Merge 04d1ad4795 into 85e6279cec

.github/workflows/defender-for-devops.yml

@@ -0,0 +1,47 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle.
+# MSDO installs, configures and runs the latest versions of static analysis tools
+# (including, but not limited to, SDL/security and compliance tools).
+#
+# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue,
+# as well as Windows self hosted agents. ubuntu-latest support coming soon.
+#
+# For more information about the action , check out https://github.com/microsoft/security-devops-action
+#
+# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration
+# and provide permission before this can report data back to azure.
+# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github
+
+name: "Microsoft Defender For Devops"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '37 10 * * 6'
+
+jobs:
+  MSDO:
+    # currently only windows latest is supported
+    runs-on: windows-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: |
+          5.0.x
+          6.0.x
+    - name: Run Microsoft Security DevOps
+      uses: microsoft/security-devops-action@v1.6.0
+      id: msdo
+    - name: Upload results to Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ${{ steps.msdo.outputs.sarifFile }}

action.yml

@@ -1,109 +1,22 @@
 name: 'Checkout'
-description: 'Checkout a Git repository at a particular version'
-inputs:
+description: 'Checkout a Git repository'
+inputs: 
   repository:
-    description: 'Repository name with owner. For example, actions/checkout'
-    default: ${{ github.repository }}
+    description: 'Repository name'
   ref:
-    description: >
-      The branch, tag or SHA to checkout. When checking out the repository that
-      triggered a workflow, this defaults to the reference or SHA for that
-      event.  Otherwise, uses the default branch.
+    description: 'Ref to checkout (SHA, branch, tag)'
   token:
-    description: >
-      Personal access token (PAT) used to fetch the repository. The PAT is configured
-      with the local git config, which enables your scripts to run authenticated git
-      commands. The post-job step removes the PAT.
-
-
-      We recommend using a service account with the least permissions necessary.
-      Also when generating a new PAT, select the least scopes necessary.
-
-
-      [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
-    default: ${{ github.token }}
-  ssh-key:
-    description: >
-      SSH key used to fetch the repository. The SSH key is configured with the local
-      git config, which enables your scripts to run authenticated git commands.
-      The post-job step removes the SSH key.
-
-
-      We recommend using a service account with the least permissions necessary.
-
-
-      [Learn more about creating and using
-      encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
-  ssh-known-hosts:
-    description: >
-      Known hosts in addition to the user and global host key database. The public
-      SSH keys for a host may be obtained using the utility `ssh-keyscan`. For example,
-      `ssh-keyscan github.com`. The public key for github.com is always implicitly added.
-  ssh-strict:
-    description: >
-      Whether to perform strict host key checking. When true, adds the options `StrictHostKeyChecking=yes`
-      and `CheckHostIP=no` to the SSH command line. Use the input `ssh-known-hosts` to
-      configure additional hosts.
-    default: true
-  ssh-user:
-    description: >
-      The user to use when connecting to the remote SSH host. By default 'git' is used.
-    default: git
-  persist-credentials:
-    description: 'Whether to configure the token or SSH key with the local git config'
-    default: true
-  path:
-    description: 'Relative path under $GITHUB_WORKSPACE to place the repository'
+    description: 'Access token for clone repository'
   clean:
-    description: 'Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching'
+    description: 'If true, execute `execute git clean -ffdx && git reset --hard HEAD` before fetching'
     default: true
-  filter:
-    description: >
-      Partially clone against a given filter.
-      Overrides sparse-checkout if set.
-    default: null
-  sparse-checkout:
-    description: >
-      Do a sparse checkout on given patterns.
-      Each pattern should be separated with new lines.
-    default: null
-  sparse-checkout-cone-mode:
-    description: >
-      Specifies whether to use cone-mode when doing a sparse checkout.
-    default: true
-  fetch-depth:
-    description: 'Number of commits to fetch. 0 indicates all history for all branches and tags.'
-    default: 1
-  fetch-tags:
-    description: 'Whether to fetch tags, even if fetch-depth > 0.'
-    default: false
-  show-progress:
-    description: 'Whether to show progress status output when fetching.'
-    default: true
-  lfs:
-    description: 'Whether to download Git-LFS files'
-    default: false
   submodules:
-    description: >
-      Whether to checkout submodules: `true` to checkout submodules or `recursive` to
-      recursively checkout submodules.
-
-
-      When the `ssh-key` input is not provided, SSH URLs beginning with `git@github.com:` are
-      converted to HTTPS.
-    default: false
-  set-safe-directory:
-    description: Add repository path as safe.directory for Git global config by running `git config --global --add safe.directory <path>`
-    default: true
-  github-server-url:
-    description: The base URL for the GitHub instance that you are trying to clone from, will use environment defaults to fetch from the same instance that the workflow is running from unless specified. Example URLs are https://github.com or https://my-ghes-server.example.com
-    required: false
-outputs:
-  ref:
-    description: 'The branch, tag or SHA that was checked out'
-  commit:
-    description: 'The commit SHA that was checked out'
+    description: 'Directory containing files to upload'
+  lfs:
+    description: 'Whether to download Git-LFS files; defaults to false'
+  fetch-depth:
+    description: 'The depth of commits to ask Git to fetch; defaults to no limit'  
+  path:
+    description: 'Optional path to check out source code'  
 runs:
-  using: node20
-  main: dist/index.js
-  post: dist/index.js
+  plugin: 'checkout'

