diff --git a/.github/workflows/ci-main-pull-request-stub-trufflehog-only.yml b/.github/workflows/ci-main-pull-request-stub-trufflehog-only.yml
deleted file mode 100644
index a5480784..00000000
--- a/.github/workflows/ci-main-pull-request-stub-trufflehog-only.yml
+++ /dev/null
@@ -1,45 +0,0 @@
-# This stub runs only the TruffleHog scan as part of CI checks on pull requests to main branch.
-
-name: CI Pull Request – TruffleHog Only
-
-on:
- pull_request:
- branches: [ main ]
- push:
- branches: [ main ]
-
- workflow_dispatch:
-
-permissions:
- contents: read
-
-jobs:
- call-ci-main-pr-check-pipeline:
- uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main
- secrets: inherit
- permissions:
- id-token: write
- contents: read
- with:
- visibility: ${{ github.event.repository.visibility }}
-
- # Enabled features
- perform-trufflehog-scan: true
- generate-sbom: true
- export-github-sbom: true
-
- # All other features
- perform-complexity-checks: false
- perform-language-linting: false
- perform-blackduck-polaris: false
- perform-blackduck-sca-scan: false
- build: false
- unit-tests: false
- perform-sonarqube-scan: false
- report-to-atlassian-dashboard: false
- package-binaries: false
- habitat-build: false
- publish-packages: false
- generate-blackduck-sbom: false
- generate-msft-sbom: false
- license_scout: false
\ No newline at end of file
diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml
new file mode 100644
index 00000000..abe0eaa6
--- /dev/null
+++ b/.github/workflows/ci-main-pull-request-stub.yml
@@ -0,0 +1,103 @@ +# stub to call common GitHub Action (GA) as part of Continuous Integration (CI) Pull Request process checks for Train Main Branch +# inputs are described in the chef/common-github-actions/ with same name as this stub +# +# secrets are inherited from the calling workflow, typically SONAR_TOKEN, SONAR_HOST_URL, GH_TOKEN, AKEYLESS_JWT_ID, POLARIS_SERVER_URL and POLARIS_ACCESS_TOKEN + +name: CI Pull Request on Train Main Branch + +on: + pull_request: + branches: [ main, release/** ] + push: + branches: [ main, release/** ] + + workflow_dispatch: + +permissions: + contents: read + +env: + STUB_VERSION: "3.13.4" + +jobs: + echo_version: + name: 'Echo stub version' + runs-on: ubuntu-latest + steps: + - name: echo version of stub and inputs + run: | + echo "CI main pull request stub version $STUB_VERSION" + + call-ci-train-main-pr-check-pipeline: + uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main + secrets: inherit + permissions: + id-token: write + contents: read + + with: + visibility: ${{ github.event.repository.visibility }} # private, public, or internal + # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/* + + # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest" + # version: '4.19.0' # ${{ github.event.repository.version }} + detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release" + detect-version-source-parameter: '' # use for file name + language: 'ruby' # options include "autodetect", "ruby", "go", "node", "python", "java", "dotnet", "c/c++", "other" + + # complexity-checks + perform-complexity-checks: true + # scc-output-filename: 'scc-output.txt' + perform-language-linting: false # Perform language-specific linting and pre-compilation checks + + # trufflehog secret scanning + perform-trufflehog-scan: true + + # ADDED TRIVY SCAN + perform-trivy-scan: 
true + + # BlackDuck SAST (Polaris) and SCA scans (requires a build or download to do SAST) + # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN + perform-blackduck-polaris: true + polaris-application-name: "Chef-Agents" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other + polaris-project-name: 'train' + # polaris-blackduck-executable: 'path/to/blackduck/binary' + # polaris-executable-detect-path: 'path/to/detect' + + # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language + build: true + # ga-build-profile: $chef-ga-build-profile + # language: $chef-ga-build-language # this will be removed from stub as autodetected in central GA + unit-tests: false + + # perform SonarQube scan, with or wihout unit test coverage data + # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com) + perform-sonarqube-scan: false + # perform-sonar-build: true + # build-profile: 'default' + # report-unit-test-coverage: true + + # report to central developer dashboard + report-to-atlassian-dashboard: false + # quality-product-name: 'Chef-client' # product name for quality reporting, like Chef360, Courier, Inspec + quality-product-name: ${{ github.event.repository.name }} # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec + # quality-sonar-app-name: 'YourSonarAppName' + # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security + # quality-service-name: 'YourServiceOrRepoName' + # quality-junit-report: 'path/to/junit/report'' + + # perform native and Habitat packaging, publish to package repositories + package-binaries: false # Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA) + habitat-build: false # Create Habitat packages + publish-packages: false # Publish packages (e.g., 
container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores) + + # generate and export Software Bill of Materials (SBOM) in various formats + generate-sbom: true + export-github-sbom: true # SPDX JSON artifact on job instance + perform-blackduck-sca-scan: true # Enabled for SBOM generation with Gemfile.lock + blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services' + blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name + generate-blackduck-sbom: true # Enabled for SCA SBOM + + generate-msft-sbom: false + license_scout: false # Run license scout for license compliance (uses .license_scout.yml) diff --git a/Gemfile.lock b/Gemfile.lock new file mode 100644 index 00000000..c4093427 --- /dev/null +++ b/Gemfile.lock 
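Review bot: The reusable workflow on the `uses:` line of `call-ci-train-main-pr-check-pipeline` is referenced by the mutable ref `@main` while the same job passes `secrets: inherit` and grants `id-token: write`, so any change landed on that branch of chef/common-github-actions runs in this repository's CI with every inherited secret and the OIDC token, and a run cannot be reproduced against the exact pipeline code that produced it. Pinning the call to a full-length commit SHA and keeping the version in a trailing comment removes that exposure, e.g. `uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@<FULL-COMMIT-SHA> # <tag or date>` (placeholder values; substitute the reviewed commit). The deleted trufflehog-only stub carried the same `@main` reference, so this is not a regression introduced by the commit, but the new file is the one that will remain. Separately, `perform-trivy-scan: true` under the `# ADDED TRIVY SCAN` comment is only accepted if the called workflow declares that input, since GitHub fails validation of a caller that passes an input the referenced workflow does not define; confirm the input exists at the pinned revision before merging.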
@@ -0,0 +1,318 @@ +PATH + remote: . + specs: + train (3.13.4) + activesupport (~> 7.2, >= 7.2.2.1) + azure_graph_rbac (~> 0.16) + azure_mgmt_key_vault (~> 0.17) + azure_mgmt_resources (~> 0.15) + azure_mgmt_security (~> 0.18) + azure_mgmt_storage (~> 0.18) + docker-api (>= 1.26, < 3.0) + google-apis-admin_directory_v1 (~> 0.46.0) + google-apis-cloudkms_v1 (~> 0.41.0) + google-apis-cloudresourcemanager_v1 (~> 0.35.0) + google-apis-compute_v1 (~> 0.83.0) + google-apis-iam_v1 (~> 0.50.0) + google-apis-monitoring_v3 (~> 0.51.0) + google-apis-storage_v1 (~> 0.30.0) + googleauth (>= 0.16.2, < 1.9.0) + inifile (~> 3.0) + ostruct (~> 0.1.0) + train-core (= 3.13.4) + train-winrm (~> 0.4.0) + train-core (3.13.4) + addressable (~> 2.5) + ffi (~> 1.16.0) + json (>= 1.8, < 3.0) + mixlib-shellout (>= 2.0, < 4.0) + net-scp (>= 1.2, < 5.0) + net-ssh (>= 2.9, < 8.0) + +PATH + remote: test/fixtures/plugins/train-test-fixture + specs: + train-test-fixture (0.1.0) + +GEM + remote: https://rubygems.org/ + specs: + activesupport (7.2.2.1) + base64 + benchmark (>= 0.3) + bigdecimal + concurrent-ruby (~> 1.0, >= 1.3.1) + connection_pool (>= 2.2.5) + drb + i18n (>= 1.6, < 2) + logger (>= 1.4.2) + minitest (>= 5.1) + securerandom (>= 0.3) + tzinfo (~> 2.0, >= 2.0.5) + addressable (2.8.7) + public_suffix (>= 2.0.2, < 7.0) + ast (2.4.3) + azure_graph_rbac (0.17.2) + ms_rest_azure (~> 0.12.0) + azure_mgmt_key_vault (0.17.7) + ms_rest_azure (~> 0.12.0) + azure_mgmt_resources (0.18.2) + ms_rest_azure (~> 0.12.0) + azure_mgmt_security (0.19.0) + ms_rest_azure (~> 0.12.0) + azure_mgmt_storage (0.23.0) + ms_rest_azure (~> 0.12.0) + base64 (0.3.0) + bcrypt_pbkdf (1.1.1) + bcrypt_pbkdf (1.1.1-arm64-darwin) + bcrypt_pbkdf (1.1.1-x86_64-darwin) + benchmark (0.4.1) + bigdecimal (3.2.2) + builder (3.3.0) + byebug (12.0.0) + chef-gyoku (1.5.0) + builder (>= 2.1.2) + rexml (~> 3.4) + chef-utils (18.7.10) + concurrent-ruby + chef-winrm (2.4.4) + builder (>= 2.1.2) + chef-gyoku (~> 1.5) + erubi (~> 1.8) + 
gssapi (~> 1.2) + httpclient (~> 2.2, >= 2.2.0.2) + logging (>= 1.6.1, < 3.0) + nori (= 2.7.0) + rexml (~> 3.3) + rubyntlm (~> 0.6.0, >= 0.6.3) + chef-winrm-elevated (1.2.5) + chef-winrm (>= 2.3.11) + chef-winrm-fs (>= 1.3.7) + erubi (~> 1.8) + chef-winrm-fs (1.4.1) + benchmark (~> 0.4.0) + chef-winrm (~> 2.4) + csv (~> 3.3) + erubi (>= 1.7) + logging (>= 1.6.1, < 3.0) + rubyzip (~> 2.0) + chefstyle (2.2.3) + rubocop (= 1.25.1) + coderay (1.1.3) + concurrent-ruby (1.3.5) + connection_pool (2.5.3) + csv (3.3.5) + declarative (0.0.20) + docile (1.4.1) + docker-api (2.4.0) + excon (>= 0.64.0) + multi_json + domain_name (0.6.20240107) + drb (2.2.3) + ed25519 (1.4.0) + erubi (1.13.1) + excon (1.2.7) + logger + faraday (1.10.4) + faraday-em_http (~> 1.0) + faraday-em_synchrony (~> 1.0) + faraday-excon (~> 1.1) + faraday-httpclient (~> 1.0) + faraday-multipart (~> 1.0) + faraday-net_http (~> 1.0) + faraday-net_http_persistent (~> 1.0) + faraday-patron (~> 1.0) + faraday-rack (~> 1.0) + faraday-retry (~> 1.0) + ruby2_keywords (>= 0.0.4) + faraday-cookie_jar (0.0.7) + faraday (>= 0.8.0) + http-cookie (~> 1.0.0) + faraday-em_http (1.0.0) + faraday-em_synchrony (1.0.1) + faraday-excon (1.1.0) + faraday-httpclient (1.0.1) + faraday-multipart (1.1.1) + multipart-post (~> 2.0) + faraday-net_http (1.0.2) + faraday-net_http_persistent (1.2.0) + faraday-patron (1.0.0) + faraday-rack (1.0.0) + faraday-retry (1.0.3) + ffi (1.16.3) + google-apis-admin_directory_v1 (0.46.0) + google-apis-core (>= 0.11.0, < 2.a) + google-apis-cloudkms_v1 (0.41.0) + google-apis-core (>= 0.11.0, < 2.a) + google-apis-cloudresourcemanager_v1 (0.35.0) + google-apis-core (>= 0.11.0, < 2.a) + google-apis-compute_v1 (0.83.0) + google-apis-core (>= 0.11.0, < 2.a) + google-apis-core (0.11.3) + addressable (~> 2.5, >= 2.5.1) + googleauth (>= 0.16.2, < 2.a) + httpclient (>= 2.8.1, < 3.a) + mini_mime (~> 1.0) + representable (~> 3.0) + retriable (>= 2.0, < 4.a) + rexml + google-apis-iam_v1 (0.50.0) + 
google-apis-core (>= 0.11.0, < 2.a) + google-apis-monitoring_v3 (0.51.0) + google-apis-core (>= 0.11.0, < 2.a) + google-apis-storage_v1 (0.30.0) + google-apis-core (>= 0.11.0, < 2.a) + googleauth (1.8.1) + faraday (>= 0.17.3, < 3.a) + jwt (>= 1.4, < 3.0) + multi_json (~> 1.11) + os (>= 0.9, < 2.0) + signet (>= 0.16, < 2.a) + gssapi (1.3.1) + ffi (>= 1.0.1) + http-cookie (1.0.8) + domain_name (~> 0.5) + httpclient (2.9.0) + mutex_m + i18n (1.14.7) + concurrent-ruby (~> 1.0) + inifile (3.0.0) + json (2.12.2) + jwt (2.10.2) + base64 + license_finder (7.2.1) + bundler + csv (~> 3.2) + rubyzip (>= 1, < 3) + thor (~> 1.2) + tomlrb (>= 1.3, < 2.1) + with_env (= 1.1.0) + xml-simple (~> 1.1.9) + little-plugger (1.1.4) + logger (1.7.0) + logging (2.4.0) + little-plugger (~> 1.1) + multi_json (~> 1.14) + m (1.6.2) + method_source (>= 0.6.7) + rake (>= 0.9.2.2) + method_source (1.1.0) + mini_mime (1.1.5) + minitest (5.25.5) + mixlib-shellout (3.3.9) + chef-utils + mocha (2.7.1) + ruby2_keywords (>= 0.0.5) + ms_rest (0.7.6) + concurrent-ruby (~> 1.0) + faraday (>= 0.9, < 2.0.0) + timeliness (~> 0.3.10) + ms_rest_azure (0.12.0) + concurrent-ruby (~> 1.0) + faraday (>= 0.9, < 2.0.0) + faraday-cookie_jar (~> 0.0.6) + ms_rest (~> 0.7.6) + multi_json (1.15.0) + multipart-post (2.4.1) + mutex_m (0.3.0) + net-scp (4.1.0) + net-ssh (>= 2.6.5, < 8.0.0) + net-ssh (7.3.0) + nori (2.7.0) + bigdecimal + os (1.1.4) + ostruct (0.1.0) + parallel (1.27.0) + parser (3.3.8.0) + ast (~> 2.4.1) + racc + prism (1.4.0) + pry (0.15.2) + coderay (~> 1.1) + method_source (~> 1.0) + public_suffix (6.0.2) + racc (1.8.1) + rainbow (3.1.1) + rake (13.3.0) + rb-readline (0.5.5) + regexp_parser (2.10.0) + representable (3.2.0) + declarative (< 0.1.0) + trailblazer-option (>= 0.1.1, < 0.2.0) + uber (< 0.2.0) + retriable (3.1.2) + rexml (3.4.1) + rubocop (1.25.1) + parallel (~> 1.10) + parser (>= 3.1.0.0) + rainbow (>= 2.2.2, < 4.0) + regexp_parser (>= 1.8, < 3.0) + rexml + rubocop-ast (>= 1.15.1, < 2.0) + 
ruby-progressbar (~> 1.7) + unicode-display_width (>= 1.4.0, < 3.0) + rubocop-ast (1.45.1) + parser (>= 3.3.7.2) + prism (~> 1.4) + ruby-progressbar (1.13.0) + ruby2_keywords (0.0.5) + rubyntlm (0.6.5) + base64 + rubyzip (2.4.1) + securerandom (0.4.1) + signet (0.20.0) + addressable (~> 2.8) + faraday (>= 0.17.5, < 3.a) + jwt (>= 1.5, < 3.0) + multi_json (~> 1.10) + simplecov (0.22.0) + docile (~> 1.1) + simplecov-html (~> 0.11) + simplecov_json_formatter (~> 0.1) + simplecov-html (0.13.1) + simplecov_json_formatter (0.1.4) + socksify (1.8.1) + thor (1.3.2) + timeliness (0.3.10) + tomlrb (2.0.3) + trailblazer-option (0.1.2) + train-winrm (0.4.0) + chef-winrm (~> 2.4.4) + chef-winrm-elevated (~> 1.2.5) + chef-winrm-fs (~> 1.4.1) + socksify (~> 1.8) + tzinfo (2.0.6) + concurrent-ruby (~> 1.0) + uber (0.1.0) + unicode-display_width (2.6.0) + with_env (1.1.0) + x25519 (1.0.10) + xml-simple (1.1.9) + rexml + +PLATFORMS + arm64-darwin + ruby + x86_64-darwin + +DEPENDENCIES + bcrypt_pbkdf + byebug + chefstyle (= 2.2.3) + concurrent-ruby (~> 1.0) + ed25519 + license_finder + m + minitest (~> 5.8) + mocha (~> 2.1) + pry (~> 0.10) + rake (~> 13.0) + rb-readline + simplecov (~> 0.21) + simplecov_json_formatter + train! + train-test-fixture! + x25519 + +BUNDLED WITH + 2.6.9