From 836414670b171807b19e45eae8b1cf124bc586a3 Mon Sep 17 00:00:00 2001 From: 6igby <128886054+6igby@users.noreply.github.com> Date: Thu, 21 Aug 2025 14:04:30 +1000 Subject: [PATCH 01/42] Delete .github/workflows directory dev branch --- .github/workflows/api.yml | 152 -------------------------- .github/workflows/backend.yml | 152 -------------------------- .github/workflows/codeql.yml | 96 ---------------- .github/workflows/engine.yml | 170 ----------------------------- .github/workflows/frontend.yml | 152 -------------------------- .github/workflows/super-linter.yml | 28 ----- 6 files changed, 750 deletions(-) delete mode 100644 .github/workflows/api.yml delete mode 100644 .github/workflows/backend.yml delete mode 100644 .github/workflows/codeql.yml delete mode 100644 .github/workflows/engine.yml delete mode 100644 .github/workflows/frontend.yml delete mode 100644 .github/workflows/super-linter.yml diff --git a/.github/workflows/api.yml b/.github/workflows/api.yml deleted file mode 100644 index 17de3cfd..00000000 --- a/.github/workflows/api.yml +++ /dev/null @@ -1,152 +0,0 @@ -name: "API CI/CD" - -on: - push: - pull_request: - branches: ['main'] - schedule: - - cron: '32 23 * * 6' - -jobs: - changes: - name: Allocating Push Filter - runs-on: ubuntu-latest - if: github.event_name == 'push' - # Only run this job for push events - permissions: - # Required if adapting for pull requests later - pull-requests: read - outputs: - api: ${{ steps.filter.outputs.api }} - steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 - id: filter - with: - filters: | - api: - - 'api/**' - base: ${{ github.ref }} - # Detect changes against the most recent commit on the same branch - - analyze: - name: Security Analysis on (${{ matrix.language }}) - needs: changes - # Depend on changes job - if: github.event_name != 'push' || needs.changes.outputs.api == 'true' - # Run always for non-push events, or if engine changed on push - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories - actions: read - contents: read - - strategy: - fail-fast: false - matrix: - language: [ 'python', 'javascript-typescript' ] - # 'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ā„¹ļø Command-line programs to run using the OS shell. - # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" - - run-lint: - name: Linting Code - runs-on: ubuntu-latest - needs: [changes, analyze] - # Depend on changes job - if: github.event_name != 'push' || needs.changes.outputs.api == 'true' - # Run always for non-push events, or if engine changed on push - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - - name: Lint Code Base - uses: github/super-linter@v4 - env: - VALIDATE_ALL_CODEBASE: false - DEFAULT_BRANCH: "main" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VALIDATE_YAML: false - VALIDATE_GITHUB_ACTIONS: false - # Disable Black linter for Python - VALIDATE_PYTHON_BLACK: false - VALIDATE_PYTHON_FLAKE8: false - -# build-api: -# name: Build API w/ Docker -# runs-on: ubuntu-latest -# needs: [changes, analyze, run-lint] - -# steps: -# - name: Checkout API w/ Docker -# uses: actions/checkout@v3 -# with: -# ref: main -# -# - name: Confirm Branch -# run: git branch -# -# - name: Build API Container -# run: | -# docker build -t autoaudit/api -f api/docker/api.Dockerfile . -# -# - name: Run API Container -# run: | -# docker run --rm autoaudit/api \ No newline at end of file diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml deleted file mode 100644 index 6a794205..00000000 --- a/.github/workflows/backend.yml +++ /dev/null @@ -1,152 +0,0 @@ -name: "Backend CI/CD" - -on: - push: - pull_request: - branches: ['main'] - schedule: - - cron: '32 23 * * 6' - -jobs: - changes: - name: Allocating Push Filter - runs-on: ubuntu-latest - if: github.event_name == 'push' - # Only run this job for push events - permissions: - # Required if adapting for pull requests later - pull-requests: read - outputs: - backend: ${{ steps.filter.outputs.backend }} - steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 - id: filter - with: - filters: | - backend: - - 'backend/**' - base: ${{ github.ref }} - # Detect changes against the most recent commit on the same branch - - analyze: - name: Security Analysis on (${{ matrix.language }}) - needs: changes - # Depend on changes job - if: github.event_name != 'push' || needs.changes.outputs.backend == 'true' - # Run always for non-push events, or if engine changed on push - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories - actions: read - contents: read - - strategy: - fail-fast: false - matrix: - language: [ 'javascript-typescript' ] - # 'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ā„¹ļø Command-line programs to run using the OS shell. - # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" - - run-lint: - name: Linting Code - runs-on: ubuntu-latest - needs: [changes, analyze] - # Depend on changes job - if: github.event_name != 'push' || needs.changes.outputs.backend == 'true' - # Run always for non-push events, or if engine changed on push - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - - name: Lint Code Base - uses: github/super-linter@v4 - env: - VALIDATE_ALL_CODEBASE: false - DEFAULT_BRANCH: "main" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VALIDATE_YAML: false - VALIDATE_GITHUB_ACTIONS: false - # Disable Black linter for Python - VALIDATE_PYTHON_BLACK: false - VALIDATE_PYTHON_FLAKE8: false - -# build-backend: -# name: Build Backend w/ Docker -# runs-on: ubuntu-latest -# needs: [changes, analyze, run-lint] - -# steps: -# - name: Checkout Backend w/ Docker -# uses: actions/checkout@v3 -# with: -# ref: main -# -# - name: Confirm Branch -# run: git branch -# -# - name: Build Backend Container -# run: | -# docker build -t autoaudit/backend -f engine/docker/backend.Dockerfile . -# -# - name: Run Backend Container -# run: | -# docker run --rm autoaudit/backend \ No newline at end of file diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 96680644..00000000 --- a/.github/workflows/codeql.yml +++ /dev/null @@ -1,96 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# ******** NOTE ******** -# We have attempted to detect the languages in your repository. Please check -# the `language` matrix defined below to confirm you have the correct set of -# supported CodeQL languages. -# -name: "CodeQL Advanced" - -on: - push: - pull_request: - branches: [ '**' ] - schedule: - - cron: '32 23 * * 6' - -jobs: - analyze: - name: Analyze (${{ matrix.language }}) - # Runner size impacts CodeQL analysis time. To learn more, please see: - # - https://gh.io/recommended-hardware-resources-for-running-codeql - # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners (GitHub.com only) - # Consider using larger runners or machines with greater resources for possible analysis time improvements. - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories - actions: read - contents: read - - strategy: - fail-fast: false - matrix: - language: ['python', 'javascript-typescript'] - - #'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ā„¹ļø Command-line programs to run using the OS shell. - # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml deleted file mode 100644 index 4d6d4019..00000000 --- a/.github/workflows/engine.yml +++ /dev/null @@ -1,170 +0,0 @@ -name: "Engine CI/CD" - -on: - push: - pull_request: - branches: ['main', 'staging', 'dev'] - schedule: - - cron: '32 23 * * 6' - -jobs: - changes: - name: Allocating Push Filter - runs-on: ubuntu-latest - if: github.event_name == 'push' - # Only run this job for push events - permissions: - # Required if adapting for pull requests later - pull-requests: read - outputs: - engine: ${{ steps.filter.outputs.engine }} - steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 - id: filter - with: - filters: | - engine: - - 'engine/**' - base: ${{ github.ref }} - # Detect changes against the most recent commit on the same branch - - analyze: - name: Security Analysis on (${{ matrix.language }}) - needs: changes - # Depend on changes job - if: github.event_name != 'push' || needs.changes.outputs.engine == 'true' - # Run always for non-push events, or if engine changed on push - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories - actions: read - contents: read - - strategy: - fail-fast: false - matrix: - language: [ 