From deb966a13ada28effb4d8d93cba17344b655ccea Mon Sep 17 00:00:00 2001 From: "cid-workflow[bot]" <142626371+cid-workflow[bot]@users.noreply.github.com> Date: Sun, 31 May 2026 14:10:49 +0000 Subject: [PATCH] ci: add initial workflow configuration --- .cid/scripts/install.sh | 86 + .cid/state-github.json | 2390 ++++++++++++++++++++++++ .github/workflows/cid-main.yml | 420 +++++ .github/workflows/cid-nightly.yml | 411 ++++ .github/workflows/cid-ossf.yml | 82 - .github/workflows/cid-pull-request.yml | 402 ++++ .github/workflows/cid-pullrequest.yml | 235 --- .github/workflows/cid-release.yml | 479 +++++ .github/workflows/cid.yml | 327 ---- 9 files changed, 4188 insertions(+), 644 deletions(-) create mode 100644 .cid/scripts/install.sh create mode 100644 .cid/state-github.json create mode 100644 .github/workflows/cid-main.yml create mode 100644 .github/workflows/cid-nightly.yml delete mode 100644 .github/workflows/cid-ossf.yml create mode 100644 .github/workflows/cid-pull-request.yml delete mode 100644 .github/workflows/cid-pullrequest.yml create mode 100644 .github/workflows/cid-release.yml delete mode 100644 .github/workflows/cid.yml diff --git a/.cid/scripts/install.sh b/.cid/scripts/install.sh new file mode 100644 index 0000000..2f928db --- /dev/null +++ b/.cid/scripts/install.sh @@ -0,0 +1,86 @@ +#!/usr/bin/env bash +set -euo pipefail + +# parameters +CID_VERSION="${1:?Error: CID_VERSION must be provided}" +CID_SHA256="${2:?Error: CID_SHA256 must be provided for integrity check}" +GPG_FINGERPRINT="${3:-}" + +# variables +TMP_DIR="$(mktemp -d)" +BIN_DIR="/usr/local/bin" +BASE_URL="${CID_MIRROR_URL:-https://github.com/cidverse/cid/releases/download}" +BINARY_URL="${BASE_URL}/v${CID_VERSION}/linux_amd64" +SIG_URL="${BINARY_URL}.asc" + +# github actions +if [[ "${GITHUB_ACTIONS:-}" == "true" ]]; then + echo "Detected GitHub Actions ..." + + TOOL_DIR="${RUNNER_TOOL_CACHE}/cid-${CID_SHA256}" + BIN_DIR="${TOOL_DIR}/bin" +fi + +# download +echo "Fetching binary and signature [$CID_VERSION]..." +curl -sSL -o "$TMP_DIR/cid" "$BINARY_URL" +curl -sSL -o "$TMP_DIR/cid.asc" "$SIG_URL" + +# sha256 integrity +if [[ -n "${CID_SHA256}" ]]; then + ACTUAL_SHA256=$(sha256sum "$TMP_DIR/cid" | awk '{print $1}') + + if [[ "${ACTUAL_SHA256}" == "${CID_SHA256}" ]]; then + echo "✅ CID Checksum verification passed. checksum=${ACTUAL_SHA256}" + else + echo "❌ CHECKSUM VERIFICATION FAILED!" + echo "Expected: ${CID_SHA256}" + echo "Actual: ${ACTUAL_SHA256}" + exit 1 + fi +fi + +# gpg verification +if [[ -n "${GPG_FINGERPRINT}" ]]; then + if [[ ${#GPG_FINGERPRINT} -lt 40 ]]; then + echo "❌ Error: GPG_FINGERPRINT is too short (${#GPG_FINGERPRINT}/40 chars)." + echo "Please provide the full 40-character hex fingerprint." + exit 1 + fi + + echo "Fetching GPG key ${GPG_FINGERPRINT}..." + if ! gpg --keyserver hkps://keyserver.ubuntu.com --quiet --recv-keys "$GPG_FINGERPRINT" 2>/dev/null; then + echo "❌ Error: Could not retrieve key ${GPG_FINGERPRINT} from keyserver." + exit 1 + fi + + GPG_OUTPUT=$(gpg --verify "$TMP_DIR/cid.asc" "$TMP_DIR/cid" 2>&1) + GPG_STATUS=$? + if [ $GPG_STATUS -eq 0 ]; then + echo "✅ GPG verification successful!" + echo "Key Fingerprint: ${GPG_FINGERPRINT}" + echo "$(echo "$GPG_OUTPUT" | grep "Good signature from")" + else + echo "❌ GPG VERIFICATION FAILED!" + echo "---------------------------------------------------" + echo "$GPG_OUTPUT" + echo "---------------------------------------------------" + echo "Possible issues: The file was tampered with, or the signature" + echo "was not created by the key ${GPG_FINGERPRINT}." + exit 1 + fi +fi + +# install binary +mkdir -p "$BIN_DIR" +install -m 755 "$TMP_DIR/cid" "$BIN_DIR/cid" + +# github actions +if [[ "${GITHUB_ACTIONS:-}" == "true" ]]; then + echo "${BIN_DIR}" >> "$GITHUB_PATH" + echo "CID_VERSION=${CID_VERSION}" >> "$GITHUB_ENV" +fi + +# export to path +export PATH="${BIN_DIR}:${PATH}" +echo "CID version: ${CID_VERSION}" diff --git a/.cid/state-github.json b/.cid/state-github.json new file mode 100644 index 0000000..c268ade --- /dev/null +++ b/.cid/state-github.json @@ -0,0 +1,2390 @@ +{ + "workflows": { + "Nightly": { + "version": "0.11.1", + "name": "Nightly", + "name_slug": "nightly", + "job_timeout": 10, + "default_branch": "main", + "container_runtime": "podman", + "workflow_key": "nightly", + "workflow_config": { + "type": "nightly", + "trigger_manual": true, + "trigger_cron": true, + "trigger_cron_schedule": "14 0 * * 6", + "environment_pattern": "nightly-.*" + }, + "plan": { + "name": "main", + "stages": [ + "build", + "test", + "lint", + "scan" + ], + "steps": [ + { + "id": "0", + "name": "go-build [github.com/primelib/primecodegen]", + "slug": "go-build-github-com-primelib-primecodegen", + "stage": "build", + "scope": "module", + "action": "builtin://actions/go-build", + "module": "gomod-go-mod", + "module-dir": ".", + "access": { + "executables": [ + { + "name": "go", + "constraint": "=\u003e 1.16.0" + } + ], + "network": [ + { + "host": "proxy.golang.org:443" + }, + { + "host": "storage.googleapis.com:443" + }, + { + "host": "sum.golang.org:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "binary" + } + ] + }, + "order": 0 + }, + { + "id": "1", + "name": "go-test [github.com/primelib/primecodegen]", + "slug": "go-test-github-com-primelib-primecodegen", + "stage": "test", + "scope": "module", + "action": "builtin://actions/go-test", + "module": "gomod-go-mod", + "module-dir": ".", + "access": { + "executables": [ + { + "name": "go", + "constraint": "=\u003e 1.16.0" + }, + { + "name": "go-junit-report", + "constraint": "\u003e= 0.0.0-0" + }, + { + "name": "gocover-cobertura", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "proxy.golang.org:443" + }, + { + "host": "storage.googleapis.com:443" + }, + { + "host": "sum.golang.org:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "go-coverage" + }, + { + "type": "report", + "format": "junit" + }, + { + "type": "report", + "format": "cobertura" + } + ] + }, + "order": 1 + }, + { + "id": "2", + "name": "golangci-lint [github.com/primelib/primecodegen]", + "slug": "golangci-lint-github-com-primelib-primecodegen", + "stage": "lint", + "scope": "module", + "action": "builtin://actions/golangci-lint", + "module": "gomod-go-mod", + "module-dir": ".", + "access": { + "executables": [ + { + "name": "golangci-lint", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "proxy.golang.org:443" + }, + { + "host": "storage.googleapis.com:443" + }, + { + "host": "sum.golang.org:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 2 + }, + { + "id": "3", + "name": "gitleaks-scan", + "slug": "gitleaks-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/gitleaks-scan", + "access": { + "executables": [ + { + "name": "gitleaks", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 3 + }, + { + "id": "4", + "name": "semgrep-scan", + "slug": "semgrep-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/semgrep-scan", + "access": { + "env": [ + { + "name": "SEMGREP_RULES", + "description": "See option --config." + }, + { + "name": "SEMGREP_APP_TOKEN", + "description": "Semgrep AppSec Platform Token", + "secret": true + } + ], + "executables": [ + { + "name": "semgrep", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "semgrep.dev:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 4 + }, + { + "id": "5", + "name": "trivyfs-scan", + "slug": "trivyfs-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/trivyfs-scan", + "access": { + "executables": [ + { + "name": "trivy", + "constraint": "=\u003e 0.61.0" + } + ], + "network": [ + { + "host": "mirror.gcr.io:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 5 + }, + { + "id": "6", + "name": "zizmor-scan", + "slug": "zizmor-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/zizmor-scan", + "access": { + "env": [ + { + "name": "GH_HOSTNAME", + "description": "GH_HOSTNAME is required for some online audits" + }, + { + "name": "GH_TOKEN", + "description": "GH_TOKEN is required for some online audits. Takes precedence over GITHUB_TOKEN" + }, + { + "name": "GITHUB_TOKEN", + "description": "GITHUB_TOKEN is set automatically by GitHub Actions" + } + ], + "executables": [ + { + "name": "zizmor", + "constraint": "=\u003e 1.4.1" + } + ], + "network": [ + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 6 + } + ] + }, + "workflow_dependency": { + "pkg:github-action-runner-image/ubuntu": { + "id": "ubuntu", + "type": "github-action-runner-image", + "version": "24.04" + }, + "pkg:github-action/actions/checkout": { + "id": "actions/checkout", + "type": "github-action", + "version": "v6.0.2", + "hash": "de0fac2e4500dabe0009e67214ff5f5447ce83dd" + }, + "pkg:github-action/actions/download-artifact": { + "id": "actions/download-artifact", + "type": "github-action", + "version": "v8.0.1", + "hash": "3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c" + }, + "pkg:github-action/actions/upload-artifact": { + "id": "actions/upload-artifact", + "type": "github-action", + "version": "v7.0.1", + "hash": "043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" + }, + "pkg:github-action/step-security/harden-runner": { + "id": "step-security/harden-runner", + "type": "github-action", + "version": "v2.19.3", + "hash": "ab7a9404c0f3da075243ca237b5fac12c98deaa5" + }, + "pkg:github/cidverse/cid": { + "id": "cidverse/cid", + "type": "github", + "version": "0.11.1", + "hash": "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951", + "gpg-fingerprint": "76A4948E69C62589C7B0AB84E414434DF5371FB6" + } + }, + "ignore_files": [ + "README.md", + "LICENSE", + ".gitignore", + ".gitattributes", + ".editorconfig", + "renovate.json", + "CODEOWNERS", + "SECURITY.md" + ] + }, + "Pull Request": { + "version": "0.11.1", + "name": "Pull Request", + "name_slug": "pull-request", + "job_timeout": 10, + "default_branch": "main", + "container_runtime": "podman", + "workflow_key": "pull-request", + "workflow_config": { + "type": "pull-request", + "trigger_pull_request": true, + "environment_pattern": "pr-.*" + }, + "plan": { + "name": "main", + "stages": [ + "build", + "test", + "lint", + "scan" + ], + "steps": [ + { + "id": "0", + "name": "go-build [github.com/primelib/primecodegen]", + "slug": "go-build-github-com-primelib-primecodegen", + "stage": "build", + "scope": "module", + "action": "builtin://actions/go-build", + "module": "gomod-go-mod", + "module-dir": ".", + "access": { + "executables": [ + { + "name": "go", + "constraint": "=\u003e 1.16.0" + } + ], + "network": [ + { + "host": "proxy.golang.org:443" + }, + { + "host": "storage.googleapis.com:443" + }, + { + "host": "sum.golang.org:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "binary" + } + ] + }, + "order": 0 + }, + { + "id": "1", + "name": "go-test [github.com/primelib/primecodegen]", + "slug": "go-test-github-com-primelib-primecodegen", + "stage": "test", + "scope": "module", + "action": "builtin://actions/go-test", + "module": "gomod-go-mod", + "module-dir": ".", + "access": { + "executables": [ + { + "name": "go", + "constraint": "=\u003e 1.16.0" + }, + { + "name": "go-junit-report", + "constraint": "\u003e= 0.0.0-0" + }, + { + "name": "gocover-cobertura", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "proxy.golang.org:443" + }, + { + "host": "storage.googleapis.com:443" + }, + { + "host": "sum.golang.org:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "go-coverage" + }, + { + "type": "report", + "format": "junit" + }, + { + "type": "report", + "format": "cobertura" + } + ] + }, + "order": 1 + }, + { + "id": "2", + "name": "golangci-lint [github.com/primelib/primecodegen]", + "slug": "golangci-lint-github-com-primelib-primecodegen", + "stage": "lint", + "scope": "module", + "action": "builtin://actions/golangci-lint", + "module": "gomod-go-mod", + "module-dir": ".", + "access": { + "executables": [ + { + "name": "golangci-lint", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "proxy.golang.org:443" + }, + { + "host": "storage.googleapis.com:443" + }, + { + "host": "sum.golang.org:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 2 + }, + { + "id": "3", + "name": "gitleaks-scan", + "slug": "gitleaks-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/gitleaks-scan", + "access": { + "executables": [ + { + "name": "gitleaks", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 3 + }, + { + "id": "4", + "name": "semgrep-scan", + "slug": "semgrep-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/semgrep-scan", + "access": { + "env": [ + { + "name": "SEMGREP_RULES", + "description": "See option --config." + }, + { + "name": "SEMGREP_APP_TOKEN", + "description": "Semgrep AppSec Platform Token", + "secret": true + } + ], + "executables": [ + { + "name": "semgrep", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "semgrep.dev:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 4 + }, + { + "id": "5", + "name": "trivyfs-scan", + "slug": "trivyfs-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/trivyfs-scan", + "access": { + "executables": [ + { + "name": "trivy", + "constraint": "=\u003e 0.61.0" + } + ], + "network": [ + { + "host": "mirror.gcr.io:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 5 + }, + { + "id": "6", + "name": "zizmor-scan", + "slug": "zizmor-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/zizmor-scan", + "access": { + "env": [ + { + "name": "GH_HOSTNAME", + "description": "GH_HOSTNAME is required for some online audits" + }, + { + "name": "GH_TOKEN", + "description": "GH_TOKEN is required for some online audits. Takes precedence over GITHUB_TOKEN" + }, + { + "name": "GITHUB_TOKEN", + "description": "GITHUB_TOKEN is set automatically by GitHub Actions" + } + ], + "executables": [ + { + "name": "zizmor", + "constraint": "=\u003e 1.4.1" + } + ], + "network": [ + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 6 + } + ] + }, + "workflow_dependency": { + "pkg:github-action-runner-image/ubuntu": { + "id": "ubuntu", + "type": "github-action-runner-image", + "version": "24.04" + }, + "pkg:github-action/actions/checkout": { + "id": "actions/checkout", + "type": "github-action", + "version": "v6.0.2", + "hash": "de0fac2e4500dabe0009e67214ff5f5447ce83dd" + }, + "pkg:github-action/actions/download-artifact": { + "id": "actions/download-artifact", + "type": "github-action", + "version": "v8.0.1", + "hash": "3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c" + }, + "pkg:github-action/actions/upload-artifact": { + "id": "actions/upload-artifact", + "type": "github-action", + "version": "v7.0.1", + "hash": "043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" + }, + "pkg:github-action/step-security/harden-runner": { + "id": "step-security/harden-runner", + "type": "github-action", + "version": "v2.19.3", + "hash": "ab7a9404c0f3da075243ca237b5fac12c98deaa5" + }, + "pkg:github/cidverse/cid": { + "id": "cidverse/cid", + "type": "github", + "version": "0.11.1", + "hash": "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951", + "gpg-fingerprint": "76A4948E69C62589C7B0AB84E414434DF5371FB6" + } + }, + "ignore_files": [ + "README.md", + "LICENSE", + ".gitignore", + ".gitattributes", + ".editorconfig", + "renovate.json", + "CODEOWNERS", + "SECURITY.md" + ] + }, + "Release": { + "version": "0.11.1", + "name": "Release", + "name_slug": "release", + "job_timeout": 10, + "default_branch": "main", + "container_runtime": "podman", + "workflow_key": "release", + "workflow_config": { + "type": "release", + "trigger_manual": true, + "trigger_push": true, + "trigger_push_tags": [ + "v[0-9]+.[0-9]+.[0-9]+" + ], + "environment_pattern": "release-.*" + }, + "plan": { + "name": "main", + "stages": [ + "build", + "test", + "scan", + "publish" + ], + "steps": [ + { + "id": "0", + "name": "go-build [github.com/primelib/primecodegen]", + "slug": "go-build-github-com-primelib-primecodegen", + "stage": "build", + "scope": "module", + "action": "builtin://actions/go-build", + "module": "gomod-go-mod", + "module-dir": ".", + "access": { + "executables": [ + { + "name": "go", + "constraint": "=\u003e 1.16.0" + } + ], + "network": [ + { + "host": "proxy.golang.org:443" + }, + { + "host": "storage.googleapis.com:443" + }, + { + "host": "sum.golang.org:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "binary" + } + ] + }, + "order": 0 + }, + { + "id": "1", + "name": "go-test [github.com/primelib/primecodegen]", + "slug": "go-test-github-com-primelib-primecodegen", + "stage": "test", + "scope": "module", + "action": "builtin://actions/go-test", + "module": "gomod-go-mod", + "module-dir": ".", + "access": { + "executables": [ + { + "name": "go", + "constraint": "=\u003e 1.16.0" + }, + { + "name": "go-junit-report", + "constraint": "\u003e= 0.0.0-0" + }, + { + "name": "gocover-cobertura", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "proxy.golang.org:443" + }, + { + "host": "storage.googleapis.com:443" + }, + { + "host": "sum.golang.org:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "go-coverage" + }, + { + "type": "report", + "format": "junit" + }, + { + "type": "report", + "format": "cobertura" + } + ] + }, + "order": 