mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
dependabot[bot]
334a2e59d8
Bumps the github-actions group with 14 updates in the / directory: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.17.0` | `2.19.4` | | [chromaui/action](https://github.com/chromaui/action) | `16.3.0` | `17.0.1` | | [docker/login-action](https://github.com/docker/login-action) | `4.1.0` | `4.2.0` | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `3.1.1` | `3.2.0` | | [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata) | `3.0.0` | `3.1.0` | | [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) | `6.1.0` | `6.1.2` | | [fluxcd/flux2](https://github.com/fluxcd/flux2) | `2.8.5` | `2.8.8` | | [depot/build-push-action](https://github.com/depot/build-push-action) | `1.17.0` | `1.18.0` | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `4.0.0` | `4.1.0` | | [linear/linear-release-action](https://github.com/linear/linear-release-action) | `0.7.0` | `0.14.0` | | [toshimaru/auto-author-assign](https://github.com/toshimaru/auto-author-assign) | `3.0.1` | `3.0.2` | | [benc-uk/workflow-dispatch](https://github.com/benc-uk/workflow-dispatch) | `1.3.1` | `1.3.2` | | [github/codeql-action](https://github.com/github/codeql-action) | `4.35.1` | `4.36.0` | | [actions/stale](https://github.com/actions/stale) | `10.2.0` | `10.3.0` | Updates `step-security/harden-runner` from 2.17.0 to 2.19.4 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/f808768d1510423e83855289c910610ca9b43176...9af89fc71515a100421586dfdb3dc9c984fbf411) Updates `chromaui/action` from 16.3.0 to 17.0.1 - [Release notes](https://github.com/chromaui/action/releases) - [Changelog](https://github.com/chromaui/action/blob/main/CHANGELOG.md) - [Commits](https://github.com/chromaui/action/compare/5c6ec06f45a2117a25f07b1bf2b2f3009233fac8...0b8c883861c1663076150cf1f4592b19d1ff6a54) Updates `docker/login-action` from 4.1.0 to 4.2.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/4907a6ddec9925e35a0a9e82d7399ccc52663121...650006c6eb7dba73a995cc03b0b2d7f5ca915bee) Updates `actions/create-github-app-token` from 3.1.1 to 3.2.0 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Changelog](https://github.com/actions/create-github-app-token/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/create-github-app-token/compare/1b10c78c7865c340bc4f6099eb2f838309f1e8c3...bcd2ba49218906704ab6c1aa796996da409d3eb1) Updates `dependabot/fetch-metadata` from 3.0.0 to 3.1.0 - [Release notes](https://github.com/dependabot/fetch-metadata/releases) - [Commits](https://github.com/dependabot/fetch-metadata/compare/ffa630c65fa7e0ecfa0625b5ceda64399aea1b36...25dd0e34f4fe68f24cc83900b1fe3fe149efef98) Updates `aws-actions/configure-aws-credentials` from 6.1.0 to 6.1.2 - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/ec61189d14ec14c8efccab744f656cffd0e33f37...acca2b1b2070338fb9fd1ca27ecee81d687e58e5) Updates `fluxcd/flux2` from 2.8.5 to 2.8.8 - [Release notes](https://github.com/fluxcd/flux2/releases) - [Commits](https://github.com/fluxcd/flux2/compare/5adad89dcce7b79f20274ae8e112bcec7bd46764...1fd61a06264d71cf445ed55c4f14d401d26a1c64) Updates `depot/build-push-action` from 1.17.0 to 1.18.0 - [Release notes](https://github.com/depot/build-push-action/releases) - [Commits](https://github.com/depot/build-push-action/compare/5f3b3c2e5a00f0093de47f657aeaefcedff27d18...98e78adca7817480b8185f474a400b451d74e287) Updates `docker/setup-buildx-action` from 4.0.0 to 4.1.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd...d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5) Updates `linear/linear-release-action` from 0.7.0 to 0.14.0 - [Release notes](https://github.com/linear/linear-release-action/releases) - [Commits](https://github.com/linear/linear-release-action/compare/0353b5fa8c00326913966f00557d68f8f30b8b6b...ad7da502eec3a93dd17e2e249e6c1cd84e3ee588) Updates `toshimaru/auto-author-assign` from 3.0.1 to 3.0.2 - [Release notes](https://github.com/toshimaru/auto-author-assign/releases) - [Changelog](https://github.com/toshimaru/auto-author-assign/blob/main/CHANGELOG.md) - [Commits](https://github.com/toshimaru/auto-author-assign/compare/4d585cc37690897bd9015942ed6e766aa7cdb97f...bdd7688cbf9e6d5683f02f8c7d8ae4062a254b6d) Updates `benc-uk/workflow-dispatch` from 1.3.1 to 1.3.2 - [Release notes](https://github.com/benc-uk/workflow-dispatch/releases) - [Commits](https://github.com/benc-uk/workflow-dispatch/compare/7a027648b88c2413826b6ddd6c76114894dc5ec4...31e2b3319479a63f0ab15bf800eff9e913504e26) Updates `github/codeql-action` from 4.35.1 to 4.36.0 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/c10b8064de6f491fea524254123dbe5e09572f13...7211b7c8077ea37d8641b6271f6a365a22a5fbfa) Updates `actions/stale` from 10.2.0 to 10.3.0 - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/b5d41d4e1d5dceea10e7104786b73624c18a190f...eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899) --- updated-dependencies: - dependency-name: actions/create-github-app-token dependency-version: 3.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/stale dependency-version: 10.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: aws-actions/configure-aws-credentials dependency-version: 6.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: benc-uk/workflow-dispatch dependency-version: 1.3.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: chromaui/action dependency-version: 17.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: dependabot/fetch-metadata dependency-version: 3.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: depot/build-push-action dependency-version: 1.18.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: docker/login-action dependency-version: 4.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: docker/setup-buildx-action dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: fluxcd/flux2 dependency-version: 2.8.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: linear/linear-release-action dependency-version: 0.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: step-security/harden-runner dependency-version: 2.19.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: toshimaru/auto-author-assign dependency-version: 3.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
143 lines
4.5 KiB
YAML
143 lines
4.5 KiB
YAML
name: "security"