'python' ] - # 'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ā„¹ļø Command-line programs to run using the OS shell. - # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" - - run-lint: - name: Linting Code - runs-on: ubuntu-latest - needs: [changes, analyze] - # Depend on changes job - if: github.event_name != 'push' || needs.changes.outputs.engine == 'true' - # Run always for non-push events, or if engine changed on push - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - - name: Lint Code Base - uses: github/super-linter@v4 - env: - VALIDATE_ALL_CODEBASE: false - DEFAULT_BRANCH: "main" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VALIDATE_YAML: false - VALIDATE_GITHUB_ACTIONS: false - # Disable Black linter for Python - VALIDATE_PYTHON_BLACK: false - VALIDATE_PYTHON_FLAKE8: false - - build-and-deploy: - name: Build and Deploy Engine - runs-on: ubuntu-latest - needs: [changes, analyze, run-lint] - environment: ${{ github.ref_name == 'main' && 'prod' || github.ref_name }} - steps: - - name: Checkout code - uses: actions/checkout@v4 # Upgrade to v4 for latest features - with: - ref: ${{ github.ref }} # Checkout the triggering branch, not always 'main' - - - name: Confirm branch - run: git branch - - - name: Set environment variables - id: set-env - run: | - echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Build and tag container - run: | - docker build -t ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} \ - --build-arg ENV=${{ steps.set-env.outputs.ENV_NAME }} \ - -f engine/docker/engine.Dockerfile . - - - name: Push container to registry - run: | - docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} - -# - name: Deploy to environment (azure?) - -# run: | - diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml deleted file mode 100644 index 079d173b..00000000 --- a/.github/workflows/frontend.yml +++ /dev/null @@ -1,152 +0,0 @@ -name: "Frontend CI/CD" - -on: - push: - pull_request: - branches: ['main'] - schedule: - - cron: '32 23 * * 6' - -jobs: - changes: - name: Allocating Push Filter - runs-on: ubuntu-latest - if: github.event_name == 'push' - # Only run this job for push events - permissions: - # Required if adapting for pull requests later - pull-requests: read - outputs: - backend: ${{ steps.filter.outputs.backend }} - steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 - id: filter - with: - filters: | - backend: - - 'backend/**' - base: ${{ github.ref }} - # Detect changes against the most recent commit on the same branch - - analyze: - name: Security Analysis on (${{ matrix.language }}) - needs: changes - # Depend on changes job - if: github.event_name != 'push' || needs.changes.outputs.backend == 'true' - # Run always for non-push events, or if engine changed on push - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories - actions: read - contents: read - - strategy: - fail-fast: false - matrix: - language: [ 'typescript-javascript' ] - # 'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ā„¹ļø Command-line programs to run using the OS shell. - # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" - - run-lint: - name: Linting Code - runs-on: ubuntu-latest - needs: [changes, analyze] - # Depend on changes job - if: github.event_name != 'push' || needs.changes.outputs.backend == 'true' - # Run always for non-push events, or if engine changed on push - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - - name: Lint Code Base - uses: github/super-linter@v4 - env: - VALIDATE_ALL_CODEBASE: false - DEFAULT_BRANCH: "main" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VALIDATE_YAML: false - VALIDATE_GITHUB_ACTIONS: false - # Disable Black linter for Python - VALIDATE_PYTHON_BLACK: false - VALIDATE_PYTHON_FLAKE8: false - -# build-backend: -# name: Build Backend w/ Docker -# runs-on: ubuntu-latest -# needs: [changes, analyze, run-lint] - -# steps: -# - name: Checkout Backend w/ Docker -# uses: actions/checkout@v3 -# with: -# ref: main -# -# - name: Confirm Branch -# run: git branch -# -# - name: Build Backend Container -# run: | -# docker build -t autoaudit/backend -f engine/docker/backend.Dockerfile . -# -# - name: Run Backend Container -# run: | -# docker run --rm autoaudit/backend \ No newline at end of file diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml deleted file mode 100644 index 1a1e275f..00000000 --- a/.github/workflows/super-linter.yml +++ /dev/null @@ -1,28 +0,0 @@ -# This workflow executes several linters on changed files based on languages used in your code base whenever -# you push a code or open a pull request. -# -# You can adjust the behavior by modifying this file. -# For more information, see: -# https://github.com/github/super-linter -name: Lint Code Base - -on: - push: - pull_request: - branches: [ '**' ] -jobs: - run-lint: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - - name: Lint Code Base - uses: github/super-linter@v4 - env: - VALIDATE_ALL_CODEBASE: false - DEFAULT_BRANCH: "main" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 34400bdce853ff4037fd3f82b3f8e37cda93746d Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 21 Aug 2025 14:09:37 +1000 Subject: [PATCH 02/42] testing dev/staging on dev branch #7 --- engine/py_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/py_test.py b/engine/py_test.py index 3bd6db52..aaaaae82 100644 --- a/engine/py_test.py +++ b/engine/py_test.py @@ -6,4 +6,4 @@ def subtract(a, b): return a + b -print(add(5, 1100)) +print(add(5, 11220)) From 6722ba12afc1850b0defc57e318b0e7fa5daae1e Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 21 Aug 2025 14:12:20 +1000 Subject: [PATCH 03/42] testing dev/staging on dev branch #7 --- engine/py_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/py_test.py b/engine/py_test.py index aaaaae82..201832e0 100644 --- a/engine/py_test.py +++ b/engine/py_test.py @@ -6,4 +6,4 @@ def subtract(a, b): return a + b -print(add(5, 11220)) +print(add(5, 1120)) From 520e10ffc569a60d49e5aa016ea8ec12c5f41c82 Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 21 Aug 2025 14:18:08 +1000 Subject: [PATCH 04/42] testing dev/staging on dev branch #8 --- .github/workflows/engine.yml | 172 ----------------------------------- 1 file changed, 172 deletions(-) delete mode 100644 .github/workflows/engine.yml diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml deleted file mode 100644 index 08e22cdb..00000000 --- a/.github/workflows/engine.yml +++ /dev/null @@ -1,172 +0,0 @@ -name: "Engine CI/CD" - -on: - push: - pull_request: - branches: ['main', 'staging', 'dev'] - schedule: - - cron: '32 23 * * 6' - -jobs: - changes: - name: Allocating Push Filter - runs-on: ubuntu-latest - if: github.event_name == 'push' - # Only run this job for push events - permissions: - # Required if adapting for pull requests later - pull-requests: read - outputs: - engine: ${{ steps.filter.outputs.engine }} - steps: - - uses: actions/checkout@v4 - - uses: dorny/paths-filter@v3 - id: filter - with: - filters: | - engine: - - 'engine/**' - base: ${{ github.ref }} - # Detect changes against the most recent commit on the same branch - - analyze: - name: Security Analysis on (${{ matrix.language }}) - needs: changes - # Depend on changes job - if: github.event_name != 'push' || needs.changes.outputs.engine == 'true' - # Run always for non-push events, or if engine changed on push - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - permissions: - # required for all workflows - security-events: write - - # required to fetch internal or private CodeQL packs - packages: read - - # only required for workflows in private repositories - actions: read - contents: read - - strategy: - fail-fast: false - matrix: - language: [ 'python' ] - # 'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ā„¹ļø Command-line programs to run using the OS shell. - # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" - - run-lint: - name: Linting Code - runs-on: ubuntu-latest - needs: [changes, analyze] - # Depend on changes job - if: github.event_name != 'push' || needs.changes.outputs.engine == 'true' - # Run always for non-push events, or if engine changed on push - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - # Full git history is needed to get a proper list of changed files within `super-linter` - fetch-depth: 0 - - - name: Lint Code Base - uses: github/super-linter@v4 - env: - VALIDATE_ALL_CODEBASE: false - DEFAULT_BRANCH: "main" - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VALIDATE_YAML: false - VALIDATE_GITHUB_ACTIONS: false - # Disable Black linter for Python - VALIDATE_PYTHON_BLACK: false - VALIDATE_PYTHON_FLAKE8: false - - build-and-deploy: - # Dynamically select environment by branch - environment: ${{ github.ref_name == 'main' && 'prod' || github.ref_name }} - - runs-on: ubuntu-latest - - steps: - - name: Checkout source code - uses: actions/checkout@v4 - with: - ref: ${{ github.ref }} - - - name: Set environment name - id: set-env - run: | - if [ "${{ github.ref_name }}" == "main" ]; then - echo "ENV_NAME=production" >> $GITHUB_OUTPUT - else - echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT - fi - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Build and tag Docker image - run: | - docker build -t ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} \ - --build-arg ENV=${{ steps.set-env.outputs.ENV_NAME }} \ - -f engine/docker/engine.Dockerfile . - - - name: Push Docker image - run: | - docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} - -# - name: Deploy to environment (azure?) - -# run: | - From 6be03f405ec306c44760ccc6b086b9f0d33bb4c5 Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 21 Aug 2025 14:20:36 +1000 Subject: [PATCH 05/42] testing dev/staging on dev branch #9 --- engine/py_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/py_test.py b/engine/py_test.py index 201832e0..71ebc090 100644 --- a/engine/py_test.py +++ b/engine/py_test.py @@ -6,4 +6,4 @@ def subtract(a, b): return a + b -print(add(5, 1120)) +print(add(5, 1120000)) From 5436235c2758562a9f8222ac88aa9eab40ec0879 Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 21 Aug 2025 14:24:49 +1000 Subject: [PATCH 06/42] testing dev/staging on dev branch #10 --- engine/py_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/py_test.py b/engine/py_test.py index 71ebc090..e464b861 100644 --- a/engine/py_test.py +++ b/engine/py_test.py @@ -6,4 +6,4 @@ def subtract(a, b): return a + b -print(add(5, 1120000)) +print(add(5, 112)) From 953d0a1d59bef47a39b891b35fc8db567f5cbad9 Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 21 Aug 2025 14:25:13 +1000 Subject: [PATCH 07/42] testing dev/staging on dev branch #11 --- engine/py_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/py_test.py b/engine/py_test.py index e464b861..d31e10f9 100644 --- a/engine/py_test.py +++ b/engine/py_test.py @@ -6,4 +6,4 @@ def subtract(a, b): return a + b -print(add(5, 112)) +print(add(5, 122)) From 5be115587dfe4515109ad3f62f5350440b23ca76 Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 21 Aug 2025 14:31:27 +1000 Subject: [PATCH 08/42] adding workflows into dev branch --- .github/workflows/api.yml | 152 +++++++++++++++++++++++++ .github/workflows/backend.yml | 152 +++++++++++++++++++++++++ .github/workflows/codeql.yml | 96 ++++++++++++++++ .github/workflows/engine.yml | 173 +++++++++++++++++++++++++++++ .github/workflows/frontend.yml | 152 +++++++++++++++++++++++++ .github/workflows/super-linter.yml | 28 +++++ 6 files changed, 753 insertions(+) create mode 100644 .github/workflows/api.yml create mode 100644 .github/workflows/backend.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/engine.yml create mode 100644 .github/workflows/frontend.yml create mode 100644 .github/workflows/super-linter.yml diff --git a/.github/workflows/api.yml b/.github/workflows/api.yml new file mode 100644 index 00000000..17de3cfd --- /dev/null +++ b/.github/workflows/api.yml @@ -0,0 +1,152 @@ +name: "API CI/CD" + +on: + push: + pull_request: + branches: ['main'] + schedule: + - cron: '32 23 * * 6' + +jobs: + changes: + name: Allocating Push Filter + runs-on: ubuntu-latest + if: github.event_name == 'push' + # Only run this job for push events + permissions: + # Required if adapting for pull requests later + pull-requests: read + outputs: + api: ${{ steps.filter.outputs.api }} + steps: + - uses: actions/checkout@v4 + - uses: dorny/paths-filter@v3 + id: filter + with: + filters: | + api: + - 'api/**' + base: ${{ github.ref }} + # Detect changes against the most recent commit on the same branch + + analyze: + name: Security Analysis on (${{ matrix.language }}) + needs: changes + # Depend on changes job + if: github.event_name != 'push' || needs.changes.outputs.api == 'true' + # Run always for non-push events, or if engine changed on push + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + language: [ 'python', 'javascript-typescript' ] + # 'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ā„¹ļø Command-line programs to run using the OS shell. + # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" + + run-lint: + name: Linting Code + runs-on: ubuntu-latest + needs: [changes, analyze] + # Depend on changes job + if: github.event_name != 'push' || needs.changes.outputs.api == 'true' + # Run always for non-push events, or if engine changed on push + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + # Full git history is needed to get a proper list of changed files within `super-linter` + fetch-depth: 0 + + - name: Lint Code Base + uses: github/super-linter@v4 + env: + VALIDATE_ALL_CODEBASE: false + DEFAULT_BRANCH: "main" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VALIDATE_YAML: false + VALIDATE_GITHUB_ACTIONS: false + # Disable Black linter for Python + VALIDATE_PYTHON_BLACK: false + VALIDATE_PYTHON_FLAKE8: false + +# build-api: +# name: Build API w/ Docker +# runs-on: ubuntu-latest +# needs: [changes, analyze, run-lint] + +# steps: +# - name: Checkout API w/ Docker +# uses: actions/checkout@v3 +# with: +# ref: main +# +# - name: Confirm Branch +# run: git branch +# +# - name: Build API Container +# run: | +# docker build -t autoaudit/api -f api/docker/api.Dockerfile . +# +# - name: Run API Container +# run: | +# docker run --rm autoaudit/api \ No newline at end of file diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml new file mode 100644 index 00000000..6a794205 --- /dev/null +++ b/.github/workflows/backend.yml @@ -0,0 +1,152 @@ +name: "Backend CI/CD" + +on: + push: + pull_request: + branches: ['main'] + schedule: + - cron: '32 23 * * 6' + +jobs: + changes: + name: Allocating Push Filter + runs-on: ubuntu-latest + if: github.event_name == 'push' + # Only run this job for push events + permissions: + # Required if adapting for pull requests later + pull-requests: read + outputs: + backend: ${{ steps.filter.outputs.backend }} + steps: + - uses: actions/checkout@v4 + - uses: dorny/paths-filter@v3 + id: filter + with: + filters: | + backend: + - 'backend/**' + base: ${{ github.ref }} + # Detect changes against the most recent commit on the same branch + + analyze: + name: Security Analysis on (${{ matrix.language }}) + needs: changes + # Depend on changes job + if: github.event_name != 'push' || needs.changes.outputs.backend == 'true' + # Run always for non-push events, or if engine changed on push + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + language: [ 'javascript-typescript' ] + # 'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ā„¹ļø Command-line programs to run using the OS shell. + # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" + + run-lint: + name: Linting Code + runs-on: ubuntu-latest + needs: [changes, analyze] + # Depend on changes job + if: github.event_name != 'push' || needs.changes.outputs.backend == 'true' + # Run always for non-push events, or if engine changed on push + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + # Full git history is needed to get a proper list of changed files within `super-linter` + fetch-depth: 0 + + - name: Lint Code Base + uses: github/super-linter@v4 + env: + VALIDATE_ALL_CODEBASE: false + DEFAULT_BRANCH: "main" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VALIDATE_YAML: false + VALIDATE_GITHUB_ACTIONS: false + # Disable Black linter for Python + VALIDATE_PYTHON_BLACK: false + VALIDATE_PYTHON_FLAKE8: false + +# build-backend: +# name: Build Backend w/ Docker +# runs-on: ubuntu-latest +# needs: [changes, analyze, run-lint] + +# steps: +# - name: Checkout Backend w/ Docker +# uses: actions/checkout@v3 +# with: +# ref: main +# +# - name: Confirm Branch +# run: git branch +# +# - name: Build Backend Container +# run: | +# docker build -t autoaudit/backend -f engine/docker/backend.Dockerfile . +# +# - name: Run Backend Container +# run: | +# docker