diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml new file mode 100644 index 0000000000..5ecb57c9aa --- /dev/null +++ b/.github/workflows/coverity.yml @@ -0,0 +1,51 @@ + +name: coverity-action +on: + push: + branches: [main, master, develop, stage, release] + pull_request: + branches: [main, master, develop, stage, release] + workflow_dispatch: +jobs: + coverity: + runs-on: self-hosted + steps: + - name: Checkout Source + uses: actions/checkout@v4 + # For compiled languages, uncomment and configure the build setup step below: + # - name: Setup Java JDK + # uses: actions/setup-java@v4 + # with: + # java-version: 21 + # distribution: temurin + # cache: maven + - name: Coverity Scan + uses: blackduck-inc/black-duck-security-scan@SIGINT-5334 + with: + ### SCANNING: Required fields + coverity_url: ${{ vars.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} + + ### POLICY ENFORCEMENT: Break build on full scan when encounter outstanding issues + coverity_policy_view: ${{ github.event_name != 'pull_request' && 'Outstanding Issues' || '' }} + + ### PULL REQUEST COMMENTS: + coverity_prComment_enabled: true + + # Required when PR comments is enabled + github_token: ${{ secrets.GITHUB_TOKEN }} + + ### Perform local analysis with full toolkit + # coverity_local: true + ## Use the parameter below to add comments for issues filtered + ## by impact. Default is High if unset + ## NOTE: Issues matching coverity_policy_view are ignored if set + # coverity_prComment_impacts: 'High' + + ### COVERITY: Build commands for compiled languages (uncomment and configure for compiled languages) + # coverity_build_command: mvn -B -DskipTests package + # coverity_clean_command: mvn -B clean + + ## OPTIONAL DIAGNOSTICS: Upload logs as build artifact if true + include_diagnostics: false 
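Review bot: The scan step uses `blackduck-inc/black-duck-security-scan@SIGINT-5334`, a mutable branch name rather than a release tag or commit SHA, so anyone who can push to that branch can change what executes on your self-hosted runner with `COVERITY_USER` and `COVERITY_PASSPHRASE` in its environment; pin it, e.g. `uses: blackduck-inc/black-duck-security-scan@<full-commit-sha>  # vX.Y.Z`. The job also runs on `self-hosted` for `pull_request` events, which GitHub advises against for repositories that accept fork PRs because the runner executes PR content with whatever access the host has — worth confirming the repository is private or the runner is isolated. There is no top-level `permissions:` block, so `GITHUB_TOKEN` inherits the repository default; `permissions:` with `contents: read` and `pull-requests: write` should be enough for the PR-comment feature. The two workflows this commit deletes passed `persist-credentials: false` to `actions/checkout`; the new one omits it, so restore it unless the scan actually needs the token left in the working tree.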
diff --git a/.github/workflows/e2e-test.yml b/.github/workflows/e2e-test.yml deleted file mode 100644 index 4ed7d6aec1..0000000000 --- a/.github/workflows/e2e-test.yml +++ /dev/null @@ -1,61 +0,0 @@ -name: E2E Test -on: [push, pull_request] - -jobs: - e2e-test: - name: Node.js - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - node-version: ["10.x", "12.x", "14.x"] - - steps: - - name: Checkout https://github.com/${{ github.repository }}@${{ github.ref }} - uses: actions/checkout@v2 - with: - persist-credentials: false - - - name: Set up Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 - with: - node-version: ${{ matrix.node-version }} - - - name: Use cache - uses: actions/cache@v2 - with: - path: | - ~/.npm - ~/.cache - key: ${{ runner.os }}-node${{ matrix.node-version }}-E2E-${{ hashFiles('package-lock.json') }} - - - name: Install dependencies - run: | - npm ci - npm run cy:verify - - - name: Start MongoDB - run: | - docker run -d -p 27017:27017 mongo:4.0 - timeout 60s bash -c 'until nc -z -w 2 localhost 27017 && echo MongoDB ready; do sleep 2; done' - - - name: Run E2E test suite - id: test-suite - run: | - NODE_ENV=test npm start -- --silent & - npm run test:ci -- --config video=true - - - name: Prepare cypress artifacts - if: failure() && (steps.test-suite.outcome == 'failure') - working-directory: ./test/e2e - run: > - mkdir -p "screenshots" && find "screenshots" -mindepth 1 -maxdepth 1 -type d - -exec sh -c 'mv -- "videos/$(basename "$1").mp4" "$1"' _ {} \; - - - name: Upload cypress artifacts - if: failure() && (steps.test-suite.outcome == 'failure') - uses: actions/upload-artifact@v2 - with: - name: cypress-artifacts-node${{ matrix.node-version }} - path: test/e2e/screenshots diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml deleted file mode 100644 index e7922ae780..0000000000 --- a/.github/workflows/lint.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -name: Lint -on: [push, pull_request] - -jobs: - lint: - name: Node.js - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - node-version: ["14.x"] - - steps: - - name: Checkout https://github.com/${{ github.repository }}@${{ github.ref }} - uses: actions/checkout@v2 - with: - persist-credentials: false - - - name: Set up Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 - with: - node-version: ${{ matrix.node-version }} - - - name: Run linter - run: npx --no-install jshint@2.12.0 . diff --git a/.github/workflows/polaris.yml b/.github/workflows/polaris.yml new file mode 100644 index 0000000000..a1ff5f062d --- /dev/null +++ b/.github/workflows/polaris.yml 
@@ -0,0 +1,57 @@ +name: CI-Polaris-Basic +on: + push: + branches: [main, master, develop, stage, release] + pull_request: + branches: [main, master, develop, stage, release] + workflow_dispatch: + +jobs: + build: + runs-on: [ubuntu-latest] + steps: + - name: Checkout Source + uses: actions/checkout@v4 + # For compiled languages, uncomment and configure the build setup step below: + # - name: Setup Java JDK + # uses: actions/setup-java@v4 + # with: + # java-version: 21 + # distribution: temurin + # cache: maven + - name: Check Node Version + run: node --version + - name: Polaris Scan + uses: LanceMcCarthy/black-duck-security-scan@lance/update-runner-node-version + with: + ### SCANNING: Required fields + polaris_server_url: ${{ vars.POLARIS_SERVER_URL }} + polaris_access_token: ${{ secrets.POLARIS_ACCESS_TOKEN }} + polaris_assessment_types: "SCA" + + ### SCANNING OPTIONAL + polaris_application_name: quickstart-${{ github.event.repository.name }} + + ### SCANNING OPTIONAL: Pull Request comments + polaris_prComment_enabled: true + + ### SCANNING OPTIONAL: GitHub Issues + polaris_externalIssues_create: true + + ### SCANNING OPTIONAL: Fix Pull Requests + polaris_fixpr_enabled: true + + ### GITHUB Token + # Required when Pull Request comments, Fix Pull Requests or GitHub issues are enabled + github_token: ${{ secrets.GITHUB_TOKEN }} + + ### ENABLE OPTIONAL SCAN REPORTS + polaris_reports_sarif_create: true + polaris_upload_sarif_report: true + + ### COVERITY BUILD COMMANDS (uncomment and configure for compiled languages) + # coverity_build_command: mvn -B -DskipTests package + # coverity_clean_command: mvn -B clean + + ### OPTIONAL DIAGNOSTICS: Upload logs as build artifact if true + include_diagnostics: false \ No newline at end of file diff --git a/options.yml b/options.yml new file mode 100644 index 0000000000..828d0cdcf6 --- /dev/null +++ b/options.yml 
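Review bot: `uses: LanceMcCarthy/black-duck-security-scan@lance/update-runner-node-version` runs a personal fork on a feature branch instead of the vendor's published action, and it is handed `POLARIS_ACCESS_TOKEN` plus a `GITHUB_TOKEN` that `polaris_fixpr_enabled`, `polaris_externalIssues_create` and `polaris_upload_sarif_report` presumably need write scopes for; a single account can force-push or delete that branch at any time. If the fork is a temporary workaround for the runner Node version the `Check Node Version` step hints at, pin the exact commit and leave a comment naming the upstream issue, otherwise switch back to `blackduck-inc/black-duck-security-scan@<full-commit-sha>` so this file and `coverity.yml` in the same commit agree on one pinned source. Add an explicit `permissions:` block sized to the enabled features (likely `contents: write`, `pull-requests: write`, `issues: write`, `security-events: write`) rather than inheriting the repository default, and consider `persist-credentials: false` on checkout as the deleted workflows had. The file also lacks a trailing newline, which the diff flags.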
@@ -0,0 +1,115 @@ + Option 1: Test the NEW parameter (coverity_password) + + name: coverity-action + on: + push: + branches: [main, master, develop, stage, release] + pull_request: + branches: [main, master, develop, stage, release] + workflow_dispatch: + jobs: + coverity: + runs-on: self-hosted + steps: + - name: Checkout Source + uses: actions/checkout@v4 + + - name: Coverity Scan (Testing NEW coverity_password parameter) + uses: blackduck-inc/black-duck-security-scan@brnach-coverage + with: + ### SCANNING: Required fields - Using NEW parameter name + coverity_url: ${{ vars.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_password: ${{ secrets.COVERITY_PASSPHRASE }} # NEW parameter name + + ### POLICY ENFORCEMENT: Break build on full scan when encounter outstanding issues + coverity_policy_view: ${{ github.event_name != 'pull_request' && 'Outstanding Issues' || '' }} + + ### PULL REQUEST COMMENTS: + coverity_prComment_enabled: true + + # Required when PR comments is enabled + github_token: ${{ secrets.GITHUB_TOKEN }} + + ## OPTIONAL DIAGNOSTICS: Upload logs as build artifact if true + include_diagnostics: false + + Option 2: Test BACKWARD COMPATIBILITY (deprecated parameter still works) + + name: coverity-action + on: + push: + branches: [main, master, develop, stage, release] + pull_request: + branches: [main, master, develop, stage, release] + workflow_dispatch: + jobs: + coverity: + runs-on: self-hosted + steps: + - name: Checkout Source + uses: actions/checkout@v4 + + - name: Coverity Scan (Testing backward compatibility with deprecated coverity_passphrase) + uses: blackduck-inc/black-duck-security-scan@brnach-coverage + with: + ### SCANNING: Required fields - Using OLD deprecated parameter name + coverity_url: ${{ vars.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} # DEPRECATED - but should still work + + ### POLICY ENFORCEMENT: Break build on full scan when 
encounter outstanding issues + coverity_policy_view: ${{ github.event_name != 'pull_request' && 'Outstanding Issues' || '' }} + + ### PULL REQUEST COMMENTS: + coverity_prComment_enabled: true + + # Required when PR comments is enabled + github_token: ${{ secrets.GITHUB_TOKEN }} + + ## OPTIONAL DIAGNOSTICS: Upload logs as build artifact if true + include_diagnostics: false + + Option 3: Comprehensive Test - Run BOTH scenarios in parallel + + name: coverity-action-comprehensive-test + on: + push: + branches: [main, master, develop, stage, release] + pull_request: + branches: [main, master, develop, stage, release] + workflow_dispatch: + jobs: + # Test new parameter + coverity-new-param: + runs-on: self-hosted + steps: + - name: Checkout Source + uses: actions/checkout@v4 + + - name: Coverity Scan with NEW coverity_password + uses: blackduck-inc/black-duck-security-scan@brnach-coverage + with: + coverity_url: ${{ vars.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_password: ${{ secrets.COVERITY_PASSPHRASE }} + coverity_prComment_enabled: true + github_token: ${{ secrets.GITHUB_TOKEN }} + include_diagnostics: true # Enable to verify logs + + # Test backward compatibility + coverity-deprecated-param: + runs-on: self-hosted + steps: + - name: Checkout Source + uses: actions/checkout@v4 + + - name: Coverity Scan with DEPRECATED coverity_passphrase + uses: blackduck-inc/black-duck-security-scan@brnach-coverage + with: + coverity_url: ${{ vars.COVERITY_URL }} + coverity_user: ${{ secrets.COVERITY_USER }} + coverity_passphrase: ${{ secrets.COVERITY_PASSPHRASE }} + coverity_prComment_enabled: true + github_token: ${{ secrets.GITHUB_TOKEN }} + include_diagnostics: true # Enable to verify logs \ No newline at end of file
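Review bot: `options.yml` at the repository root mixes prose headings (`Option 1: Test the NEW parameter (coverity_password)`) with three separate workflow bodies, so it is neither valid YAML nor a workflow GitHub will run; it reads as scratch notes that belong in the PR description or a markdown file under `docs/`, not as a committed config file that tooling may try to parse. All three snippets reference `black-duck-security-scan@brnach-coverage`, which looks like a typo for `branch-coverage` and is in any case an unpinned branch ref that would receive `COVERITY_USER` and `COVERITY_PASSPHRASE`. Option 3 sets `include_diagnostics: true`, which per the file's own comment uploads the scan logs as a build artifact, typically downloadable by anyone with read access to the repository — confirm those logs do not echo the Coverity URL, user or session details before enabling it outside a throwaway test. If the file is kept, rename it to `.md` and fence each snippet so it is clearly documentation.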