diff --git a/.github/workflows/check-links.yaml b/.github/workflows/check-links.yaml deleted file mode 100644 index be2dfc6..0000000 --- a/.github/workflows/check-links.yaml +++ /dev/null @@ -1,41 +0,0 @@ -name: check links - -on: - repository_dispatch: - workflow_dispatch: - schedule: - - cron: "00 18 * * *" - -permissions: read-all - -jobs: - check-links: - runs-on: ubuntu-22.04 - permissions: - issues: write - steps: - - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - - name: Link Checker - id: lychee - uses: lycheeverse/lychee-action@ec3ed119d4f44ad2673a7232460dc7dff59d2421 # v1.8.0 - with: - args: "--config=.lychee.toml ." - env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - - - name: Look for an existing issue - id: last-issue - uses: micalevisk/last-issue-action@305829d9728f47beb0029417167a0af890edfd6e # v2.1.0 - with: - state: open - labels: link-check - - - name: Create Issue From File - if: ${{ steps.lychee.outputs.exit_code != 0 }} - uses: peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f # tag=v4.0.1 - with: - title: Link Checker Report - content-filepath: ./lychee/out.md - issue-number: ${{ steps.last-issue.outputs.issue-number }} - labels: report, automated issue, link-check diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ef2a54e..bfd8480 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -8,65 +8,66 @@ on: pull_request: branches: [master] -# Declare default permissions as read only. permissions: read-all jobs: build: - name: Build - runs-on: ubuntu-20.04 + uses: miracum/.github/.github/workflows/standard-build.yaml@1dd4350bc909156d8af0f1997efcb0f3225dad85 # v1.1.0 permissions: - packages: write contents: read + id-token: write + packages: write + pull-requests: write + actions: read + security-events: write + with: + enable-build-test-layer: true + enable-upload-test-image: true + secrets: + github-token: ${{ secrets.GITHUB_TOKEN }} + + test: + runs-on: ubuntu-22.04 + needs: + - build + permissions: + # for add Coverage PR Comment pull-requests: write - outputs: - image-tags: ${{ steps.container_meta.outputs.tags }} - image-version: ${{ steps.container_meta.outputs.version }} - image-digest: ${{ steps.build.outputs.digest }} steps: - - name: Container meta - id: container_meta - uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4 + - name: "Checkout code" + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: - images: | - ghcr.io/${{ github.repository }} + persist-credentials: false - - name: Container meta for the unit test image - id: container_tests_meta - uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4 + - name: Download image + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + if: ${{ github.event_name == 'pull_request' }} with: - images: | - ghcr.io/${{ github.repository }}-tests - - - name: Set up QEMU - uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2 + name: container-image + path: /tmp - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2 + - name: Load image + if: ${{ github.event_name == 'pull_request' }} + run: | + ls -lsa /tmp + docker load --input /tmp/image.tar + docker image ls - - name: Login to GitHub Container Registry - uses: 
docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2 - if: ${{ github.event_name != 'pull_request' }} + - name: Download test image + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + name: test-image + path: /tmp - # ran first to avoid pushing failing images when running on master. - - name: Run unit tests - uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3 - with: - push: false - load: true - tags: ${{ steps.container_tests_meta.outputs.tags }} - labels: ${{ steps.container_tests_meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - target: test + - name: Load test image + run: | + ls -lsa /tmp + docker load --input /tmp/image-test.tar + docker image ls - - name: Copy unit test coverage reports from container + - name: Copy unit test coverage reports from test container env: - UNIT_TEST_IMAGE: ${{ fromJson(steps.container_tests_meta.outputs.json).tags[0] }} + UNIT_TEST_IMAGE: ${{ fromJson(needs.build.outputs.test-image-meta-json).tags[0] }} run: | docker create --name=unit-test-container "${UNIT_TEST_IMAGE}" docker cp unit-test-container:/build/src/FhirPseudonymizer.Tests/coverage ./coverage 
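Review bot: The new `build` job grants `id-token: write`, `packages: write`, `pull-requests: write` and `security-events: write` to the reusable `standard-build.yaml` without saying which scope the called workflow actually needs, whereas the removed inline job documented its one extra grant (`# for add Coverage PR Comment`) and its steps made the use of each scope visible (registry login, image push). Because `pull_request` is among the triggers at the top of this hunk, the widened scopes also apply to PR runs of same-repository branches. I would add a one-line comment per permission, e.g. `id-token: write # presumably for keyless signing/provenance in standard-build.yaml — confirm` and `security-events: write # SARIF upload by the called workflow — confirm`, and drop any scope the reusable workflow turns out not to use. Separately, the `Download image`/`Load image` steps load `/tmp/image.tar` in the `test` job, yet nothing in this hunk uses that image (the coverage step uses the test image); unless a step after the hunk needs it, those two steps are dead weight. The `test` job body continues past the end of the hunk.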
@@ -84,33 +85,6 @@ jobs: output: both thresholds: "50 50" - - name: Get platforms to build - id: platforms - run: | - if [ "$IS_PULL_REQUEST" == "true" ]; then - echo "{platforms}={linux/amd64}" >> "$GITHUB_OUTPUT" - else - # echo "{platforms}={linux/amd64,linux/arm64,linux/arm/v7}" >> "$GITHUB_OUTPUT" - # disabled multi-arch builds for now due to - # Error: buildx failed with: ERROR: failed to solve: mcr.microsoft.com/dotnet/nightly/aspnet:6.0.9-jammy-chiseled@sha256:e5288b0e7f80b278d8baa15e9f444ccb4cc0cd4caa6e9cc87782cbd2a3805a49: - # no match for platform in manifest sha256:e5288b0e7f80b278d8baa15e9f444ccb4cc0cd4caa6e9cc87782cbd2a3805a49: not found - echo "{platforms}={linux/amd64}" >> "$GITHUB_OUTPUT" - fi - env: - IS_PULL_REQUEST: ${{ github.event_name == 'pull_request' }} - - - name: Build and push image - id: build - uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3 - with: - load: ${{ github.event_name == 'pull_request' }} - push: ${{ github.event_name != 'pull_request' }} - tags: ${{ steps.container_meta.outputs.tags }} - labels: ${{ steps.container_meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - platforms: ${{ steps.platforms.outputs.platforms }} - - name: Add Coverage PR Comment uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0 if: ${{ github.event_name == 'pull_request' }} 
@@ -118,22 +92,7 @@ jobs: recreate: true path: code-coverage-results.md - - name: Save container image as tar archives - if: ${{ github.event_name == 'pull_request' }} - env: - IMAGE: ${{ fromJson(steps.container_meta.outputs.json).tags[0] }} - run: | - docker save "$IMAGE" -o /tmp/image.tar - - - name: Upload container image - if: ${{ github.event_name == 'pull_request' }} - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: container-image - path: | - /tmp/image.tar - - run-iter8-tests: + iter8-test: name: run iter8 tests runs-on: ubuntu-22.04 if: ${{ github.event_name == 'pull_request' }} @@ -160,7 +119,7 @@ jobs: with: cluster_name: kind - - name: Download container images + - name: Download image uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: container-image 
@@ -248,78 +207,29 @@ jobs: path: | kind-cluster-dump.txt - release: - needs: build - name: Release - runs-on: ubuntu-22.04 + lint: + uses: miracum/.github/.github/workflows/standard-lint.yaml@1dd4350bc909156d8af0f1997efcb0f3225dad85 # v1.1.0 permissions: - contents: write + contents: read pull-requests: write - if: ${{ github.event_name != 'pull_request' }} - steps: - - name: Checkout - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - with: - # via - persist-credentials: false - - # Only required temporary: https://github.com/cycjimmy/semantic-release-action/issues/159 - - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 - with: - node-version: 14 - - - name: Semantic Release - uses: cycjimmy/semantic-release-action@8e58d20d0f6c8773181f43eb74d6a05e3099571d # v3.4.2 - with: - extra_plugins: | - conventional-changelog-conventionalcommits@5.0.0 - semantic-release-replace-plugin@1.2.0 - @semantic-release/git@10.0.1 - env: - GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_TOKEN }} - - container-provenance: - if: ${{ startsWith(github.ref, 'refs/tags/') }} - needs: - - build - permissions: - actions: read # for detecting the Github Actions environment. - id-token: write - packages: write # for uploading attestations. 
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0 + issues: write + security-events: write + actions: read with: - image: ghcr.io/${{ github.repository }} - digest: ${{ needs.build.outputs.image-digest }} - registry-username: ${{ github.actor }} + enable-validate-gradle-wrapper: false + codeql-languages: '["csharp"]' + enable-codeql: true secrets: - registry-password: ${{ secrets.GITHUB_TOKEN }} + github-token: ${{ secrets.GITHUB_TOKEN }} - sign-images: - name: sign images - runs-on: ubuntu-22.04 - if: ${{ github.event_name != 'pull_request' }} + release: + uses: miracum/.github/.github/workflows/standard-release.yaml@1dd4350bc909156d8af0f1997efcb0f3225dad85 # v1.1.0 needs: - build + - test permissions: - contents: read - id-token: write - packages: write - steps: - - name: Login to GitHub Container Registry - uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2 - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Install Cosign - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 - - # via - - name: Sign image - env: - # - TAGS: ${{ needs.build.outputs.image-tags }} - DIGEST: ${{ needs.build.outputs.image-digest }} - run: | - echo "${TAGS}" | xargs -I {} cosign sign --yes {}@"${DIGEST}" + contents: write + pull-requests: write + issues: write + secrets: + semantic-release-token: ${{ secrets.MIRACUM_BOT_SEMANTIC_RELEASE_TOKEN }} diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml deleted file mode 100644 index 920761c..0000000 --- a/.github/workflows/codeql.yaml +++ /dev/null 
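Review bot: The new `release` job runs on every event this workflow triggers on, including `pull_request`: the removed inline job was gated with `if: ${{ github.event_name != 'pull_request' }}`, but the replacement that calls `standard-release.yaml` with `contents: write` and `MIRACUM_BOT_SEMANTIC_RELEASE_TOKEN` carries no such condition. Unless the reusable workflow checks the event name internally, a same-repository PR run would hand the bot PAT to a release step; I would restore the guard on the job next to `needs:`, `if: ${{ github.event_name != 'pull_request' }}`. Separately, the `container-provenance` (slsa-github-generator) and `sign-images` (cosign) jobs are deleted here and nothing visible in this file replaces them; if `standard-build.yaml` now produces the attestation and signature, a comment on the `build` job saying so would keep that guarantee visible to a reader of this file, and if it does not, the supply-chain posture regressed with this commit.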
@@ -1,81 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL" - -on: - push: - branches: ["master"] - pull_request: - # The branches below must be a subset of the branches above - branches: ["master"] - schedule: - - cron: "24 8 * * 4" - -# Declare default permissions as read only. -permissions: read-all - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["csharp"] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - - name: Install .NET - uses: actions/setup-dotnet@3447fd6a9f9e57506b15f895c5b76d3b197dc7c2 # v3 - with: - dotnet-version: "7.0.x" - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. 
- - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2 - with: - category: "/language:${{matrix.language}}" diff --git a/.github/workflows/daily-trivy-scan.yaml b/.github/workflows/daily-trivy-scan.yaml deleted file mode 100644 index b05ab89..0000000 --- a/.github/workflows/daily-trivy-scan.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -name: scan -on: - schedule: - - cron: "0 2 * * *" - -# Declare default permissions as read only. -permissions: read-all - -jobs: - scan: - name: Scan - runs-on: ubuntu-22.04 - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status - steps: - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # 0.12.0 - with: - image-ref: "ghcr.io/miracum/fhir-pseudonymizer:latest" - format: "template" - template: "@/contrib/sarif.tpl" - output: "trivy-results.sarif" - severity: "CRITICAL,HIGH" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2 - with: - sarif_file: "trivy-results.sarif" diff --git a/.github/workflows/dependency-review.yaml b/.github/workflows/dependency-review.yaml deleted file mode 100644 index 957368a..0000000 --- a/.github/workflows/dependency-review.yaml +++ /dev/null @@ -1,15 +0,0 @@ -name: "Dependency Review" - -on: - pull_request: {} - -permissions: read-all - -jobs: - dependency-review: - runs-on: ubuntu-22.04 - steps: - - name: "Checkout Repository" - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - name: "Dependency Review" - uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2 diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml deleted file mode 100644 index 4fa52c2..0000000 --- a/.github/workflows/mega-linter.yml +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -# MegaLinter GitHub Action configuration file -# More info at https://oxsecurity.github.io/megalinter -name: MegaLinter - -on: - # Trigger mega-linter at every push. Action will also be visible from Pull Requests to master - pull_request: - branches: [master] - -permissions: read-all - -env: # Comment env block if you do not want to apply fixes - # Apply linter fixes configuration - APPLY_FIXES: none # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool) - APPLY_FIXES_EVENT: pull_request # Decide which event triggers application of fixes in a commit or a PR (pull_request, push, all) - APPLY_FIXES_MODE: commit # If APPLY_FIXES is used, defines if the fixes are directly committed (commit) or posted in a PR (pull_request) - -concurrency: - group: ${{ github.ref }}-${{ github.workflow }} - cancel-in-progress: true - -jobs: - build: - name: MegaLinter - runs-on: ubuntu-22.04 - permissions: - contents: read - pull-requests: write - steps: - # Git Checkout - - name: Checkout Code - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - with: - token: ${{ secrets.GITHUB_TOKEN }} - fetch-depth: 0 # If you use VALIDATE_ALL_CODEBASE = true, you can remove this line to improve performances - - # MegaLinter - - name: MegaLinter - id: ml - # You can override MegaLinter flavor used to have faster performances - # More info at https://oxsecurity.github.io/megalinter/flavors/ - uses: oxsecurity/megalinter@a87b2872713c6bdde46d2473c5d7ed23e5752dc2 # v7.4.0 - env: - # All available variables are described in documentation - # https://oxsecurity.github.io/megalinter/configuration/ - VALIDATE_ALL_CODEBASE: "true" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # ADD YOUR CUSTOM ENV VARIABLES HERE TO OVERRIDE VALUES OF .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY - - # Upload MegaLinter artifacts - - name: Archive production artifacts - if: ${{ always() }} - uses: 
actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: MegaLinter reports - path: | - megalinter-reports - mega-linter.log diff --git a/.github/workflows/schedule.yaml b/.github/workflows/schedule.yaml new file mode 100644 index 0000000..f057d96 --- /dev/null +++ b/.github/workflows/schedule.yaml @@ -0,0 +1,19 @@ +name: scheduled + +on: + repository_dispatch: {} + workflow_dispatch: {} + schedule: + - cron: "00 18 * * *" + +permissions: read-all + +jobs: + schedule: + uses: miracum/.github/.github/workflows/standard-schedule.yaml@1dd4350bc909156d8af0f1997efcb0f3225dad85 # v1.1.0 + permissions: + contents: read + issues: write + security-events: write + secrets: + github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/scorecards.yaml b/.github/workflows/scorecards.yaml index c88ff18..5e56d9f 100644 --- a/.github/workflows/scorecards.yaml +++ b/.github/workflows/scorecards.yaml @@ -4,6 +4,7 @@ name: Scorecards supply-chain security on: + workflow_dispatch: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: @@ -37,7 +38,7 @@ jobs: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 + uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0 with: results_file: results.sarif results_format: sarif diff --git a/.lgtm.yml b/.lgtm.yml deleted file mode 100644 index 903b31b..0000000 --- a/.lgtm.yml +++ /dev/null @@ -1,5 +0,0 @@ -extraction: - csharp: - index: - dotnet: - version: 6.0.100 diff --git a/Dockerfile b/Dockerfile index f60dd70..d9c4f81 100644 --- a/Dockerfile +++ b/Dockerfile 
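Review bot: The new `schedule` job in `schedule.yaml` grants `issues: write` and `security-events: write` to `standard-schedule.yaml` with no note on what each is for, while the scheduled workflows deleted in this commit (`check-links.yaml`, `daily-trivy-scan.yaml`) annotated every grant. A reader of this file cannot tell whether the reusable workflow still files link-check issues or uploads a Trivy SARIF report for the published image, so I would record that as comments, e.g. `issues: write # link-check report issue opened by standard-schedule.yaml — confirm` and `security-events: write # SARIF upload from the scheduled image scan — confirm`. Also `repository_dispatch: {}` accepts every dispatch event type; if only one dispatch is meant to start this job, constrain it with a `types:` list.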
@@ -24,7 +24,7 @@ RUN dotnet publish \ -o /build/publish \ src/FhirPseudonymizer/FhirPseudonymizer.csproj -FROM build AS test +FROM build AS build-test WORKDIR /build/src/FhirPseudonymizer.Tests RUN dotnet test \ --configuration=Release \ @@ -33,6 +33,11 @@ RUN dotnet test \ -l "console;verbosity=detailed" \ --settings=runsettings.xml +FROM scratch AS test +WORKDIR /build/src/FhirPseudonymizer.Tests/coverage +COPY --from=build-test /build/src/FhirPseudonymizer.Tests/coverage . +ENTRYPOINT [ "true" ] + FROM build AS build-stress-test WORKDIR /build/src/FhirPseudonymizer.StressTests RUN <