run --rm autoaudit/backend \ No newline at end of file diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..96680644 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,96 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced" + +on: + push: + pull_request: + branches: [ '**' ] + schedule: + - cron: '32 23 * * 6' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + language: ['python', 'javascript-typescript'] + + #'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ā„¹ļø Command-line programs to run using the OS shell. + # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml new file mode 100644 index 00000000..cfeb32ef --- /dev/null +++ b/.github/workflows/engine.yml @@ -0,0 +1,173 @@ +name: "Engine CI/CD" + +on: + push: + pull_request: + branches: ['main', 'staging', 'dev'] + schedule: + - cron: '32 23 * * 6' + +jobs: + changes: + name: Allocating Push Filter + runs-on: ubuntu-latest + if: github.event_name == 'push' + # Only run this job for push events + permissions: + # Required if adapting for pull requests later + pull-requests: read + outputs: + engine: ${{ steps.filter.outputs.engine }} + steps: + - uses: actions/checkout@v4 + - uses: dorny/paths-filter@v3 + id: filter + with: + filters: | + engine: + - 'engine/**' + base: ${{ github.ref }} + # Detect changes against the most recent commit on the same branch + + analyze: + name: Security Analysis on (${{ matrix.language }}) + needs: changes + # Depend on changes job + if: github.event_name != 'push' || needs.changes.outputs.engine == 'true' + # Run always for non-push events, or if engine changed on push + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + language: [ 'python' ] + # 'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ā„¹ļø Command-line programs to run using the OS shell. + # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" + + run-lint: + name: Linting Code + runs-on: ubuntu-latest + needs: [changes, analyze] + # Depend on changes job + if: github.event_name != 'push' || needs.changes.outputs.engine == 'true' + # Run always for non-push events, or if engine changed on push + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + # Full git history is needed to get a proper list of changed files within `super-linter` + fetch-depth: 0 + + - name: Lint Code Base + uses: github/super-linter@v4 + env: + VALIDATE_ALL_CODEBASE: false + DEFAULT_BRANCH: "main" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VALIDATE_YAML: false + VALIDATE_GITHUB_ACTIONS: false + # Disable Black linter for Python + VALIDATE_PYTHON_BLACK: false + VALIDATE_PYTHON_FLAKE8: false + + build-and-deploy: + name: Build and Deploy Engine + needs: [changes, analyze, run-lint] + environment: ${{ github.ref_name == 'main' && 'prod' || github.ref_name }} + + runs-on: ubuntu-latest + + steps: + - name: Checkout source code + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Set environment name + id: set-env + run: | + if [ "${{ github.ref_name }}" == "main" ]; then + echo "ENV_NAME=production" >> $GITHUB_OUTPUT + else + echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT + fi + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Build and tag Docker image + run: | + docker build -t ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} \ + --build-arg ENV=${{ steps.set-env.outputs.ENV_NAME }} \ + -f engine/docker/engine.Dockerfile . + + - name: Push Docker image + run: | + docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} + +# - name: Deploy to environment (azure?) + +# run: | + diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml new file mode 100644 index 00000000..079d173b --- /dev/null +++ b/.github/workflows/frontend.yml @@ -0,0 +1,152 @@ +name: "Frontend CI/CD" + +on: + push: + pull_request: + branches: ['main'] + schedule: + - cron: '32 23 * * 6' + +jobs: + changes: + name: Allocating Push Filter + runs-on: ubuntu-latest + if: github.event_name == 'push' + # Only run this job for push events + permissions: + # Required if adapting for pull requests later + pull-requests: read + outputs: + backend: ${{ steps.filter.outputs.backend }} + steps: + - uses: actions/checkout@v4 + - uses: dorny/paths-filter@v3 + id: filter + with: + filters: | + backend: + - 'backend/**' + base: ${{ github.ref }} + # Detect changes against the most recent commit on the same branch + + analyze: + name: Security Analysis on (${{ matrix.language }}) + needs: changes + # Depend on changes job + if: github.event_name != 'push' || needs.changes.outputs.backend == 'true' + # Run always for non-push events, or if engine changed on push + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + language: [ 'typescript-javascript' ] + # 'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ā„¹ļø Command-line programs to run using the OS shell. + # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" + + run-lint: + name: Linting Code + runs-on: ubuntu-latest + needs: [changes, analyze] + # Depend on changes job + if: github.event_name != 'push' || needs.changes.outputs.backend == 'true' + # Run always for non-push events, or if engine changed on push + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + # Full git history is needed to get a proper list of changed files within `super-linter` + fetch-depth: 0 + + - name: Lint Code Base + uses: github/super-linter@v4 + env: + VALIDATE_ALL_CODEBASE: false + DEFAULT_BRANCH: "main" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + VALIDATE_YAML: false + VALIDATE_GITHUB_ACTIONS: false + # Disable Black linter for Python + VALIDATE_PYTHON_BLACK: false + VALIDATE_PYTHON_FLAKE8: false + +# build-backend: +# name: Build Backend w/ Docker +# runs-on: ubuntu-latest +# needs: [changes, analyze, run-lint] + +# steps: +# - name: Checkout Backend w/ Docker +# uses: actions/checkout@v3 +# with: +# ref: main +# +# - name: Confirm Branch +# run: git branch +# +# - name: Build Backend Container +# run: | +# docker build -t autoaudit/backend -f engine/docker/backend.Dockerfile . +# +# - name: Run Backend Container +# run: | +# docker run --rm autoaudit/backend \ No newline at end of file diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml new file mode 100644 index 00000000..1a1e275f --- /dev/null +++ b/.github/workflows/super-linter.yml @@ -0,0 +1,28 @@ +# This workflow executes several linters on changed files based on languages used in your code base whenever +# you push a code or open a pull request. +# +# You can adjust the behavior by modifying this file. +# For more information, see: +# https://github.com/github/super-linter +name: Lint Code Base + +on: + push: + pull_request: + branches: [ '**' ] +jobs: + run-lint: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + # Full git history is needed to get a proper list of changed files within `super-linter` + fetch-depth: 0 + + - name: Lint Code Base + uses: github/super-linter@v4 + env: + VALIDATE_ALL_CODEBASE: false + DEFAULT_BRANCH: "main" + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 541f818c08181bcdd4b2f8ac507d374ce9573621 Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 21 Aug 2025 14:32:51 +1000 Subject: [PATCH 09/42] testing dev/staging on dev branch #12 --- engine/py_test.