|
|
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
|
|
# Uncomment when testing.
|
|
# pull_request:
|
|
|
|
schedule:
|
|
# Run every 6 hours Monday-Friday!
|
|
- cron: "0 0/6 * * 1-5"
|
|
|
|
# Cancel in-progress runs for pull requests when developers push
|
|
# additional changes
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}-security
|
|
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
|
|
|
|
jobs:
|
|
codeql:
|
|
permissions:
|
|
security-events: write
|
|
runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up mise tools
|
|
uses: ./.github/actions/setup-mise
|
|
with:
|
|
install-args: "go"
|
|
|
|
- name: Restore Go cache
|
|
uses: ./.github/actions/go-cache
|
|
|
|
- name: Initialize CodeQL
|
|
uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v3.29.5
|
|
with:
|
|
languages: go, javascript
|
|
|
|
# Workaround to prevent CodeQL from building the dashboard.
|
|
- name: Remove Makefile
|
|
run: |
|
|
rm Makefile
|
|
|
|
- name: Perform CodeQL Analysis
|
|
uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v3.29.5
|
|
|
|
- name: Send Slack notification on failure
|
|
if: ${{ failure() }}
|
|
run: |
|
|
msg="❌ CodeQL Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
|
|
curl \
|
|
-qfsSL \
|
|
-X POST \
|
|
-H "Content-Type: application/json" \
|
|
--data "{\"content\": \"$msg\"}" \
|
|
"${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
|
|
|
|
osv-scanner:
|
|
permissions:
|
|
security-events: write
|
|
runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
|
|
env:
|
|
IMAGE_REF: ghcr.io/coder/coder-preview:main
|
|
OSV_SCANNER_VERSION: v2.3.5
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Install OSV-Scanner
|
|
run: |
|
|
curl -fsSL -o /usr/local/bin/osv-scanner \
|
|
"https://github.com/google/osv-scanner/releases/download/${OSV_SCANNER_VERSION}/osv-scanner_linux_amd64"
|
|
chmod +x /usr/local/bin/osv-scanner
|
|
|
|
- name: Pull latest Coder preview image
|
|
run: docker pull "$IMAGE_REF"
|
|
|
|
- name: Run OSV-Scanner vulnerability scanner
|
|
id: scan
|
|
run: |
|
|
set +e
|
|
osv-scanner scan image "$IMAGE_REF" \
|
|
--format sarif \
|
|
--output-file osv-results.sarif
|
|
scan_exit_code=$?
|
|
set -e
|
|
|
|
echo "exit_code=${scan_exit_code}" >> "${GITHUB_OUTPUT}"
|
|
|
|
if [[ "${scan_exit_code}" -eq 0 ]]; then
|
|
exit 0
|
|
fi
|
|
|
|
if [[ "${scan_exit_code}" -eq 1 ]]; then
|
|
echo "OSV-Scanner found vulnerabilities in ${IMAGE_REF}."
|
|
echo "Results will be uploaded to GitHub Security and as a SARIF artifact."
|
|
exit 0
|
|
fi
|
|
|
|
echo "::error::OSV-Scanner failed with exit code ${scan_exit_code}"
|
|
exit "${scan_exit_code}"
|
|
|
|
- name: Upload OSV-Scanner scan results to GitHub Security tab
|
|
if: ${{ always() && hashFiles('osv-results.sarif') != '' }}
|
|
uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v3.29.5
|
|
with:
|
|
sarif_file: osv-results.sarif
|
|
category: "OSV-Scanner"
|
|
|
|
- name: Upload OSV-Scanner scan results as an artifact
|
|
if: ${{ always() && hashFiles('osv-results.sarif') != '' }}
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: osv-scanner
|
|
path: osv-results.sarif
|
|
retention-days: 7
|
|
|
|
- name: Send Slack notification on failure
|
|
if: ${{ failure() }}
|
|
run: |
|
|
msg="❌ OSV-Scanner Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
|
|
curl \
|
|
-qfsSL \
|
|
-X POST \
|
|
-H "Content-Type: application/json" \
|
|
--data "{\"content\": \"$msg\"}" \
|
|
"${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
|