From 9320c1133e81cd1cdc05711c2f9bbd71bcc6ce3d Mon Sep 17 00:00:00 2001 From: Ashish Dhingra <67916761+ashishdhingra@users.noreply.github.com> Date: Wed, 11 Jun 2025 10:45:57 -0700 Subject: [PATCH 1/5] Sync master from dev (#378) * update actions to use commit hash (#368) * Update GitHub Actions * Update GitHub Actions * ci: add sync master/dev workflow * Add dependabot configuration (#373) * Add Semgrep security scanning workflow (#376) * Add Semgrep security scanning workflow * Update semgrep-analysis.yml * chore: Pinned to v1.6.0 of aws-github-ops/handle-stale-discussions so that closed GitHub discussions are not auto-reopened. (#377) --------- Co-authored-by: Garrett Beatty Co-authored-by: Phil Asmar --- .github/dependabot.yml | 13 ++ .github/workflows/aws-ci.yml | 4 +- .github/workflows/closed-issue-message.yml | 2 +- .github/workflows/create-release-pr.yml | 10 +- .../workflows/handle-stale-discussions.yml | 2 +- .github/workflows/semgrep-analysis.yml | 41 +++++ .github/workflows/stale_issues.yml | 2 +- .github/workflows/sync-master-dev.yml | 147 ++++++++++++++++++ 8 files changed, 211 insertions(+), 10 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/semgrep-analysis.yml create mode 100644 .github/workflows/sync-master-dev.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..b76d5c8 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +# Set update schedule for GitHub Actions + +version: 2 +updates: + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + # Check for updates to GitHub Actions every week + interval: "weekly" + labels: + - "Release Not Needed" + target-branch: "dev" \ No newline at end of file diff --git a/.github/workflows/aws-ci.yml b/.github/workflows/aws-ci.yml index f35e624..c51d7e1 100644 --- a/.github/workflows/aws-ci.yml +++ b/.github/workflows/aws-ci.yml 
@@ -36,11 +36,11 @@ jobs: aws-region: us-west-2 - name: Run Tests on AWS id: codebuild - uses: aws-actions/aws-codebuild-run-build@v1 + uses: aws-actions/aws-codebuild-run-build@4d15a47425739ac2296ba5e7eee3bdd4bfbdd767 #v1.0.18 with: project-name: ${{ secrets.CI_TESTING_CODE_BUILD_PROJECT_NAME }} - name: CodeBuild Link shell: pwsh run: | $buildId = "${{ steps.codebuild.outputs.aws-build-id }}" - echo $buildId \ No newline at end of file + echo $buildId diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml index 3691dea..0ae039c 100644 --- a/.github/workflows/closed-issue-message.yml +++ b/.github/workflows/closed-issue-message.yml @@ -6,7 +6,7 @@ jobs: auto_comment: runs-on: ubuntu-latest steps: - - uses: aws-actions/closed-issue-message@v1 + - uses: aws-actions/closed-issue-message@10aaf6366131b673a7c8b7742f8b3849f1d44f18 #v2 with: # These inputs are both required repo-token: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml index d2f72f7..2e1be4e 100644 --- a/.github/workflows/create-release-pr.yml +++ b/.github/workflows/create-release-pr.yml 
@@ -25,31 +25,31 @@ jobs: steps: # Assume an AWS Role that provides access to the Access Token - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 #v4 + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0 with: role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }} aws-region: us-west-2 # Retrieve the Access Token from Secrets Manager - name: Retrieve secret from AWS Secrets Manager - uses: aws-actions/aws-secretsmanager-get-secrets@v2 + uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8 with: secret-ids: | AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }} parse-json-secrets: true # Checkout a full clone of the repo - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 with: fetch-depth: '0' token: ${{ env.AWS_SECRET_TOKEN }} # Install .NET8 which is needed for AutoVer - name: Setup .NET 8.0 - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 #v4.3.1 with: dotnet-version: 8.0.x # Install AutoVer to automate versioning and changelog creation - name: Install AutoVer - run: dotnet tool install --global AutoVer --version 0.0.24 + run: dotnet tool install --global AutoVer --version 0.0.25 # Set up a git user to be able to run git commands later on - name: Setup Git User run: | diff --git a/.github/workflows/handle-stale-discussions.yml b/.github/workflows/handle-stale-discussions.yml index 8b5bcb1..25a7055 100644 --- a/.github/workflows/handle-stale-discussions.yml +++ b/.github/workflows/handle-stale-discussions.yml 
@@ -13,6 +13,6 @@ jobs: discussions: write steps: - name: Stale discussions action - uses: aws-github-ops/handle-stale-discussions@v1 + uses: aws-github-ops/handle-stale-discussions@c0beee451a5d33d9c8f048a6d4e7c856b5422544 #v1.6.0 env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml new file mode 100644 index 0000000..aeecb95 --- /dev/null +++ b/.github/workflows/semgrep-analysis.yml @@ -0,0 +1,41 @@ +name: Semgrep + +on: + # Scan changed files in PRs, block on new issues only (existing issues ignored) + pull_request: + + push: + branches: ["dev", "master"] + + schedule: + - cron: '23 20 * * 1' + + # Manually trigger the workflow + workflow_dispatch: + +jobs: + semgrep: + name: Scan + permissions: + security-events: write + runs-on: ubuntu-latest + container: + image: returntocorp/semgrep + # Skip any PR created by dependabot to avoid permission issues + if: (github.actor != 'dependabot[bot]') + steps: + # Fetch project source + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + + - run: semgrep ci --sarif > semgrep.sarif + env: + SEMGREP_RULES: >- # more at semgrep.dev/explore + p/security-audit + p/secrets + p/owasp-top-ten + + - name: Upload SARIF file for GitHub Advanced Security Dashboard + uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 #v3.28.16 + with: + sarif_file: semgrep.sarif + if: always() diff --git a/.github/workflows/stale_issues.yml b/.github/workflows/stale_issues.yml index b833062..dfda146 100644 --- a/.github/workflows/stale_issues.yml +++ b/.github/workflows/stale_issues.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest name: Stale issue job steps: - - uses: aws-actions/stale-issue-cleanup@v6 + - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc #v7.1.0 with: # Setting messages to an empty string will cause the automation to skip # that category 
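Review bot: In the new semgrep-analysis.yml, `container: image: returntocorp/semgrep` is the one dependency in this series still taken from a mutable reference — no tag and no digest — while every `uses:` in the same commit is pinned to a commit SHA, so the scanner that produces the SARIF pushed to the security dashboard can change underneath the workflow at any time. Pin it the same way, e.g. `image: semgrep/semgrep:<version>@sha256:<digest>`; as far as I know the project now publishes under the `semgrep/semgrep` namespace rather than `returntocorp`, which is worth confirming before choosing the tag. The `if: (github.actor != 'dependabot[bot]')` guard only covers Dependabot: a pull request from a fork runs with a read-only token, so the `upload-sarif` step (which needs `security-events: write`) would be expected to fail there unless the job also skips on `github.event.pull_request.head.repo.full_name != github.repository`, although `if: always()` on the upload at least leaves the scan output in the job log.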
diff --git a/.github/workflows/sync-master-dev.yml b/.github/workflows/sync-master-dev.yml new file mode 100644 index 0000000..eb0a3ae --- /dev/null +++ b/.github/workflows/sync-master-dev.yml 
@@ -0,0 +1,147 @@ +# This GitHub Workflow is designed to run automatically after the Release PR, which was created by the `Create Release PR` workflow, is closed. +# This workflow has 2 jobs. One will run if the `Release PR` is successfully merged, indicating that a release should go out. +# The other will run if the `Release PR` was closed and a release is not intended to go out. +name: Sync 'dev' and 'master' + +# The workflow will automatically be triggered when any PR is closed. +on: + pull_request: + types: [closed] + +permissions: + contents: write + id-token: write + +jobs: + # This job will check if the PR was successfully merged, it's source branch is `releases/next-release` and target branch is `dev`. + # This indicates that the merged PR was the `Release PR`. + # This job will synchronize `dev` and `master`, create a GitHub Release and delete the `releases/next-release` branch. + sync-dev-and-master: + name: Sync dev and master + if: | + github.event.pull_request.merged == true && + github.event.pull_request.head.ref == 'releases/next-release' && + github.event.pull_request.base.ref == 'dev' + runs-on: ubuntu-latest + steps: + # Assume an AWS Role that provides access to the Access Token + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0 + with: + role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }} + aws-region: us-west-2 + # Retrieve the Access Token from Secrets Manager + - name: Retrieve secret from AWS Secrets Manager + uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8 + with: + secret-ids: | + AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }} + parse-json-secrets: true + # Checkout a full clone of the repo + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + ref: dev + fetch-depth: 0 + token: ${{ env.AWS_SECRET_TOKEN }} + # Install .NET9 
which is needed for AutoVer + - name: Setup .NET 9.0 + uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 #v4.3.1 + with: + dotnet-version: 9.0.x + # Install AutoVer which is needed to retrieve information about the current release. + - name: Install AutoVer + run: dotnet tool install --global AutoVer --version 0.0.25 + # Set up a git user to be able to run git commands later on + - name: Setup Git User + run: | + git config --global user.email "github-aws-sdk-dotnet-automation@amazon.com" + git config --global user.name "aws-sdk-dotnet-automation" + # Retrieve the release name which is needed for the GitHub Release + - name: Read Release Name + id: read-release-name + run: | + version=$(autover changelog --release-name) + echo "VERSION=$version" >> $GITHUB_OUTPUT + # Retrieve the tag name which is needed for the GitHub Release + - name: Read Tag Name + id: read-tag-name + run: | + tag=$(autover changelog --tag-name) + echo "TAG=$tag" >> $GITHUB_OUTPUT + # Retrieve the changelog which is needed for the GitHub Release + - name: Read Changelog + id: read-changelog + run: | + changelog=$(autover changelog --output-to-console) + echo "CHANGELOG<> "$GITHUB_OUTPUT" + # Merge dev into master in order to synchronize the 2 branches + - name: Merge dev to master + run: | + git fetch origin + git checkout master + git merge dev + git push origin master + # Create the GitHub Release + - name: Create GitHub Release + env: + GITHUB_TOKEN: ${{ env.AWS_SECRET_TOKEN }} + run: | + gh release create "${{ steps.read-tag-name.outputs.TAG }}" --title "${{ steps.read-release-name.outputs.VERSION }}" --notes "${{ steps.read-changelog.outputs.CHANGELOG }}" + # Delete the `releases/next-release` branch + - name: Clean up + run: | + git fetch origin + if git ls-remote --exit-code --heads origin releases/next-release > /dev/null; then + echo "Branch 'releases/next-release' exists on origin. Deleting..." 
+ git push origin --delete releases/next-release + else + echo "Branch 'releases/next-release' does not exist on origin, skipping deletion." + fi + # This job will check if the PR was closed, it's source branch is `releases/next-release` and target branch is `dev`. + # This indicates that the closed PR was the `Release PR`. + # This job will delete the tag created by AutoVer and the release branch. + clean-up-closed-release: + name: Clean up closed release + if: | + github.event.pull_request.merged == false && + github.event.pull_request.head.ref == 'releases/next-release' && + github.event.pull_request.base.ref == 'dev' + runs-on: ubuntu-latest + steps: + # Checkout a full clone of the repo + - name: Checkout code + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + with: + ref: releases/next-release + fetch-depth: 0 + # Install .NET9 which is needed for AutoVer + - name: Setup .NET 9.0 + uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 #v4.3.1 + with: + dotnet-version: 9.0.x + # Install AutoVer which is needed to retrieve information about the current release. + - name: Install AutoVer + run: dotnet tool install --global AutoVer --version 0.0.25 + # Set up a git user to be able to run git commands later on + - name: Setup Git User + run: | + git config --global user.email "github-aws-sdk-dotnet-automation@amazon.com" + git config --global user.name "aws-sdk-dotnet-automation" + # Retrieve the tag name to be deleted + - name: Read Tag Name + id: read-tag-name + run: | + tag=$(autover changelog --tag-name) + echo "TAG=$tag" >> $GITHUB_OUTPUT + # Delete the tag created by AutoVer and the release branch + - name: Clean up + run: | + git fetch origin + git push --delete origin ${{ steps.read-tag-name.outputs.TAG }} + if git ls-remote --exit-code --heads origin releases/next-release > /dev/null; then + echo "Branch 'releases/next-release' exists on origin. Deleting..." 
+ git push origin --delete releases/next-release + else + echo "Branch 'releases/next-release' does not exist on origin, skipping deletion." + fi \ No newline at end of file From ff521799a989d62e4e684273a49037088b58442c Mon Sep 17 00:00:00 2001 From: Garrett Beatty Date: Sat, 21 Jun 2025 16:03:35 -0400 Subject: [PATCH 2/5] Dev (#389) * Bump tj-actions/changed-files from 45.0.4 to 46.0.5 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 45.0.4 to 46.0.5. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/4edd678ac3f81e2dc578756871e4d00c19191daf...ed68ef82c095e0d48ec87eccea555d944a631a4c) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-version: 46.0.5 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Bump actions/checkout from 3 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Commits](https://github.com/actions/checkout/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update dependabot.yml --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Sanket T <59204773+sankettangade@users.noreply.github.com> --- .github/dependabot.yml | 6 +++--- .github/workflows/change-file-in-pr.yml | 4 ++-- .github/workflows/create-release-pr.yml | 2 +- .github/workflows/semgrep-analysis.yml | 2 +- .github/workflows/sync-master-dev.yml | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) 
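Review bot: In the `Create GitHub Release` step the tag, title and changelog are spliced into the shell script through `${{ steps.*.outputs.* }}` before it executes, and the changelog text is presumably assembled by AutoVer from the `.autover/changes/` files that contributors add in pull requests, so a crafted entry can close the double quote and run commands inside a job that holds the release PAT (`AWS_SECRET_TOKEN`) and `contents: write`. Pass the three values through `env:` and reference them as shell variables, and give the clean-up job's `git push --delete origin ${{ steps.read-tag-name.outputs.TAG }}` the same treatment as `git push --delete origin "$TAG"`. Both job conditions also key only on branch names, so a pull request from a fork whose head branch happens to be called `releases/next-release` satisfies them (the fork run would get a read-only token, but the jobs still execute); adding `github.event.pull_request.head.repo.full_name == github.repository` to each `if:` restricts them to this repository's own branches. The `echo "CHANGELOG<> "$GITHUB_OUTPUT"` line appears mangled in this rendering — presumably a `<<EOF` heredoc into `$GITHUB_OUTPUT` — so I could not check the multi-line output write itself.
```yaml
      # Create the GitHub Release
      - name: Create GitHub Release
        env:
          GITHUB_TOKEN: ${{ env.AWS_SECRET_TOKEN }}
          # Step outputs go through the environment so that contributor-authored
          # changelog text is never expanded into the script source.
          TAG: ${{ steps.read-tag-name.outputs.TAG }}
          VERSION: ${{ steps.read-release-name.outputs.VERSION }}
          CHANGELOG: ${{ steps.read-changelog.outputs.CHANGELOG }}
        run: |
          gh release create "$TAG" --title "$VERSION" --notes "$CHANGELOG"
      # … unchanged: Clean up step …
```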
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index b76d5c8..8190c86 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -6,8 +6,8 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - # Check for updates to GitHub Actions every week - interval: "weekly" + # Check for updates to GitHub Actions every quarter + interval: "quarterly" labels: - "Release Not Needed" - target-branch: "dev" \ No newline at end of file + target-branch: "dev" diff --git a/.github/workflows/change-file-in-pr.yml b/.github/workflows/change-file-in-pr.yml index fac4d08..6b9ab6b 100644 --- a/.github/workflows/change-file-in-pr.yml +++ b/.github/workflows/change-file-in-pr.yml @@ -12,11 +12,11 @@ jobs: steps: - name: Checkout PR code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Get List of Changed Files id: changed-files - uses: tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf #v45 + uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c #v45 - name: Check for Change File(s) in .autover/changes/ run: | diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml index 2e1be4e..3e413bf 100644 --- a/.github/workflows/create-release-pr.yml +++ b/.github/workflows/create-release-pr.yml @@ -38,7 +38,7 @@ jobs: parse-json-secrets: true # Checkout a full clone of the repo - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f #v4.2.2 with: fetch-depth: '0' token: ${{ env.AWS_SECRET_TOKEN }} diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml index aeecb95..71eaa8a 100644 --- a/.github/workflows/semgrep-analysis.yml +++ b/.github/workflows/semgrep-analysis.yml 
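Review bot: Changing the github-actions Dependabot schedule to `interval: "quarterly"` means a pin to a vulnerable or compromised action release can stay in place for up to three months before an update PR is even opened, and with SHA-pinned `uses:` references the schedule is the only route by which a fixed version arrives unless Dependabot security updates are confirmed to cover the github-actions ecosystem for this repository. If the intent is only to cut PR noise, `interval: "monthly"` together with a `groups:` entry that batches all action bumps into one PR keeps the cadence short without the noise. A comment next to the interval such as `# Advisory fixes for pinned actions also arrive through this schedule; keep it short` would make the trade-off visible to whoever tunes it next.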
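Review bot: The Dependabot bump in change-file-in-pr.yml leaves `actions/checkout@v4` as a mutable tag, while every other checkout in this series is pinned to `09d2acae674a48949e3602304ab46fd20ae0c42f #v4.2.2`; Dependabot preserves whatever reference style it finds, so this one needs converting by hand to `uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f #v4.2.2`. On the following step the trailing comment `#v45` no longer matches the SHA, which the commit message identifies as tj-actions/changed-files 46.0.5, and since that comment is what a reviewer reads the pin as it should be updated to `#v46.0.5`. This job runs on `pull_request` (including `labeled`), i.e. on code from untrusted contributors, which is exactly where an unpinned action reference matters most.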
@@ -25,7 +25,7 @@ jobs: if: (github.actor != 'dependabot[bot]') steps: # Fetch project source - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + - uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f #v4.2.2 - run: semgrep ci --sarif > semgrep.sarif env: diff --git a/.github/workflows/sync-master-dev.yml b/.github/workflows/sync-master-dev.yml index eb0a3ae..a214e15 100644 --- a/.github/workflows/sync-master-dev.yml +++ b/.github/workflows/sync-master-dev.yml @@ -39,7 +39,7 @@ jobs: parse-json-secrets: true # Checkout a full clone of the repo - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f #v4.2.2 with: ref: dev fetch-depth: 0 @@ -111,7 +111,7 @@ jobs: steps: # Checkout a full clone of the repo - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + uses: actions/checkout@09d2acae674a48949e3602304ab46fd20ae0c42f #v4.2.2 with: ref: releases/next-release fetch-depth: 0 From 8468e7926eebef97fc3ad211f28a95b96eb6d7b0 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:37:51 -0400 Subject: [PATCH 3/5] ci: scope down permissions for stale_issues.yml --- .github/workflows/stale_issues.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/stale_issues.yml b/.github/workflows/stale_issues.yml index dfda146..baa61ba 100644 --- a/.github/workflows/stale_issues.yml +++ b/.github/workflows/stale_issues.yml @@ -5,6 +5,10 @@ on: schedule: - cron: "0 0 * * *" +permissions: + issues: write + pull-requests: write + jobs: cleanup: runs-on: ubuntu-latest From 6b34dc8eca5fd6b7b52a34fcbe150a76081653fe Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:37:53 -0400 Subject: [PATCH 4/5] ci: scope down permissions for closed-issue-message.yml --- .github/workflows/closed-issue-message.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml index 0ae039c..df7a46b 100644 --- a/.github/workflows/closed-issue-message.yml +++ b/.github/workflows/closed-issue-message.yml @@ -2,6 +2,9 @@ name: Closed Issue Message on: issues: types: [closed] +permissions: + issues: write + jobs: auto_comment: runs-on: ubuntu-latest From a362d71cda73fbef7962259e7f696750ab3b4ec7 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:37:55 -0400 Subject: [PATCH 5/5] ci: scope down permissions for change-file-in-pr.yml --- .github/workflows/change-file-in-pr.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/change-file-in-pr.yml b/.github/workflows/change-file-in-pr.yml index 6b9ab6b..6aac558 100644 --- a/.github/workflows/change-file-in-pr.yml +++ b/.github/workflows/change-file-in-pr.yml @@ -4,6 +4,9 @@ on: pull_request: types: [opened, synchronize, reopened, labeled] +permissions: + contents: read + jobs: check-files-in-directory: if: ${{ !contains(github.event.pull_request.labels.*.name, 'Release Not Needed') && !contains(github.event.pull_request.labels.*.name, 'Release PR') }}