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/py_test.py b/engine/py_test.py index d31e10f9..fffedcde 100644 --- a/engine/py_test.py +++ b/engine/py_test.py @@ -6,4 +6,4 @@ def subtract(a, b): return a + b -print(add(5, 122)) +print(add(5, 12222)) From a6ceac68a6d4a2f6dc5fe84ce96c769df2296bf7 Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 28 Aug 2025 16:57:58 +1000 Subject: [PATCH 10/42] testing gcp integration #2 --- .github/workflows/engine.yml | 43 ++++++++++++++-------- engine/engine/cloudbuild-engine-docker.yml | 31 ++++++++++++++++ 2 files changed, 59 insertions(+), 15 deletions(-) create mode 100644 engine/engine/cloudbuild-engine-docker.yml diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index cfeb32ef..69fe9153 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -136,6 +136,10 @@ jobs: runs-on: ubuntu-latest + permissions: + contents: read # To checkout code + id-token: write # Required for Workload Identity Federation + steps: - name: Checkout source code uses: actions/checkout@v4 @@ -146,28 +150,37 @@ jobs: id: set-env run: | if [ "${{ github.ref_name }}" == "main" ]; then - echo "ENV_NAME=production" >> $GITHUB_OUTPUT + echo "ENV_NAME=prod" >> $GITHUB_OUTPUT else echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT fi - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} +## - name: Login to Docker Hub +## uses: docker/login-action@v3 +## with: +## username: ${{ secrets.DOCKER_USERNAME }} +## password: ${{ secrets.DOCKER_PASSWORD }} + +## - name: Build and tag Docker image +## run: | +## docker build -t ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} \ +## --build-arg ENV=${{ steps.set-env.outputs.ENV_NAME }} \ +## -f engine/docker/engine.Dockerfile . + +## - name: Push Docker image +## run: | +## docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} - - name: Build and tag Docker image - run: | - docker build -t ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} \ - --build-arg ENV=${{ steps.set-env.outputs.ENV_NAME }} \ - -f engine/docker/engine.Dockerfile . - - name: Push Docker image + # --- Replaced Docker Hub steps with Cloud Build Trigger --- + - name: Trigger Cloud Build for Docker Image run: | - docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} + gcloud builds submit . \ + --config=engine/cloudbuild-docker-build.yml \ + --project=YOUR_PROJECT_ID \ + --substitutions=_ENV_NAME=${{ steps.set-env.outputs.ENV_NAME }} \ + --region=australia-southeast2 + # The `.` means submit the entire current directory as the source for Cloud Build. -# - name: Deploy to environment (azure?) -# run: | diff --git a/engine/engine/cloudbuild-engine-docker.yml b/engine/engine/cloudbuild-engine-docker.yml new file mode 100644 index 00000000..57dac9ef --- /dev/null +++ b/engine/engine/cloudbuild-engine-docker.yml @@ -0,0 +1,31 @@ +# engine/cloudbuild-docker-build.yaml +steps: + # Build Docker Image + - name: 'gcr.io/cloud-builders/docker' + args: + - 'build' + - '-t' + - 'australia-southeast2-docker.pkg.dev/$PROJECT_ID/engine/engine:${_ENV_NAME}' + - '--build-arg' + - 'ENV=${_ENV_NAME}' + - '-f' + - 'engine/docker/engine.Dockerfile' + - '.' + # The `dir` specifies the working directory for the build context + # Adjust this if your Dockerfile or source context is not at the root + # or specifically in the 'engine' directory relative to the trigger. + dir: 'engine' # Assuming engine.Dockerfile is in engine/docker/ and context is `engine/` + + # Push Docker Image to Artifact Registry + - name: 'gcr.io/cloud-builders/docker' + args: + - 'push' + - 'australia-southeast2-docker.pkg.dev/$PROJECT_ID/engine/engine:${_ENV_NAME}' + +# Specify the images to be pushed to Artifact Registry +images: + - 'australia-southeast2-docker.pkg.dev/$PROJECT_ID/engine/engine:${_ENV_NAME}' + +# Define custom substitutions to be passed from GitHub Actions +substitutions: + _ENV_NAME: 'default' # A default value for safety From 32990dc5f330be6e571c75274de65585687e4e35 Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 28 Aug 2025 17:06:10 +1000 Subject: [PATCH 11/42] testing gcp integration #3 --- engine/{engine => }/cloudbuild-engine-docker.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename engine/{engine => }/cloudbuild-engine-docker.yml (100%) diff --git a/engine/engine/cloudbuild-engine-docker.yml b/engine/cloudbuild-engine-docker.yml similarity index 100% rename from engine/engine/cloudbuild-engine-docker.yml rename to engine/cloudbuild-engine-docker.yml From c6e9942d353fa116f79e3fbda2a8f38b3ff4bb18 Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 28 Aug 2025 17:21:04 +1000 Subject: [PATCH 12/42] testing gcp integration #4 --- .github/workflows/engine.yml | 42 ++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 69fe9153..9f0c83bf 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -155,32 +155,32 @@ jobs: echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT fi -## - name: Login to Docker Hub -## uses: docker/login-action@v3 -## with: -## username: ${{ secrets.DOCKER_USERNAME }} -## password: ${{ secrets.DOCKER_PASSWORD }} + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} -## - name: Build and tag Docker image -## run: | -## docker build -t ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} \ -## --build-arg ENV=${{ steps.set-env.outputs.ENV_NAME }} \ -## -f engine/docker/engine.Dockerfile . + - name: Build and tag Docker image + run: | + docker build -t ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} \ + --build-arg ENV=${{ steps.set-env.outputs.ENV_NAME }} \ + -f engine/docker/engine.Dockerfile . -## - name: Push Docker image -## run: | -## docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} + - name: Push Docker image + run: | + docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} # --- Replaced Docker Hub steps with Cloud Build Trigger --- - - name: Trigger Cloud Build for Docker Image - run: | - gcloud builds submit . \ - --config=engine/cloudbuild-docker-build.yml \ - --project=YOUR_PROJECT_ID \ - --substitutions=_ENV_NAME=${{ steps.set-env.outputs.ENV_NAME }} \ - --region=australia-southeast2 - # The `.` means submit the entire current directory as the source for Cloud Build. +# - name: Trigger Cloud Build for Docker Image +# run: | +# gcloud builds submit . \ +# --config=engine/cloudbuild-docker-build.yml \ +# --project=YOUR_PROJECT_ID \ +# --substitutions=_ENV_NAME=${{ steps.set-env.outputs.ENV_NAME }} \ +# --region=australia-southeast2 +# # The `.` means submit the entire current directory as the source for Cloud Build. From 17c93019b5e5e972cd9e8eca844a6816a431516c Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 28 Aug 2025 17:29:30 +1000 Subject: [PATCH 13/42] testing gcp integration #5 --- engine/cloudbuild-engine-docker.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/engine/cloudbuild-engine-docker.yml b/engine/cloudbuild-engine-docker.yml index 57dac9ef..30d414f3 100644 --- a/engine/cloudbuild-engine-docker.yml +++ b/engine/cloudbuild-engine-docker.yml @@ -1,11 +1,9 @@ -# engine/cloudbuild-docker-build.yaml steps: - # Build Docker Image - name: 'gcr.io/cloud-builders/docker' args: - 'build' - '-t' - - 'australia-southeast2-docker.pkg.dev/$PROJECT_ID/engine/engine:${_ENV_NAME}' + - 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine' - '--build-arg' - 'ENV=${_ENV_NAME}' - '-f' @@ -20,12 +18,12 @@ steps: - name: 'gcr.io/cloud-builders/docker' args: - 'push' - - 'australia-southeast2-docker.pkg.dev/$PROJECT_ID/engine/engine:${_ENV_NAME}' + - 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine' # Specify the images to be pushed to Artifact Registry images: - - 'australia-southeast2-docker.pkg.dev/$PROJECT_ID/engine/engine:${_ENV_NAME}' + - 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine' # Define custom substitutions to be passed from GitHub Actions -substitutions: - _ENV_NAME: 'default' # A default value for safety +# substitutions: +# _ENV_NAME: 'default' # A default value for safety From c5d289ca6c03252f7ed60ae5a64c164fb5bb0cc5 Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 28 Aug 2025 17:52:38 +1000 Subject: [PATCH 14/42] testing gcp integration #6 --- engine/cloudbuild-engine-docker.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/engine/cloudbuild-engine-docker.yml b/engine/cloudbuild-engine-docker.yml index 30d414f3..f8c8d1d3 100644 --- a/engine/cloudbuild-engine-docker.yml +++ b/engine/cloudbuild-engine-docker.yml @@ -5,7 +5,6 @@ steps: - '-t' - 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine' - '--build-arg' - - 'ENV=${_ENV_NAME}' - '-f' - 'engine/docker/engine.Dockerfile' - '.' @@ -13,7 +12,7 @@ steps: # Adjust this if your Dockerfile or source context is not at the root # or specifically in the 'engine' directory relative to the trigger. dir: 'engine' # Assuming engine.Dockerfile is in engine/docker/ and context is `engine/` - + # Push Docker Image to Artifact Registry - name: 'gcr.io/cloud-builders/docker' args: @@ -27,3 +26,6 @@ images: # Define custom substitutions to be passed from GitHub Actions # substitutions: # _ENV_NAME: 'default' # A default value for safety + +options: + logging: CLOUD_LOGGING_ONLY \ No newline at end of file From 05ab08c23a7575229622180a212b34a75510e33e Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 28 Aug 2025 17:57:06 +1000 Subject: [PATCH 15/42] testing gcp integration #7 --- engine/cloudbuild-engine-docker.yml | 27 +-------------------------- 1 file changed, 1 insertion(+), 26 deletions(-) diff --git a/engine/cloudbuild-engine-docker.yml b/engine/cloudbuild-engine-docker.yml index