1 + }, + { + "id": "2", + "name": "gitleaks-scan", + "slug": "gitleaks-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/gitleaks-scan", + "access": { + "executables": [ + { + "name": "gitleaks", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 2 + }, + { + "id": "3", + "name": "semgrep-scan", + "slug": "semgrep-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/semgrep-scan", + "access": { + "env": [ + { + "name": "SEMGREP_RULES", + "description": "See option --config." + }, + { + "name": "SEMGREP_APP_TOKEN", + "description": "Semgrep AppSec Platform Token", + "secret": true + } + ], + "executables": [ + { + "name": "semgrep", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "semgrep.dev:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 3 + }, + { + "id": "4", + "name": "trivyfs-scan", + "slug": "trivyfs-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/trivyfs-scan", + "access": { + "executables": [ + { + "name": "trivy", + "constraint": "=\u003e 0.61.0" + } + ], + "network": [ + { + "host": "mirror.gcr.io:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 4 + }, + { + "id": "5", + "name": "zizmor-scan", + "slug": "zizmor-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/zizmor-scan", + "access": { + "env": [ + { + "name": "GH_HOSTNAME", + "description": "GH_HOSTNAME is required for some online audits" + }, + { + "name": "GH_TOKEN", + "description": "GH_TOKEN is required for some online audits. Takes precedence over GITHUB_TOKEN" + }, + { + "name": "GITHUB_TOKEN", + "description": "GITHUB_TOKEN is set automatically by GitHub Actions" + } + ], + "executables": [ + { + "name": "zizmor", + "constraint": "=\u003e 1.4.1" + } + ], + "network": [ + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 5 + }, + { + "id": "6", + "name": "changelog-generate", + "slug": "changelog-generate", + "stage": "publish", + "scope": "project", + "action": "builtin://actions/changelog-generate", + "run-after": [ + "gitleaks-scan", + "go-build-github-com-primelib-primecodegen", + "go-test-github-com-primelib-primecodegen", + "semgrep-scan", + "trivyfs-scan", + "zizmor-scan" + ], + "run-after-by-name": [ + "gitleaks-scan", + "go-build [github.com/primelib/primecodegen]", + "go-test [github.com/primelib/primecodegen]", + "semgrep-scan", + "trivyfs-scan", + "zizmor-scan" + ], + "access": { + "network": [ + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "changelog" + } + ] + }, + "order": 6 + }, + { + "id": "7", + "name": "github-release-publish", + "slug": "github-release-publish", + "stage": "publish", + "scope": "project", + "action": "builtin://actions/github-release-publish", + "run-after": [ + "changelog-generate", + "gitleaks-scan", + "go-build-github-com-primelib-primecodegen", + "go-test-github-com-primelib-primecodegen", + "semgrep-scan", + "trivyfs-scan", + "zizmor-scan" + ], + "run-after-by-name": [ + "changelog-generate", + "gitleaks-scan", + "go-build [github.com/primelib/primecodegen]", + "go-test [github.com/primelib/primecodegen]", + "semgrep-scan", + "trivyfs-scan", + "zizmor-scan" + ], + "uses-output-of": [ + "changelog-generate", + "go-build-github-com-primelib-primecodegen" + ], + "uses-output-of-by-name": [ + "changelog-generate", + "go-build [github.com/primelib/primecodegen]" + ], + "access": { + "env": [ + { + "name": "GITHUB_TOKEN", + "description": "The GitHub token to use for creating the release.", + "required": true + } + ], + "network": [ + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "releases" + ] + }, + "inputs": { + "artifacts": [ + { + "type": "changelog" + }, + { + "type": "binary" + } + ] + }, + "outputs": {}, + "order": 7 + } + ] + }, + "workflow_dependency": { + "pkg:github-action-runner-image/ubuntu": { + "id": "ubuntu", + "type": "github-action-runner-image", + "version": "24.04" + }, + "pkg:github-action/actions/checkout": { + "id": "actions/checkout", + "type": "github-action", + "version": "v6.0.2", + "hash": "de0fac2e4500dabe0009e67214ff5f5447ce83dd" + }, + "pkg:github-action/actions/download-artifact": { + "id": "actions/download-artifact", + "type": "github-action", + "version": "v8.0.1", + "hash": "3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c" + }, + "pkg:github-action/actions/upload-artifact": { + "id": "actions/upload-artifact", + "type": "github-action", + "version": "v7.0.1", + "hash": "043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" + }, + "pkg:github-action/step-security/harden-runner": { + "id": "step-security/harden-runner", + "type": "github-action", + "version": "v2.19.3", + "hash": "ab7a9404c0f3da075243ca237b5fac12c98deaa5" + }, + "pkg:github/cidverse/cid": { + "id": "cidverse/cid", + "type": "github", + "version": "0.11.1", + "hash": "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951", + "gpg-fingerprint": "76A4948E69C62589C7B0AB84E414434DF5371FB6" + } + }, + "ignore_files": [ + "README.md", + "LICENSE", + ".gitignore", + ".gitattributes", + ".editorconfig", + "renovate.json", + "CODEOWNERS", + "SECURITY.md" + ] + }, + "Main": { + "version": "0.11.1", + "name": "Main", + "name_slug": "main", + "job_timeout": 10, + "default_branch": "main", + "container_runtime": "podman", + "workflow_key": "main", + "workflow_config": { + "type": "main", + "trigger_manual": true, + "trigger_push": true, + "trigger_push_branches": [ + "main" + ] + }, + "plan": { + "name": "main", + "stages": [ + "build", + "test", + "lint", + "scan" + ], + "steps": [ + { + "id": "0", + "name": "go-build [github.com/primelib/primecodegen]", + "slug": "go-build-github-com-primelib-primecodegen", + "stage": "build", + "scope": "module", + "action": "builtin://actions/go-build", + "module": "gomod-go-mod", + "module-dir": ".", + "access": { + "executables": [ + { + "name": "go", + "constraint": "=\u003e 1.16.0" + } + ], + "network": [ + { + "host": "proxy.golang.org:443" + }, + { + "host": "storage.googleapis.com:443" + }, + { + "host": "sum.golang.org:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "binary" + } + ] + }, + "order": 0 + }, + { + "id": "1", + "name": "go-test [github.com/primelib/primecodegen]", + "slug": "go-test-github-com-primelib-primecodegen", + "stage": "test", + "scope": "module", + "action": "builtin://actions/go-test", + "module": "gomod-go-mod", + "module-dir": ".", + "access": { + "executables": [ + { + "name": "go", + "constraint": "=\u003e 1.16.0" + }, + { + "name": "go-junit-report", + "constraint": "\u003e= 0.0.0-0" + }, + { + "name": "gocover-cobertura", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "proxy.golang.org:443" + }, + { + "host": "storage.googleapis.com:443" + }, + { + "host": "sum.golang.org:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "go-coverage" + }, + { + "type": "report", + "format": "junit" + }, + { + "type": "report", + "format": "cobertura" + } + ] + }, + "order": 1 + }, + { + "id": "2", + "name": "golangci-lint [github.com/primelib/primecodegen]", + "slug": "golangci-lint-github-com-primelib-primecodegen", + "stage": "lint", + "scope": "module", + "action": "builtin://actions/golangci-lint", + "module": "gomod-go-mod", + "module-dir": ".", + "access": { + "executables": [ + { + "name": "golangci-lint", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "proxy.golang.org:443" + }, + { + "host": "storage.googleapis.com:443" + }, + { + "host": "sum.golang.org:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 2 + }, + { + "id": "3", + "name": "gitleaks-scan", + "slug": "gitleaks-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/gitleaks-scan", + "access": { + "executables": [ + { + "name": "gitleaks", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 3 + }, + { + "id": "4", + "name": "semgrep-scan", + "slug": "semgrep-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/semgrep-scan", + "access": { + "env": [ + { + "name": "SEMGREP_RULES", + "description": "See option --config." + }, + { + "name": "SEMGREP_APP_TOKEN", + "description": "Semgrep AppSec Platform Token", + "secret": true + } + ], + "executables": [ + { + "name": "semgrep", + "constraint": "\u003e= 0.0.0-0" + } + ], + "network": [ + { + "host": "semgrep.dev:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 4 + }, + { + "id": "5", + "name": "trivyfs-scan", + "slug": "trivyfs-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/trivyfs-scan", + "access": { + "executables": [ + { + "name": "trivy", + "constraint": "=\u003e 0.61.0" + } + ], + "network": [ + { + "host": "mirror.gcr.io:443" + }, + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 5 + }, + { + "id": "6", + "name": "zizmor-scan", + "slug": "zizmor-scan", + "stage": "scan", + "scope": "project", + "action": "builtin://actions/zizmor-scan", + "access": { + "env": [ + { + "name": "GH_HOSTNAME", + "description": "GH_HOSTNAME is required for some online audits" + }, + { + "name": "GH_TOKEN", + "description": "GH_TOKEN is required for some online audits. Takes precedence over GITHUB_TOKEN" + }, + { + "name": "GITHUB_TOKEN", + "description": "GITHUB_TOKEN is set automatically by GitHub Actions" + } + ], + "executables": [ + { + "name": "zizmor", + "constraint": "=\u003e 1.4.1" + } + ], + "network": [ + { + "host": "keyserver.ubuntu.com:443" + }, + { + "host": "github.com:443" + }, + { + "host": "api.github.com:443" + }, + { + "host": "codeload.github.com:443" + }, + { + "host": "uploads.github.com:443" + }, + { + "host": "objects.githubusercontent.com:443" + }, + { + "host": "raw.githubusercontent.com:443" + }, + { + "host": "release-assets.githubusercontent.com:443" + }, + { + "host": "ghcr.io:443" + }, + { + "host": "pkg-containers.githubusercontent.com:443" + } + ], + "resources": [ + "security-events" + ] + }, + "inputs": {}, + "outputs": { + "artifacts": [ + { + "type": "report", + "format": "sarif" + } + ] + }, + "order": 6 + } + ] + }, + "workflow_dependency": { + "pkg:github-action-runner-image/ubuntu": { + "id": "ubuntu", + "type": "github-action-runner-image", + "version": "24.04" + }, + "pkg:github-action/actions/checkout": { + "id": "actions/checkout", + "type": "github-action", + "version": "v6.0.2", + "hash": "de0fac2e4500dabe0009e67214ff5f5447ce83dd" + }, + "pkg:github-action/actions/download-artifact": { + "id": "actions/download-artifact", + "type": "github-action", + "version": "v8.0.1", + "hash": "3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c" + }, + "pkg:github-action/actions/upload-artifact": { + "id": "actions/upload-artifact", + "type": "github-action", + "version": "v7.0.1", + "hash": "043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" + }, + "pkg:github-action/step-security/harden-runner": { + "id": "step-security/harden-runner", + "type": "github-action", + "version": "v2.19.3", + "hash": "ab7a9404c0f3da075243ca237b5fac12c98deaa5" + }, + "pkg:github/cidverse/cid": { + "id": "cidverse/cid", + "type": "github", + "version": "0.11.1", + "hash": "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951", + "gpg-fingerprint": "76A4948E69C62589C7B0AB84E414434DF5371FB6" + } + }, + "ignore_files": [ + "README.md", + "LICENSE", + ".gitignore", + ".gitattributes", + ".editorconfig", + "renovate.json", + "CODEOWNERS", + "SECURITY.md" + ] + } + } +} \ No newline at end of file diff --git a/.github/workflows/cid-main.yml b/.github/workflows/cid-main.yml new file mode 100644 index 0000000..130da07 --- /dev/null +++ b/.github/workflows/cid-main.yml @@ -0,0 +1,420 @@ +# cid-workflow-version: 0.11.1 + +# This file is generated by the CID Workflow GitHub App. +# DO NOT EDIT! + +# name +name: 'CI - Main' + +# triggers +on: + workflow_dispatch: + inputs: + loglevel: + description: Log level + required: true + default: info + type: choice + options: + - trace + - debug + - info + - warn + - error + push: + branches: + - main + paths-ignore: + - 'README.md' + - 'LICENSE' + - '.gitignore' + - '.gitattributes' + - '.editorconfig' + - 'renovate.json' + - 'CODEOWNERS' + - 'SECURITY.md' + +# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps +permissions: + actions: read # required: detect GitHub Actions runtime environment + checks: none # not required + contents: read # required: read repository content + deployments: none # not required + id-token: none # not required + issues: none # not required + packages: none # not required + pages: none # not required + pull-requests: none # not required + repository-projects: none # not required + security-events: none # not required + statuses: none # not required + +# cancel in progress when a new run starts +concurrency: + group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" + cancel-in-progress: true + +env: + CID_WORKFLOW: 'main' + CID_LOGLEVEL: "${{ github.event.inputs.loglevel || 'info' }}" + # allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner. + EGRESS_POLICY: 'block' + +# jobs +jobs: + # go-build [github.com/primelib/primecodegen] + go-build-github-com-primelib-primecodegen: + name: 'go-build [github.com/primelib/primecodegen]' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - go-build [github.com/primelib/primecodegen] + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "main" --step "go-build-github-com-primelib-primecodegen" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "go-build-github-com-primelib-primecodegen-${{ github.run_id }}" + path: ".dist/go-build-github-com-primelib-primecodegen/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # go-test [github.com/primelib/primecodegen] + go-test-github-com-primelib-primecodegen: + name: 'go-test [github.com/primelib/primecodegen]' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - go-test [github.com/primelib/primecodegen] + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "main" --step "go-test-github-com-primelib-primecodegen" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "go-test-github-com-primelib-primecodegen-${{ github.run_id }}" + path: ".dist/go-test-github-com-primelib-primecodegen/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # golangci-lint [github.com/primelib/primecodegen] + golangci-lint-github-com-primelib-primecodegen: + name: 'golangci-lint [github.com/primelib/primecodegen]' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - golangci-lint [github.com/primelib/primecodegen] + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "main" --step "golangci-lint-github-com-primelib-primecodegen" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "golangci-lint-github-com-primelib-primecodegen-${{ github.run_id }}" + path: ".dist/golangci-lint-github-com-primelib-primecodegen/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # gitleaks-scan + gitleaks-scan: + name: 'gitleaks-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - gitleaks-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "main" --step "gitleaks-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "gitleaks-scan-${{ github.run_id }}" + path: ".dist/gitleaks-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # semgrep-scan + semgrep-scan: + name: 'semgrep-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + semgrep.dev:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - semgrep-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + SEMGREP_RULES: "${{ secrets.SEMGREP_RULES || vars.SEMGREP_RULES }}" + SEMGREP_APP_TOKEN: "${{ secrets.SEMGREP_APP_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "main" --step "semgrep-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "semgrep-scan-${{ github.run_id }}" + path: ".dist/semgrep-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # trivyfs-scan + trivyfs-scan: + name: 'trivyfs-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + mirror.gcr.io:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - trivyfs-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "main" --step "trivyfs-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "trivyfs-scan-${{ github.run_id }}" + path: ".dist/trivyfs-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # zizmor-scan + zizmor-scan: + name: 'zizmor-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - zizmor-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GH_HOSTNAME: "${{ secrets.GH_HOSTNAME || vars.GH_HOSTNAME }}" + GH_TOKEN: "${{ secrets.GH_TOKEN || vars.GH_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "main" --step "zizmor-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "zizmor-scan-${{ github.run_id }}" + path: ".dist/zizmor-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true diff --git a/.github/workflows/cid-nightly.yml b/.github/workflows/cid-nightly.yml new file mode 100644 index 0000000..c849ee0 --- /dev/null +++ b/.github/workflows/cid-nightly.yml @@ -0,0 +1,411 @@ +# cid-workflow-version: 0.11.1 + +# This file is generated by the CID Workflow GitHub App. +# DO NOT EDIT! + +# name +name: 'CI - Nightly' + +# triggers +on: + workflow_dispatch: + inputs: + loglevel: + description: Log level + required: true + default: info + type: choice + options: + - trace + - debug + - info + - warn + - error + # cron-based trigger + schedule: + - cron: '14 0 * * 