package.json

@@ -1,6 +1,6 @@
 {
   "name": "checkout",
-  "version": "4.2.2",
+  "version": "2.0.2",
   "description": "checkout action",
   "main": "lib/main.js",
   "scripts": {
@@ -8,9 +8,7 @@
     "format": "prettier --write '**/*.ts'",
     "format-check": "prettier --check '**/*.ts'",
     "lint": "eslint src/**/*.ts",
-    "test": "jest",
-    "licensed-check": "src/misc/licensed-check.sh",
-    "licensed-generate": "src/misc/licensed-generate.sh"
+    "test": "jest"
   },
   "repository": {
     "type": "git",
@@ -28,28 +26,27 @@
   },
   "homepage": "https://github.com/actions/checkout#readme",
   "dependencies": {
-    "@actions/core": "^1.10.1",
-    "@actions/exec": "^1.1.1",
-    "@actions/github": "^6.0.0",
-    "@actions/io": "^1.1.3",
-    "@actions/tool-cache": "^2.0.1",
-    "uuid": "^9.0.1"
+    "@actions/core": "^1.1.3",
+    "@actions/exec": "^1.0.1",
+    "@actions/github": "^2.2.0",
+    "@actions/io": "^1.0.1",
+    "@actions/tool-cache": "^1.1.2",
+    "uuid": "^3.3.3"
   },
   "devDependencies": {
-    "@types/jest": "^29.5.12",
-    "@types/node": "^20.12.12",
-    "@types/uuid": "^9.0.8",
-    "@typescript-eslint/eslint-plugin": "^7.9.0",
-    "@typescript-eslint/parser": "^7.9.0",
-    "@vercel/ncc": "^0.38.1",
-    "eslint": "^8.57.0",
-    "eslint-plugin-github": "^4.10.2",
-    "eslint-plugin-jest": "^28.8.2",
-    "jest": "^29.7.0",
-    "jest-circus": "^29.7.0",
-    "js-yaml": "^4.1.0",
-    "prettier": "^3.3.3",
-    "ts-jest": "^29.2.5",
-    "typescript": "^5.5.4"
+    "@types/jest": "^24.0.23",
+    "@types/node": "^12.7.12",
+    "@types/uuid": "^3.4.6",
+    "@typescript-eslint/parser": "^2.8.0",
+    "@vercel/ncc": "^0.23.0",
+    "eslint": "^5.16.0",
+    "eslint-plugin-github": "^2.0.0",
+    "eslint-plugin-jest": "^22.21.0",
+    "jest": "^24.9.0",
+    "jest-circus": "^24.9.0",
+    "js-yaml": "^3.13.1",
+    "prettier": "^1.19.1",
+    "ts-jest": "^24.2.0",
+    "typescript": "^3.6.4"
   }
 }