f8c8d1d3..d25810ee 100644 --- a/engine/cloudbuild-engine-docker.yml +++ b/engine/cloudbuild-engine-docker.yml @@ -1,31 +1,6 @@ steps: - name: 'gcr.io/cloud-builders/docker' - args: - - 'build' - - '-t' - - 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine' - - '--build-arg' - - '-f' - - 'engine/docker/engine.Dockerfile' - - '.' - # The `dir` specifies the working directory for the build context - # Adjust this if your Dockerfile or source context is not at the root - # or specifically in the 'engine' directory relative to the trigger. - dir: 'engine' # Assuming engine.Dockerfile is in engine/docker/ and context is `engine/` - - # Push Docker Image to Artifact Registry - - name: 'gcr.io/cloud-builders/docker' - args: - - 'push' - - 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine' - -# Specify the images to be pushed to Artifact Registry -images: - - 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine' - -# Define custom substitutions to be passed from GitHub Actions -# substitutions: -# _ENV_NAME: 'default' # A default value for safety + args: [ 'build', '-t', 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine', '.' ] options: logging: CLOUD_LOGGING_ONLY \ No newline at end of file From bb58a5a6d30c519bac2a7b28ab9507266428a29a Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 28 Aug 2025 19:36:22 +1000 Subject: [PATCH 16/42] testing gcp integration #8 --- engine/cloudbuild-engine-docker.yml | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/engine/cloudbuild-engine-docker.yml b/engine/cloudbuild-engine-docker.yml index d25810ee..c6c29df4 100644 --- a/engine/cloudbuild-engine-docker.yml +++ b/engine/cloudbuild-engine-docker.yml @@ -1,6 +1,22 @@ +#GCP Engine Docker Build +#References sourced: +# https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs?hl=pt-br#yaml_1 +# https://discuss.google.dev/t/cloudbuild-error-failed-to-trigger-build/106701 + +#Build engine/docker/engine.Dockerfile steps: - - name: 'gcr.io/cloud-builders/docker' - args: [ 'build', '-t', 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine', '.' ] + - name: 'gcr.io/cloud-builders/docker' #gcp docker step + args: [ + 'build', + '--file', 'engine/docker/engine.Dockerfile', #specified file location in github struct + '-t', 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine/my-engine-image:dev', #build engine dev container using GCP container registry, added image name as 'my-engine-image' with ':dev' tag + '.' #build all directroy components in engine + ] + + - name: 'gcr.io/cloud-builders/docker' #repeat for push + args: ['push', 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine/my-engine-image:dev'] +images: +- 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine/my-engine-image:dev' options: - logging: CLOUD_LOGGING_ONLY \ No newline at end of file + logging: CLOUD_LOGGING_ONLY #syntax to bypass 'build.service_account' From 997f7c1ad73b3bdcb9e39108a115c3848a4933ca Mon Sep 17 00:00:00 2001 From: dig Date: Thu, 28 Aug 2025 20:07:57 +1000 Subject: [PATCH 17/42] testing gcp integration #9 --- engine/engine/main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/engine/main.py b/engine/engine/main.py index 7faee936..15c3201b 100644 --- a/engine/engine/main.py +++ b/engine/engine/main.py @@ -88,7 +88,7 @@ def main(): # Summary output print("\nšŸ“Š Summary:") print(f" Total Rules: {len(rules)}") - print(f" āœ… Passeds: {passed}") + print(f" āœ… PassedzZzZz: {passed}") print(f" āŒ Failed: {failed}") if __name__ == "__main__": From 7b0deacc1c5ec68f5befcca83d8540f7ac81e0ac Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Fri, 29 Aug 2025 13:09:59 +1000 Subject: [PATCH 18/42] Added Grype security scanning to build-and-deploy step --- .github/workflows/engine.yml | 116 +++++++++-------------------------- 1 file changed, 29 insertions(+), 87 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 9f0c83bf..417f7554 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -12,9 +12,7 @@ jobs: name: Allocating Push Filter runs-on: ubuntu-latest if: github.event_name == 'push' - # Only run this job for push events permissions: - # Required if adapting for pull requests later pull-requests: read outputs: engine: ${{ steps.filter.outputs.engine }} @@ -26,95 +24,54 @@ jobs: filters: | engine: - 'engine/**' - base: ${{ github.ref }} - # Detect changes against the most recent commit on the same branch + base: ${{ github.ref }} analyze: name: Security Analysis on (${{ matrix.language }}) needs: changes - # Depend on changes job - if: github.event_name != 'push' || needs.changes.outputs.engine == 'true' - # Run always for non-push events, or if engine changed on push + if: github.event_name != 'push' || needs.changes.outputs.engine == 'true' runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} permissions: - # required for all workflows security-events: write - - # required to fetch internal or private CodeQL packs packages: read - - # only required for workflows in private repositories actions: read contents: read - strategy: fail-fast: false matrix: - language: [ 'python' ] - # 'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' - # Use `c-cpp` to analyze code written in C, C++ or both - # Use 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, - # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how - # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + language: ['python'] steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Add any setup steps before running the `github/codeql-action/init` action. - # This includes steps like installing compilers or runtimes (`actions/setup-node` - # or others). This is typically only required for manual builds. - # - name: Setup runtime (example) - # uses: actions/setup-example@v1 + - name: Checkout repository + uses: actions/checkout@v4 - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the languages you are analyzing, replace this with the commands to build your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 - # If the analyze step fails for one of the languages you are analyzing with - # "We were unable to automatically build your code", modify the matrix above - # to set the build mode to "manual" for that language. Then modify this step - # to build your code. - # ā„¹ļø Command-line programs to run using the OS shell. - # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'If you are using a "manual" build mode for one or more of the' \ - 'languages you are analyzing, replace this with the commands to build' \ - 'your code, for example:' - echo ' make bootstrap' - echo ' make release' - exit 1 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" - run-lint: name: Linting Code runs-on: ubuntu-latest needs: [changes, analyze] - # Depend on changes job - if: github.event_name != 'push' || needs.changes.outputs.engine == 'true' - # Run always for non-push events, or if engine changed on push + if: github.event_name != 'push' || needs.changes.outputs.engine == 'true' steps: - name: Checkout code uses: actions/checkout@v4 with: - # Full git history is needed to get a proper list of changed files within `super-linter` fetch-depth: 0 - name: Lint Code Base @@ -125,7 +82,6 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} VALIDATE_YAML: false VALIDATE_GITHUB_ACTIONS: false - # Disable Black linter for Python VALIDATE_PYTHON_BLACK: false VALIDATE_PYTHON_FLAKE8: false @@ -133,13 +89,10 @@ jobs: name: Build and Deploy Engine needs: [changes, analyze, run-lint] environment: ${{ github.ref_name == 'main' && 'prod' || github.ref_name }} - runs-on: ubuntu-latest - permissions: - contents: read # To checkout code - id-token: write # Required for Workload Identity Federation - + contents: read + id-token: write steps: - name: Checkout source code uses: actions/checkout@v4 @@ -153,7 +106,6 @@ jobs: echo "ENV_NAME=prod" >> $GITHUB_OUTPUT else echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT - fi - name: Login to Docker Hub uses: docker/login-action@v3 @@ -167,20 +119,10 @@ jobs: --build-arg ENV=${{ steps.set-env.outputs.ENV_NAME }} \ -f engine/docker/engine.Dockerfile . - - name: Push Docker image + # --- GRYPE SECURITY SCAN SECTION --- + - name: Install Grype run: | - docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} - - - # --- Replaced Docker Hub steps with Cloud Build Trigger --- -# - name: Trigger Cloud Build for Docker Image -# run: | -# gcloud builds submit . \ -# --config=engine/cloudbuild-docker-build.yml \ -# --project=YOUR_PROJECT_ID \ -# --substitutions=_ENV_NAME=${{ steps.set-env.outputs.ENV_NAME }} \ -# --region=australia-southeast2 -# # The `.