by a ${{ github.event_name }} event." - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # E.g., to check for my `~/Local/.secret` file - name: Custom check for secret files run: ./check_for_pattern.sh . "*secret*" 
@@ -22,8 +22,68 @@ jobs: run: whispers --config test/whisperConfig.yml --severity BLOCKER,CRITICAL . > /tmp/scan_output.json # Upload Artifacts - name: Upload the scan output - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: scan_results path: /tmp/scan_output.json retention-days: 7 + sast-dependencies: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + # Node.js dependencies scan + # Disabled since harmon-stack doesn not build a package.json file + # - name: Setup Node.js + # uses: actions/setup-node@v4 + # with: + # node-version: "22" + # cache: "npm" + # - name: Install Node dependencies + # run: npm ci + # - name: Run Snyk for Node.js + # uses: snyk/actions/node@master + # env: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # with: + # command: test + # args: > + # --severity-threshold=high + # --show-vulnerable-paths=all + # Python dependencies scan + - name: Setup Python + uses: actions/setup-python@v4 + with: + python-version: "3.9" + - name: Install Python dependencies + run: pip install -r requirements.txt + - name: Run Snyk for Python + uses: snyk/actions/python@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + command: test + args: > + --file=requirements.txt + --severity-threshold=high + --show-vulnerable-paths=all + # Disabled since harmon-stack doesn not build a package.json file + # sast-code: + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v4 + # - name: Setup Node.js + # uses: actions/setup-node@v4 + # with: + # node-version: "22" + # cache: "npm" + # - name: Install dependencies + # run: npm ci + # - name: Run Snyk to check for vulnerabilities + # uses: snyk/actions/node@master + # env: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # with: + # command: code test + # args: > + # --severity-threshold=high + # --json-file-output=snyk-code-test.json diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index c31731c..eed3060 100644 
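Review bot: `uses: snyk/actions/python@master` runs a third-party action from a mutable branch in a job that is handed `SNYK_TOKEN`; the template security.yml hunk later in this patch does the same with `snyk/actions/node@master` and `snyk/actions/python@master`. Pin these to an immutable ref, e.g. `uses: snyk/actions/python@<full-commit-sha>  # <release tag>`, so a change on that branch cannot alter what executes with the token. `actions/setup-python@v4` is left behind while checkout and upload-artifact move to their v4 majors; setup-python v5 is the current major, so the deprecation the commit message cites likely applies to it as well. Because the workflow triggers on `pull_request` (first hunk of this file), secrets are not exposed to PRs opened from forks and the Snyk step will fail for them; acceptable if forks are not expected, otherwise worth a comment on the job. The comment `# Disabled since harmon-stack doesn not build a package.json file` appears twice with a typo, `does not`.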
--- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -6,7 +6,7 @@ jobs: runs-on: ubuntu-latest steps: - run: echo "Triggered by a ${{ github.event_name }} event." - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - uses: actions/setup-python@v4 with: python-version: 3.9 diff --git a/README.md b/README.md index 4157da4..b5be1ac 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Author: Evan Harmon [![Validate](https://github.com/evanharmon1/harmon-stack/actions/workflows/validate.yml/badge.svg)](https://github.com/evanharmon1/harmon-stack/actions/workflows/validate.yml) [![Security](https://github.com/evanharmon1/harmon-stack/actions/workflows/security.yml/badge.svg)](https://github.com/evanharmon1/harmon-stack/actions/workflows/security.yml) +[![Copier](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/copier-org/copier/master/img/badge/badge-grayscale-inverted-border-orange.json)](https://github.com/copier-org/copier) ## Usage Create a new project with: `copier copy harmon-stack new-project --trust` diff --git a/template/.editorconfig b/template/.editorconfig index 8335897..0ce5848 100644 --- a/template/.editorconfig +++ b/template/.editorconfig @@ -1,3 +1,5 @@ +# https://EditorConfig.org + # Root EditorConfig file root = true diff --git a/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/build.yaml b/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/build.yaml new file mode 100644 index 0000000..268f6d5 --- /dev/null +++ b/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/build.yaml 
@@ -0,0 +1,27 @@ +name: Build Test + +on: + pull_request: + branches: + - main + push: + branches: + - main + +jobs: + build: + runs-on: ubuntu-latest + strategy: + matrix: + node-version: + - 22 + steps: + - uses: actions/checkout@v4 + - name: Use Node.js v${{ matrix.node-version }} + uses: actions/setup-node@v4 + with: + node-version: ${{ matrix.node-version }} + cache: npm + - run: npm ci + - run: npm run build + # - run: npm test diff --git a/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/release.yml b/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/release.yml index 33f41c9..43423d3 100644 --- a/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/release.yml +++ b/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/release.yml @@ -11,7 +11,7 @@ jobs: contents: write steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 # Fetch all history for versioning diff --git a/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/security.yml b/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/security.yml index 0ec9fcb..20e482d 100644 --- a/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/security.yml +++ b/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/security.yml @@ -6,7 +6,7 @@ jobs: runs-on: ubuntu-latest steps: - run: echo "Triggered by a ${{ github.event_name }} event." - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # E.g., to check for my `~/Local/.secret` file - name: Custom check for secret files run: ./check_for_pattern.sh . "*secret*" 
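Review bot: The new workflow file is `build.yaml` while its siblings (`release.yml`, `security.yml`, `validate.yml`) and the badge added to template/README.md.jinja in this patch (`.../actions/workflows/build.yml/badge.svg`) use `.yml`, so the badge will not resolve to this workflow; renaming the file to `build.yml` fixes both the inconsistency and the badge. The `build` job declares no `permissions:` block, so it runs with the repository's default `GITHUB_TOKEN` scope although `npm ci` and `npm run build` only need to read the checkout; a top-level `permissions:` with `contents: read` (the same applies to the new `check` job in the template validate.yml and to the new security jobs) keeps the token read-only. The one-entry `strategy.matrix.node-version` adds nothing yet; either a comment such as `# matrix kept so additional Node majors can be added` or a plain `node-version: 22` as in validate.yml would be clearer.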
@@ -22,8 +22,66 @@ jobs: run: whispers --config test/whisperConfig.yml --severity BLOCKER,CRITICAL . > /tmp/scan_output.json # Upload Artifacts - name: Upload the scan output - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: scan_results path: /tmp/scan_output.json retention-days: 7 + sast-dependencies: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + # Node.js dependencies scan + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: "22" + cache: "npm" + - name: Install Node dependencies + run: npm ci + - name: Run Snyk for Node.js + uses: snyk/actions/node@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + command: test + args: > + --severity-threshold=high + --show-vulnerable-paths=all + # Python dependencies scan + - name: Setup Python + uses: actions/setup-python@v4 + with: + python-version: "3.9" + - name: Install Python dependencies + run: pip install -r requirements.txt + - name: Run Snyk for Python + uses: snyk/actions/python@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + command: test + args: > + --file=requirements.txt + --severity-threshold=high + --show-vulnerable-paths=all + sast-code: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: "22" + cache: "npm" + - name: Install dependencies + run: npm ci + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/node@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + command: code test + args: > + --severity-threshold=high + --json-file-output=snyk-code-test.json diff --git a/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/validate.yml b/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/validate.yml index c31731c..287ba50 100644 --- a/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/validate.yml 
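Review bot: The `sast-code` job writes `--json-file-output=snyk-code-test.json` but nothing consumes the file, whereas the `secrets` job uploads its `/tmp/scan_output.json` with `actions/upload-artifact@v4`; add a matching upload step for the Snyk Code output or drop the flag. `npm ci` before `snyk code test` installs dependencies that static analysis does not appear to need, so the step could likely run on the bare checkout (confirm against the Snyk docs). `sast-dependencies` now assumes both `package.json` and `requirements.txt` exist in every generated project, although this directory is only conditioned on `ci_cd == 'github_actions'`; a missing `requirements.txt` fails `pip install -r` before any scan runs. Separately, the `Known Vulnerabilities` badge added to template/README.md.jinja in this patch points at `snyk.io/test/github/onwidget/astrowind`, a different repository, so it reports that project's status rather than the generated one's.
```yaml
      - name: Run Snyk to check for vulnerabilities
        # … unchanged: snyk/actions/node step with `command: code test` …
      - name: Upload the Snyk Code output
        uses: actions/upload-artifact@v4
        with:
          name: snyk_code_results
          path: snyk-code-test.json
          retention-days: 7
```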
+++ b/template/.github/{% if ci_cd == 'github_actions' %}workflows{% endif %}/validate.yml @@ -1,8 +1,8 @@ -name: Validate +name: Validate Code run-name: ${{ github.actor }} is running Validate Actions on: [pull_request] jobs: - validate: + preCommit: runs-on: ubuntu-latest steps: - run: echo "Triggered by a ${{ github.event_name }} event." @@ -12,3 +12,14 @@ jobs: python-version: 3.9 - uses: pre-commit/action@v3.0.1 - uses: pre-commit-ci/lite-action@v1.1.0 + check: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Use Node.js 22 + uses: actions/setup-node@v4 + with: + node-version: 22 + cache: npm + - run: npm ci + - run: npm run check diff --git a/template/.gitignore b/template/.gitignore index 59ad128..8815ae0 100644 --- a/template/.gitignore +++ b/template/.gitignore @@ -55,6 +55,7 @@ Thumbs.db .meta todo.md *.code-workspace +.dccache # .env #------------------------------------------------------------------------------ diff --git a/template/README.md.jinja b/template/README.md.jinja index e1041f4..a8be658 100644 --- a/template/README.md.jinja +++ b/template/README.md.jinja 
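Review bot: The job ids introduced here are mixed, camelCase `preCommit` next to `check`, while the sibling security.yml in this same patch uses kebab-case (`sast-dependencies`, `sast-code`); GitHub displays job ids as check names, so one convention across the template's workflows would read better whichever is kept. Renaming `validate` to `preCommit` also changes the check name that any branch-protection required-status-check rule on an already-generated repository refers to; a line in the commit description or README noting that would help. `npm run check` is only as strict as the `check` script in the generated `package.json`, which this patch does not show, so it is unclear from the hunk whether a failing lint fails the job.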
@@ -5,7 +5,12 @@ Author: {{ author_full_name }} [![Validate](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/validate.yml/badge.svg)](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/validate.yml) +[![Build](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/build.yml/badge.svg)](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/build.yml) [![Security](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/security.yml/badge.svg)](https://github.com/{{ author_git_provider_username }}/{{ project_slug }}/actions/workflows/security.yml) +[![Copier](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/copier-org/copier/master/img/badge/badge-grayscale-inverted-border-orange.json)](https://github.com/copier-org/copier) +[![Maintained](https://img.shields.io/badge/maintained%3F-yes-brightgreen.svg?style=flat-square)](https://github.com/onwidget) +[![Contributions Welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat-square)](https://github.com/onwidget/astrowind#contributing) +[![Known Vulnerabilities](https://snyk.io/test/github/onwidget/astrowind/badge.svg?style=flat-square)](https://snyk.io/test/github/onwidget/astrowind) ## Setup & Installation diff --git a/template/Taskfile.yml.jinja b/template/Taskfile.yml.jinja index 74611dc..c7c425b 100644 --- a/template/Taskfile.yml.jinja +++ b/template/Taskfile.yml.jinja @@ -1,5 +1,5 @@ # Taskfile for {{ project_name }} -version: "3" +version: '3' tasks: boostrap: cmds: 
@@ -13,25 +13,50 @@ tasks: silent: true validate: cmds: - - pre-commit run --all-files - # - shellcheck osConfig/mac/updateMac.sh - # - shellcheck osConfig/mac/setupMac.sh - # - shellcheck osConfig/mac/configureMacSettings.sh + - task: preCommit + - task: check silent: true - pre-commit: + preCommit: cmds: - pre-commit run --all-files silent: true + check: + cmds: + - npm run check:astro + - npm run check:eslint + - cmd: npm run check:prettier + # - shellcheck osConfig/mac/updateMac.sh + # - shellcheck osConfig/mac/setupMac.sh + # - shellcheck osConfig/mac/configureMacSettings.sh + ignore_error: true + silent: true + fix: + cmds: + - npm run fix + silent: true security: + cmds: + - task: secrets + - task: sast + ignore_error: true + silent: true + secrets: cmds: - ./check_for_pattern.sh . "*secret*" - whispers --config test/whisperConfig.yml --severity BLOCKER,CRITICAL . - - task: snyk silent: true - snyk: + sast: + cmds: + - task: sast-dependencies + - task: sast-code + silent: true + sast-dependencies: + cmds: + - snyk test --all-projects + silent: true + sast-code: cmds: - - snyk test --file=requirements.txt - - snyk test --file=package.json + - snyk code test silent: true ghReleaseInit: cmds: diff --git a/template/test/whisperConfig.yml b/template/test/whisperConfig.yml index 15fdb75..a31e97e 100644 --- a/template/test/whisperConfig.yml +++ b/template/test/whisperConfig.yml @@ -1,6 +1,6 @@ include: files: - - "**/*" + - '**/*' exclude: files:
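Review bot: `ignore_error: true` on the `security` task means `task security` exits 0 even when `secrets` or `sast` report findings, so the local gate never fails while nothing in the corresponding workflow jobs suppresses a failing exit code; if the intent is only to let `sast` run after `secrets` fails, that should be stated in a comment, otherwise drop the flag so findings are surfaced. The same flag in `check` is attached to the prettier `- cmd:` entry if the indentation is as the `- cmd:` form suggests; if it is task-scoped it also masks the astro and eslint checks, and a comment such as `# prettier failures are advisory` would make the intended scope explicit. Locally `sast-dependencies` runs `snyk test --all-projects` while the CI job scans `requirements.txt` and `package.json` individually, so the two can disagree on coverage; worth aligning or documenting. The enclosing `tasks:` mapping continues outside the hunk.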