6' + +# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps +permissions: + actions: read # required: detect GitHub Actions runtime environment + checks: none # not required + contents: read # required: read repository content + deployments: none # not required + id-token: none # not required + issues: none # not required + packages: none # not required + pages: none # not required + pull-requests: none # not required + repository-projects: none # not required + security-events: none # not required + statuses: none # not required + +# cancel in progress when a new run starts +concurrency: + group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" + cancel-in-progress: true + +env: + CID_WORKFLOW: 'main' + CID_LOGLEVEL: "${{ github.event.inputs.loglevel || 'info' }}" + # allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner. + EGRESS_POLICY: 'block' + +# jobs +jobs: + # go-build [github.com/primelib/primecodegen] + go-build-github-com-primelib-primecodegen: + name: 'go-build [github.com/primelib/primecodegen]' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - go-build [github.com/primelib/primecodegen] + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "nightly" --step "go-build-github-com-primelib-primecodegen" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "go-build-github-com-primelib-primecodegen-${{ github.run_id }}" + path: ".dist/go-build-github-com-primelib-primecodegen/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # go-test [github.com/primelib/primecodegen] + go-test-github-com-primelib-primecodegen: + name: 'go-test [github.com/primelib/primecodegen]' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - go-test [github.com/primelib/primecodegen] + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "nightly" --step "go-test-github-com-primelib-primecodegen" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "go-test-github-com-primelib-primecodegen-${{ github.run_id }}" + path: ".dist/go-test-github-com-primelib-primecodegen/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # golangci-lint [github.com/primelib/primecodegen] + golangci-lint-github-com-primelib-primecodegen: + name: 'golangci-lint [github.com/primelib/primecodegen]' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - golangci-lint [github.com/primelib/primecodegen] + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "nightly" --step "golangci-lint-github-com-primelib-primecodegen" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "golangci-lint-github-com-primelib-primecodegen-${{ github.run_id }}" + path: ".dist/golangci-lint-github-com-primelib-primecodegen/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # gitleaks-scan + gitleaks-scan: + name: 'gitleaks-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - gitleaks-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "nightly" --step "gitleaks-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "gitleaks-scan-${{ github.run_id }}" + path: ".dist/gitleaks-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # semgrep-scan + semgrep-scan: + name: 'semgrep-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + semgrep.dev:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - semgrep-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + SEMGREP_RULES: "${{ secrets.SEMGREP_RULES || vars.SEMGREP_RULES }}" + SEMGREP_APP_TOKEN: "${{ secrets.SEMGREP_APP_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "nightly" --step "semgrep-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "semgrep-scan-${{ github.run_id }}" + path: ".dist/semgrep-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # trivyfs-scan + trivyfs-scan: + name: 'trivyfs-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + mirror.gcr.io:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - trivyfs-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "nightly" --step "trivyfs-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "trivyfs-scan-${{ github.run_id }}" + path: ".dist/trivyfs-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # zizmor-scan + zizmor-scan: + name: 'zizmor-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - zizmor-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GH_HOSTNAME: "${{ secrets.GH_HOSTNAME || vars.GH_HOSTNAME }}" + GH_TOKEN: "${{ secrets.GH_TOKEN || vars.GH_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "nightly" --step "zizmor-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "zizmor-scan-${{ github.run_id }}" + path: ".dist/zizmor-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true diff --git a/.github/workflows/cid-ossf.yml b/.github/workflows/cid-ossf.yml deleted file mode 100644 index 3313acb..0000000 --- a/.github/workflows/cid-ossf.yml +++ /dev/null @@ -1,82 +0,0 @@ -# cid-workflow-version: 0.0.24 - -# This file is generated by the CID Workflow GitHub App. -# DO NOT EDIT! - -# name -name: CID - OSSF Scorecard -on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained - schedule: - - cron: '40 23 * * 5' - # Allow manual triggering of the workflow - workflow_dispatch: - -# Read Permissions. See -# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions -# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps -permissions: read-all - -# Cancel in progress jobs when a new run starts on the same ref -concurrency: - group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' - cancel-in-progress: true - -jobs: - analysis: - name: OSSF Scorecard Analysis - runs-on: ubuntu-latest - permissions: - id-token: write # needed to publish results - actions: read # required in private repos - contents: read # required in private repos - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-telemetry: true - disable-sudo: true - egress-policy: block - allowed-endpoints: >- - api.github.com:443 - cdn01.quay.io:443 - cdn02.quay.io:443 - cdn03.quay.io:443 - codeload.github.com:443 - github.com:443 - objects.githubusercontent.com:443 - proxy.golang.org:443 - quay.io:443 - raw.githubusercontent.com:443 - storage.googleapis.com:443 - sum.golang.org:443 - uploads.github.com:443 - api.securityscorecards.dev:443 - api.scorecard.dev:443 - api.deps.dev:443 - api.osv.dev:443 - www.bestpractices.dev:443 - oss-fuzz-build-logs.storage.googleapis.com:443 - rekor.sigstore.dev:443 - fulcio.sigstore.dev:443 - tuf-repo-cdn.sigstore.dev:443 - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - persist-credentials: false - - name: OSSF Analysis - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 - with: - results_file: results.sarif - results_format: sarif - publish_results: true # publish results to OpenSSF REST API - - name: Upload Analysis Result - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: SARIF file - path: results.sarif - retention-days: 5 diff --git a/.github/workflows/cid-pull-request.yml b/.github/workflows/cid-pull-request.yml new file mode 100644 index 0000000..ee67fd3 --- /dev/null +++ b/.github/workflows/cid-pull-request.yml @@ -0,0 +1,402 @@ +# cid-workflow-version: 0.11.1 + +# This file is generated by the CID Workflow GitHub App. +# DO NOT EDIT! + +# name +name: 'CI - Pull Request' + +# triggers +on: + pull_request: + branches: + - 'main' + paths-ignore: + - 'README.md' + - 'LICENSE' + - '.gitignore' + - '.gitattributes' + - '.editorconfig' + - 'renovate.json' + - 'CODEOWNERS' + - 'SECURITY.md' + +# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps +permissions: + actions: read # required: detect GitHub Actions runtime environment + checks: none # not required + contents: read # required: read repository content + deployments: none # not required + id-token: none # not required + issues: none # not required + packages: none # not required + pages: none # not required + pull-requests: none # not required + repository-projects: none # not required + security-events: none # not required + statuses: none # not required + +# cancel in progress when a new run starts +concurrency: + group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" + cancel-in-progress: true + +env: + CID_WORKFLOW: 'main' + CID_LOGLEVEL: "${{ github.event.inputs.loglevel || 'info' }}" + # allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner. + EGRESS_POLICY: 'block' + +# jobs +jobs: + # go-build [github.com/primelib/primecodegen] + go-build-github-com-primelib-primecodegen: + name: 'go-build [github.com/primelib/primecodegen]' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - go-build [github.com/primelib/primecodegen] + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "pull-request" --step "go-build-github-com-primelib-primecodegen" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "go-build-github-com-primelib-primecodegen-${{ github.run_id }}" + path: ".dist/go-build-github-com-primelib-primecodegen/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # go-test [github.com/primelib/primecodegen] + go-test-github-com-primelib-primecodegen: + name: 'go-test [github.com/primelib/primecodegen]' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - go-test [github.com/primelib/primecodegen] + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "pull-request" --step "go-test-github-com-primelib-primecodegen" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "go-test-github-com-primelib-primecodegen-${{ github.run_id }}" + path: ".dist/go-test-github-com-primelib-primecodegen/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # golangci-lint [github.com/primelib/primecodegen] + golangci-lint-github-com-primelib-primecodegen: + name: 'golangci-lint [github.com/primelib/primecodegen]' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - golangci-lint [github.com/primelib/primecodegen] + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "pull-request" --step "golangci-lint-github-com-primelib-primecodegen" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "golangci-lint-github-com-primelib-primecodegen-${{ github.run_id }}" + path: ".dist/golangci-lint-github-com-primelib-primecodegen/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # gitleaks-scan + gitleaks-scan: + name: 'gitleaks-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - gitleaks-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "pull-request" --step "gitleaks-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "gitleaks-scan-${{ github.run_id }}" + path: ".dist/gitleaks-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # semgrep-scan + semgrep-scan: + name: 'semgrep-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + semgrep.dev:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - semgrep-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + SEMGREP_RULES: "${{ secrets.SEMGREP_RULES || vars.SEMGREP_RULES }}" + SEMGREP_APP_TOKEN: "${{ secrets.SEMGREP_APP_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "pull-request" --step "semgrep-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "semgrep-scan-${{ github.run_id }}" + path: ".dist/semgrep-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # trivyfs-scan + trivyfs-scan: + name: 'trivyfs-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + mirror.gcr.io:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - trivyfs-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "pull-request" --step "trivyfs-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "trivyfs-scan-${{ github.run_id }}" + path: ".dist/trivyfs-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # zizmor-scan + zizmor-scan: + name: 'zizmor-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - zizmor-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GH_HOSTNAME: "${{ secrets.GH_HOSTNAME || vars.GH_HOSTNAME }}" + GH_TOKEN: "${{ secrets.GH_TOKEN || vars.GH_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "pull-request" --step "zizmor-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "zizmor-scan-${{ github.run_id }}" + path: ".dist/zizmor-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true diff --git a/.github/workflows/cid-pullrequest.yml b/.github/workflows/cid-pullrequest.yml deleted file mode 100644 index 4af3af6..0000000 --- a/.github/workflows/cid-pullrequest.yml +++ /dev/null @@ -1,235 +0,0 @@ -# cid-workflow-version: 0.0.24 - -# This file is generated by the CID Workflow GitHub App. -# DO NOT EDIT! - -# name -name: CID - PullRequest - -# triggers -on: - workflow_dispatch: - inputs: - loglevel: - description: Log level - required: true - default: info - type: choice - options: - - debug - - info - - warn - - error - pull_request: - branches: - - main - paths-ignore: - - README.md - - LICENSE - - .gitignore - - .editorconfig - - renovate.json - -# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps -permissions: - actions: read # detection of GitHub Actions environment - checks: none - contents: read - deployments: none - id-token: none - issues: none - packages: none - pages: none - pull-requests: none - repository-projects: none - security-events: none - statuses: none - -# cancel in progress when a new run starts -concurrency: - group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' - cancel-in-progress: true - -env: - CID_WORKFLOW: main - CID_VERSION: latest - CID_LOGLEVEL: ${{ github.event.inputs.loglevel || 'info' }} - # allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner. - EGRESS_POLICY: block - # allowed endpoints for egress traffic if egress-policy is set to 'block'. - EGRESS_POLICY_ALLOWED_ENDPOINTS: >- - api.github.com:443 - cdn01.quay.io:443 - cdn02.quay.io:443 - cdn03.quay.io:443 - codeload.github.com:443 - github.com:443 - objects.githubusercontent.com:443 - proxy.golang.org:443 - quay.io:443 - raw.githubusercontent.com:443 - storage.googleapis.com:443 - sum.golang.org:443 - uploads.github.com:443 - EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: "" - EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: "" - EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >- - api.sonarcloud.io:443 - scanner.sonarcloud.io:443 - semgrep.dev:443 - sonarcloud.io:443 - EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: "" - EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >- - -# jobs -jobs: - # info - info: - name: Info - runs-on: ubuntu-22.04 # https://github.com/actions/runner-images - timeout-minutes: 30 - if: ${{ github.event.inputs.loglevel == 'debug' }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-telemetry: true - disable-sudo: true - egress-policy: ${{ env.EGRESS_POLICY }} - allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} - - name: prepare environment - uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 - with: - version: ${{ env.CID_VERSION }} - - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: info - env: - CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} - run: | - echo "> project modules" - cid --log-level=${CID_LOGLEVEL:-info} module ls - echo "> catalog" - cid --log-level=${CID_LOGLEVEL:-info} catalog list - echo "> workflows" - cid --log-level=${CID_LOGLEVEL:-info} workflow ls - # build - build: - name: Build - runs-on: ubuntu-22.04 # https://github.com/actions/runner-images - permissions: - id-token: write # provenance signing - timeout-minutes: 30 - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-telemetry: true - disable-sudo: true - egress-policy: ${{ env.EGRESS_POLICY }} - allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }} - - name: prepare environment - uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 - with: - version: ${{ env.CID_VERSION }} - - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: build - env: - CID_WORKFLOW: ${{ env.CID_WORKFLOW }} - CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} - run: | - cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build - - name: upload artifacts - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: build-${{ github.run_id }} - path: .dist - retention-days: 1 - if-no-files-found: ignore - - # test - test: - name: Test - runs-on: ubuntu-22.04 # https://github.com/actions/runner-images - timeout-minutes: 30 - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-telemetry: true - disable-sudo: true - egress-policy: ${{ env.EGRESS_POLICY }} - allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }} - - name: prepare environment - uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 - with: - version: ${{ env.CID_VERSION }} - - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: test - env: - CID_WORKFLOW: ${{ env.CID_WORKFLOW }} - CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} - run: | - cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test - - name: upload artifacts - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: test-${{ github.run_id }} - path: .dist - retention-days: 1 - if-no-files-found: ignore - # scan - scan: - name: Scan - runs-on: ubuntu-22.04 # https://github.com/actions/runner-images - needs: [build, test] - permissions: - security-events: write - timeout-minutes: 30 - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-telemetry: true - disable-sudo: true - egress-policy: ${{ env.EGRESS_POLICY }} - allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }} - - name: prepare environment - uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 - with: - version: ${{ env.CID_VERSION }} - - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: download artifacts > build - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: build-${{ github.run_id }} - path: .dist - continue-on-error: true - - name: download artifacts > test - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: test-${{ github.run_id }} - path: .dist - continue-on-error: true - - name: scan - env: - CID_WORKFLOW: ${{ env.CID_WORKFLOW }} - CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }} - run: | - cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage scan diff --git a/.github/workflows/cid-release.yml b/.github/workflows/cid-release.yml new file mode 100644 index 0000000..64ec1ae --- /dev/null +++ b/.github/workflows/cid-release.yml @@ -0,0 +1,479 @@ +# cid-workflow-version: 0.11.1 + +# This file is generated by the CID Workflow GitHub App. +# DO NOT EDIT! + +# name +name: 'CI - Release' + +# triggers +on: + workflow_dispatch: + inputs: + loglevel: + description: Log level + required: true + default: info + type: choice + options: + - trace + - debug + - info + - warn + - error + push: + tags: + - v[0-9]+.[0-9]+.[0-9]+ + paths-ignore: + - 'README.md' + - 'LICENSE' + - '.gitignore' + - '.gitattributes' + - '.editorconfig' + - 'renovate.json' + - 'CODEOWNERS' + - 'SECURITY.md' + +# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps +permissions: + actions: read # required: detect GitHub Actions runtime environment + checks: none # not required + contents: read # required: read repository content + deployments: none # not required + id-token: none # not required + issues: none # not required + packages: none # not required + pages: none # not required + pull-requests: none # not required + repository-projects: none # not required + security-events: none # not required + statuses: none # not required + +# cancel in progress when a new run starts +concurrency: + group: "${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" + cancel-in-progress: true + +env: + CID_WORKFLOW: 'main' + CID_LOGLEVEL: "${{ github.event.inputs.loglevel || 'info' }}" + # allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner. + EGRESS_POLICY: 'block' + +# jobs +jobs: + # go-build [github.com/primelib/primecodegen] + go-build-github-com-primelib-primecodegen: + name: 'go-build [github.com/primelib/primecodegen]' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - go-build [github.com/primelib/primecodegen] + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "release" --step "go-build-github-com-primelib-primecodegen" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "go-build-github-com-primelib-primecodegen-${{ github.run_id }}" + path: ".dist/go-build-github-com-primelib-primecodegen/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # go-test [github.com/primelib/primecodegen] + go-test-github-com-primelib-primecodegen: + name: 'go-test [github.com/primelib/primecodegen]' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + proxy.golang.org:443 + storage.googleapis.com:443 + sum.golang.org:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - go-test [github.com/primelib/primecodegen] + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "release" --step "go-test-github-com-primelib-primecodegen" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "go-test-github-com-primelib-primecodegen-${{ github.run_id }}" + path: ".dist/go-test-github-com-primelib-primecodegen/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # gitleaks-scan + gitleaks-scan: + name: 'gitleaks-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - gitleaks-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "release" --step "gitleaks-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "gitleaks-scan-${{ github.run_id }}" + path: ".dist/gitleaks-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # semgrep-scan + semgrep-scan: + name: 'semgrep-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + semgrep.dev:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - semgrep-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + SEMGREP_RULES: "${{ secrets.SEMGREP_RULES || vars.SEMGREP_RULES }}" + SEMGREP_APP_TOKEN: "${{ secrets.SEMGREP_APP_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "release" --step "semgrep-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "semgrep-scan-${{ github.run_id }}" + path: ".dist/semgrep-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # trivyfs-scan + trivyfs-scan: + name: 'trivyfs-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + mirror.gcr.io:443 + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - trivyfs-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "release" --step "trivyfs-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "trivyfs-scan-${{ github.run_id }}" + path: ".dist/trivyfs-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # zizmor-scan + zizmor-scan: + name: 'zizmor-scan' + runs-on: ubuntu-24.04 + permissions: + id-token: write # provenance signing + security-events: write # required: upload security events + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - zizmor-scan + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + GH_HOSTNAME: "${{ secrets.GH_HOSTNAME || vars.GH_HOSTNAME }}" + GH_TOKEN: "${{ secrets.GH_TOKEN || vars.GH_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "release" --step "zizmor-scan" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "zizmor-scan-${{ github.run_id }}" + path: ".dist/zizmor-scan/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # changelog-generate + changelog-generate: + name: 'changelog-generate' + runs-on: ubuntu-24.04 + needs: [gitleaks-scan, go-build-github-com-primelib-primecodegen, go-test-github-com-primelib-primecodegen, semgrep-scan, trivyfs-scan, zizmor-scan] + permissions: + id-token: write # provenance signing + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Action - changelog-generate + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "release" --step "changelog-generate" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "changelog-generate-${{ github.run_id }}" + path: ".dist/changelog-generate/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true + # github-release-publish + github-release-publish: + name: 'github-release-publish' + runs-on: ubuntu-24.04 + needs: [changelog-generate, gitleaks-scan, go-build-github-com-primelib-primecodegen, go-test-github-com-primelib-primecodegen, semgrep-scan, trivyfs-scan, zizmor-scan] + permissions: + id-token: write # provenance signing + contents: write # required: create release + timeout-minutes: 10 + steps: + - name: Harden Runner + uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3 + with: + disable-telemetry: true + egress-policy: "${{ env.EGRESS_POLICY }}" + allowed-endpoints: >- + keyserver.ubuntu.com:443 + github.com:443 + api.github.com:443 + codeload.github.com:443 + uploads.github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + release-assets.githubusercontent.com:443 + ghcr.io:443 + pkg-containers.githubusercontent.com:443 + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + persist-credentials: false + - name: Prepare Tooling + shell: bash + run: bash .cid/scripts/install.sh "0.11.1" "f565bcbfff61d8e242a2cd541842a695a0cea7ff585260400898404b93332951" "76A4948E69C62589C7B0AB84E414434DF5371FB6" + - name: Download Inputs > changelog-generate + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: "changelog-generate-${{ github.run_id }}" + path: ".dist/changelog-generate" + continue-on-error: true + - name: Download Inputs > go-build-github-com-primelib-primecodegen + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 + with: + name: "go-build-github-com-primelib-primecodegen-${{ github.run_id }}" + path: ".dist/go-build-github-com-primelib-primecodegen" + continue-on-error: true + - name: Action - github-release-publish + env: + CID_WORKFLOW: "${{ env.CID_WORKFLOW }}" + CID_LOGLEVEL: "${{ env.CID_LOGLEVEL }}" + GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" + run: | + cid --log-level=${CID_LOGLEVEL:-info} plan execute --state-file ".cid/state-github.json" --state-wf-name "release" --step "github-release-publish" + - name: Upload Outputs + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: "github-release-publish-${{ github.run_id }}" + path: ".dist/github-release-publish/" + retention-days: 1 + if-no-files-found: ignore + compression-level: 6 + include-hidden-files: true diff --git a/.github/workflows/cid.yml b/.github/workflows/cid.yml deleted file mode 100644 index 95b9ace..0000000 --- a/.github/workflows/cid.yml +++ /dev/null @@ -1,327 +0,0 @@ -# cid-workflow-version: 0.0.24 - -# This file is generated by the CID Workflow GitHub App. -# DO NOT EDIT! - -# name -name: CID - DefaultBranch - -# triggers -on: - workflow_dispatch: - inputs: - loglevel: - description: Log level - required: true - default: info - type: choice - options: - - debug - - info - - warn - - error - push: - branches: - - main - tags: - - v*.