` means submit the entire current directory as the source for Cloud Build. - - + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh + sudo mv ./grype /usr/local/bin/ + - name: Scan Docker image with Grype From d8f66e5323b459e3e2d22b773580b61c09c140cb Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Fri, 29 Aug 2025 13:40:23 +1000 Subject: [PATCH 19/42] solving error --- .github/workflows/engine.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 417f7554..9121ec9f 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -126,3 +126,18 @@ jobs: sudo mv ./grype /usr/local/bin/ - name: Scan Docker image with Grype + run: | + grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} + + - name: Push Docker image + run: | + docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} + + # --- Optional: Cloud Build Trigger (commented out) --- +# - name: Trigger Cloud Build for Docker Image +# run: | +# gcloud builds submit . \ +# --config=engine/cloudbuild-docker-build.yml \ +# --project=YOUR_PROJECT_ID \ +# --substitutions=_ENV_NAME=${{ steps.set-env.outputs.ENV_NAME }} \ +# --region=australia-southeast2 From 9f1de86bbcf10e8a0a325e1e51578335fdcf039b Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Fri, 29 Aug 2025 14:32:10 +1000 Subject: [PATCH 20/42] solving skipped job error --- .github/workflows/engine.yml | 35 +++++++++++++++-------------------- 1 file changed, 15 insertions(+), 20 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 9121ec9f..ca92a9e0 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -2,6 +2,7 @@ name: "Engine CI/CD" on: push: + branches: ['main', 'staging', 'dev'] pull_request: branches: ['main', 'staging', 'dev'] schedule: @@ -53,9 +54,7 @@ jobs: - if: matrix.build-mode == 'manual' shell: bash run: | - echo 'If you are using a "manual" build mode for one or more of the languages you are analyzing, replace this with the commands to build your code, for example:' - echo ' make bootstrap' - echo ' make release' + echo 'Manual build mode not configured' exit 1 - name: Perform CodeQL Analysis @@ -87,9 +86,9 @@ jobs: build-and-deploy: name: Build and Deploy Engine - needs: [changes, analyze, run-lint] - environment: ${{ github.ref_name == 'main' && 'prod' || github.ref_name }} runs-on: ubuntu-latest + needs: [changes] # only depends on file changes filter + environment: ${{ github.ref_name == 'main' && 'prod' || github.ref_name }} permissions: contents: read id-token: write @@ -106,6 +105,7 @@ jobs: echo "ENV_NAME=prod" >> $GITHUB_OUTPUT else echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT + fi - name: Login to Docker Hub uses: docker/login-action@v3 @@ -119,7 +119,15 @@ jobs: --build-arg ENV=${{ steps.set-env.outputs.ENV_NAME }} \ -f engine/docker/engine.Dockerfile . - # --- GRYPE SECURITY SCAN SECTION --- + - name: Push Docker image + run: | + docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} + + grype-scan: + name: Grype Security Scan + runs-on: ubuntu-latest + needs: build-and-deploy + steps: - name: Install Grype run: | curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh @@ -127,17 +135,4 @@ jobs: - name: Scan Docker image with Grype run: | - grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} - - - name: Push Docker image - run: | - docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} - - # --- Optional: Cloud Build Trigger (commented out) --- -# - name: Trigger Cloud Build for Docker Image -# run: | -# gcloud builds submit . \ -# --config=engine/cloudbuild-docker-build.yml \ -# --project=YOUR_PROJECT_ID \ -# --substitutions=_ENV_NAME=${{ steps.set-env.outputs.ENV_NAME }} \ -# --region=australia-southeast2 + grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ github.ref_name }} From 5a218d69d3591ec50dbe0e1194ff4acb9d97a095 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Fri, 29 Aug 2025 14:38:53 +1000 Subject: [PATCH 21/42] solving installation error --- .github/workflows/engine.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index ca92a9e0..48a439f5 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -130,8 +130,7 @@ jobs: steps: - name: Install Grype run: | - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh - sudo mv ./grype /usr/local/bin/ + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - name: Scan Docker image with Grype run: | From 1032786290c0be969f3fafcf660350c57fbfe973 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Fri, 29 Aug 2025 14:47:35 +1000 Subject: [PATCH 22/42] solving image creation error --- .github/workflows/engine.yml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 48a439f5..6aba3458 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -87,11 +87,13 @@ jobs: build-and-deploy: name: Build and Deploy Engine runs-on: ubuntu-latest - needs: [changes] # only depends on file changes filter + needs: [changes] environment: ${{ github.ref_name == 'main' && 'prod' || github.ref_name }} permissions: contents: read id-token: write + outputs: + image_tag: ${{ steps.set-env.outputs.ENV_NAME }} steps: - name: Checkout source code uses: actions/checkout@v4 @@ -119,10 +121,6 @@ jobs: --build-arg ENV=${{ steps.set-env.outputs.ENV_NAME }} \ -f engine/docker/engine.Dockerfile . - - name: Push Docker image - run: | - docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} - grype-scan: name: Grype Security Scan runs-on: ubuntu-latest @@ -134,4 +132,8 @@ jobs: - name: Scan Docker image with Grype run: | - grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ github.ref_name }} + grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} + + - name: Push Docker image + run: | + docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} From 1ffd3c8eb040553f6a53e95cc519b85294fec741 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Fri, 29 Aug 2025 15:10:10 +1000 Subject: [PATCH 23/42] solving image error-2 --- .github/workflows/engine.yml | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 6aba3458..fd830c7a 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -109,31 +109,29 @@ jobs: echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT fi + + grype-scan: + name: Grype Security Scan + runs-on: ubuntu-latest + needs: build-and-deploy + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - - name: Build and tag Docker image - run: | - docker build -t ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} \ - --build-arg ENV=${{ steps.set-env.outputs.ENV_NAME }} \ - -f engine/docker/engine.Dockerfile . - - grype-scan: - name: Grype Security Scan - runs-on: ubuntu-latest - needs: build-and-deploy - steps: - name: Install Grype run: | curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - - name: Scan Docker image with Grype - run: | - grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} - - name: Push Docker image run: | docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} + + - name: Scan Docker image with Grype + run: | + grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} From e9ff91859a76bfc08468f3285766a94a789b82f0 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Fri, 29 Aug 2025 15:14:46 +1000 Subject: [PATCH 24/42] solving image error-3 --- .github/workflows/engine.