*.* - paths-ignore: - - README.md - - LICENSE - - .gitignore - - .editorconfig - - renovate.json - -# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps -permissions: - actions: read # detection of GitHub Actions environment - checks: none - contents: read - deployments: none - id-token: none - issues: none - packages: none - pages: none - pull-requests: none - repository-projects: none - security-events: none - statuses: none - -# cancel in progress when a new run starts -concurrency: - group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' - cancel-in-progress: true - -env: - CID_WORKFLOW: main - CID_VERSION: latest - CID_LOGLEVEL: ${{ github.event.inputs.loglevel || 'info' }} - # allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner. - EGRESS_POLICY: block - # allowed endpoints for egress traffic if egress-policy is set to 'block'. - EGRESS_POLICY_ALLOWED_ENDPOINTS: >- - api.github.com:443 - cdn01.quay.io:443 - cdn02.quay.io:443 - cdn03.quay.io:443 - codeload.github.com:443 - github.com:443 - objects.githubusercontent.com:443 - proxy.golang.org:443 - quay.io:443 - raw.githubusercontent.com:443 - storage.googleapis.com:443 - sum.golang.org:443 - uploads.github.com:443 - EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: "" - EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: "" - EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >- - api.sonarcloud.io:443 - scanner.sonarcloud.io:443 - semgrep.dev:443 - sonarcloud.io:443 - EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: "" - EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >- - -# jobs -jobs: - # info - info: - name: Info - runs-on: ubuntu-22.04 # https://github.com/actions/runner-images - timeout-minutes: 30 - if: ${{ github.event.inputs.loglevel == 'debug' }} - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-telemetry: true - disable-sudo: true - egress-policy: ${{ env.EGRESS_POLICY }} - allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} - - name: prepare environment - uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 - with: - version: ${{ env.CID_VERSION }} - - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: info - env: - CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} - run: | - echo "> project modules" - cid --log-level=${CID_LOGLEVEL:-info} module ls - echo "> catalog" - cid --log-level=${CID_LOGLEVEL:-info} catalog list - echo "> workflows" - cid --log-level=${CID_LOGLEVEL:-info} workflow ls - # build - build: - name: Build - runs-on: ubuntu-22.04 # https://github.com/actions/runner-images - permissions: - id-token: write # provenance signing - timeout-minutes: 30 - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-telemetry: true - disable-sudo: true - egress-policy: ${{ env.EGRESS_POLICY }} - allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }} - - name: prepare environment - uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 - with: - version: ${{ env.CID_VERSION }} - - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: build - env: - CID_WORKFLOW: ${{ env.CID_WORKFLOW }} - CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} - run: | - cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build - - name: upload artifacts - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: build-${{ github.run_id }} - path: .dist - retention-days: 1 - if-no-files-found: ignore - - # test - test: - name: Test - runs-on: ubuntu-22.04 # https://github.com/actions/runner-images - timeout-minutes: 30 - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-telemetry: true - disable-sudo: true - egress-policy: ${{ env.EGRESS_POLICY }} - allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }} - - name: prepare environment - uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 - with: - version: ${{ env.CID_VERSION }} - - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: test - env: - CID_WORKFLOW: ${{ env.CID_WORKFLOW }} - CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} - run: | - cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test - - name: upload artifacts - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: test-${{ github.run_id }} - path: .dist - retention-days: 1 - if-no-files-found: ignore - # scan - scan: - name: Scan - runs-on: ubuntu-22.04 # https://github.com/actions/runner-images - needs: [build, test] - permissions: - security-events: write - timeout-minutes: 30 - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-telemetry: true - disable-sudo: true - egress-policy: ${{ env.EGRESS_POLICY }} - allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }} - - name: prepare environment - uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 - with: - version: ${{ env.CID_VERSION }} - - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: download artifacts > build - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: build-${{ github.run_id }} - path: .dist - continue-on-error: true - - name: download artifacts > test - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: test-${{ github.run_id }} - path: .dist - continue-on-error: true - - name: scan - env: - CID_WORKFLOW: ${{ env.CID_WORKFLOW }} - CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }} - SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }} - run: | - cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage scan - # package - package: - name: Package - runs-on: ubuntu-22.04 # https://github.com/actions/runner-images - needs: [build] - permissions: - id-token: write # provenance signing - timeout-minutes: 30 - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-telemetry: true - disable-sudo: true - egress-policy: ${{ env.EGRESS_POLICY }} - allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE }} - - name: prepare environment - uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 - with: - version: ${{ env.CID_VERSION }} - - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: download artifacts > build - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: build-${{ github.run_id }} - path: .dist - continue-on-error: true - - name: package - env: - CID_WORKFLOW: ${{ env.CID_WORKFLOW }} - CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} - run: | - cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage package - - name: upload artifacts - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: package-${{ github.run_id }} - path: .dist - retention-days: 1 - if-no-files-found: ignore - # publish - publish: - name: Publish - runs-on: ubuntu-22.04 # https://github.com/actions/runner-images - needs: [package, scan] - permissions: - # create release - contents: write - # publish packages - packages: write - if: startsWith(github.ref, 'refs/pull/') == false - timeout-minutes: 30 - steps: - - name: Harden Runner - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 - with: - disable-telemetry: true - disable-sudo: true - egress-policy: ${{ env.EGRESS_POLICY }} - allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH }} - - name: prepare environment - uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 - with: - version: ${{ env.CID_VERSION }} - - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: download artifacts > package - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - name: package-${{ github.run_id }} - path: .dist - continue-on-error: true - - name: publish - env: - CID_WORKFLOW: ${{ env.CID_WORKFLOW }} - CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - MAVEN_REPO_URL: ${{ secrets.MAVEN_REPO_URL }} - MAVEN_REPO_USERNAME: ${{ secrets.MAVEN_REPO_USERNAME }} - MAVEN_REPO_PASSWORD: ${{ secrets.MAVEN_REPO_PASSWORD }} - MAVEN_GPG_SIGN_PRIVATEKEY: ${{ secrets.MAVEN_GPG_SIGN_PRIVATEKEY }} - MAVEN_GPG_SIGN_PASSWORD: ${{ secrets.MAVEN_GPG_SIGN_PASSWORD }} - MAVEN_GPG_SIGN_KEYID: ${{ secrets.MAVEN_GPG_SIGN_KEYID }} - run: | - cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage publish