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index fd830c7a..59d68463 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -109,7 +109,13 @@ jobs: echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT fi - + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + grype-scan: name: Grype Security Scan runs-on: ubuntu-latest @@ -118,12 +124,6 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - name: Install Grype run: | curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin From 5d674dccaa491a1508a26255ea53c12ef93d8140 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Fri, 29 Aug 2025 15:24:36 +1000 Subject: [PATCH 25/42] solving image error-4 --- .github/workflows/engine.yml | 48 ++++++++++++++++++------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 59d68463..b3047673 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -109,29 +109,29 @@ jobs: echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT fi - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - grype-scan: - name: Grype Security Scan - runs-on: ubuntu-latest - needs: build-and-deploy - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Install Grype - run: | - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin + name: Grype Security Scan + runs-on: ubuntu-latest + needs: build-and-deploy + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Install Grype + run: | + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin + + - name: Pull Docker image + run: | + docker pull ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} + + - name: Scan Docker image with Grype + run: | + grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} - - name: Push Docker image - run: | - docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} - - - name: Scan Docker image with Grype - run: | - grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} From 82e1a204bac5657b4896f5fe2c38a5f7f1aa5a4a Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Fri, 29 Aug 2025 15:27:07 +1000 Subject: [PATCH 26/42] solving image error-4 --- .github/workflows/engine.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index b3047673..0b6fcc2a 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -109,6 +109,7 @@ jobs: echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT fi + grype-scan: name: Grype Security Scan runs-on: ubuntu-latest From 5241482224746dc002415e11ef5226246f23a3b4 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Fri, 29 Aug 2025 15:29:15 +1000 Subject: [PATCH 27/42] solving image error-4 --- .github/workflows/engine.yml | 43 +++++++++++++++++------------------- 1 file changed, 20 insertions(+), 23 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 0b6fcc2a..993a8280 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -107,32 +107,29 @@ jobs: echo "ENV_NAME=prod" >> $GITHUB_OUTPUT else echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT - fi - grype-scan: - name: Grype Security Scan - runs-on: ubuntu-latest - needs: build-and-deploy - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + name: Grype Security Scan + runs-on: ubuntu-latest + needs: build-and-deploy + steps: + - name: Checkout repository + uses: actions/checkout@v4 - - name: Install Grype - run: | - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} - - name: Pull Docker image - run: | - docker pull ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} + - name: Install Grype + run: | + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - - name: Scan Docker image with Grype - run: | - grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} + - name: Pull Docker image + run: | + docker pull ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} + - name: Scan Docker image with Grype + run: | + grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} From ed9800990b423ea15411fef92f621776163358d1 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Fri, 29 Aug 2025 15:31:18 +1000 Subject: [PATCH 28/42] solving image error-4 --- .github/workflows/engine.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 993a8280..b1c5c4c1 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -107,6 +107,7 @@ jobs: echo "ENV_NAME=prod" >> $GITHUB_OUTPUT else echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT + fi grype-scan: name: Grype Security Scan From f6eb5b2b69330bd06cb755054b3d391678e50598 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Wed, 3 Sep 2025 21:56:03 +1000 Subject: [PATCH 29/42] fix: docker login with grype --- .github/workflows/engine.yml | 56 +++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 27 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index b1c5c4c1..76767cd7 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -83,6 +83,34 @@ jobs: VALIDATE_GITHUB_ACTIONS: false VALIDATE_PYTHON_BLACK: false VALIDATE_PYTHON_FLAKE8: false +grype-scan: + name: Grype Security Scan + runs-on: ubuntu-latest + needs: build-and-deploy + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Debug environment + run: | + echo "Image tag: ${{ needs.build-and-deploy.outputs.image_tag }}" + echo "Docker username: ${{ secrets.DOCKER_USERNAME }}" + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + + - name: Install Grype + run: | + curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin + + - name: Build and Scan Local Image + run: | + # Build image locally instead of pulling + docker build -t local-engine-scan ./engine -f ./engine/docker/engine.Dockerfile + grype local-engine-scan --fail-on high --output table build-and-deploy: name: Build and Deploy Engine @@ -107,30 +135,4 @@ jobs: echo "ENV_NAME=prod" >> $GITHUB_OUTPUT else echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT - fi - - grype-scan: - name: Grype Security Scan - runs-on: ubuntu-latest - needs: build-and-deploy - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Install Grype - run: | - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - - - name: Pull Docker image - run: | - docker pull ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} - - - name: Scan Docker image with Grype - run: | - grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} + fi \ No newline at end of file From 68bb975ccf2b5fb6806f1070d3f87ff396b8c038 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Wed, 3 Sep 2025 22:05:37 +1000 Subject: [PATCH 30/42] fixing error-1 --- .github/workflows/engine.yml | 59 +++++++++++++++++++----------------- 1 file changed, 31 insertions(+), 28 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 76767cd7..4e0e21e2 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -83,7 +83,33 @@ jobs: VALIDATE_GITHUB_ACTIONS: false VALIDATE_PYTHON_BLACK: false VALIDATE_PYTHON_FLAKE8: false -grype-scan: + + build-and-deploy: + name: Build and Deploy Engine + runs-on: ubuntu-latest + needs: [changes] + environment: ${{ github.ref_name == 'main' && 'prod' || github.ref_name }} + permissions: + contents: read + id-token: write + outputs: + image_tag: ${{ steps.set-env.outputs.ENV_NAME }} + steps: + - name: Checkout source code + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Set environment name + id: set-env + run: | + if [ "${{ github.ref_name }}" == "main" ]; then + echo "ENV_NAME=prod" >> $GITHUB_OUTPUT + else + echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT + fi + + grype-scan: name: Grype Security Scan runs-on: ubuntu-latest needs: build-and-deploy @@ -106,33 +132,10 @@ grype-scan: run: | curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - - name: Build and Scan Local Image + - name: Pull Docker image run: | - # Build image locally instead of pulling - docker build -t local-engine-scan ./engine -f ./engine/docker/engine.Dockerfile - grype local-engine-scan --fail-on high --output table + docker pull ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} - build-and-deploy: - name: Build and Deploy Engine - runs-on: ubuntu-latest - needs: [changes] - environment: ${{ github.ref_name == 'main' && 'prod' || github.ref_name }} - permissions: - contents: read - id-token: write - outputs: - image_tag: ${{ steps.set-env.outputs.ENV_NAME }} - steps: - - name: Checkout source code - uses: actions/checkout@v4 - with: - ref: ${{ github.ref }} - - - name: Set environment name - id: set-env + - name: Scan Docker image with Grype run: | - if [ "${{ github.ref_name }}" == "main" ]; then - echo "ENV_NAME=prod" >> $GITHUB_OUTPUT - else - echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT - fi \ No newline at end of file + grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} From 1095cbbe2313a593bf43c2c818a1c24e297e17c5 Mon Sep 17 00:00:00 2001 From: 223159756 <139199818+223159756@users.noreply.github.com> Date: Thu, 4 Sep 2025 15:27:04 +1000 Subject: [PATCH 31/42] testing post-merge function --- engine/engine/.trigger | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/engine/engine/.trigger b/engine/engine/.trigger index 6183eec9..a52674c4 100644 --- a/engine/engine/.trigger +++ b/engine/engine/.trigger @@ -1 +1 @@ -abcdaas +abcdaass From 01a72e9650f3bcf89e56df544f0f736f01c3c5e1 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Mon, 8 Sep 2025 12:39:08 +1000 Subject: [PATCH 32/42] fixing docker error --- .github/workflows/engine.yml | 51 +++++++++--------------------------- 1 file changed, 12 insertions(+), 39 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 4e0e21e2..8632694d 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -84,58 +84,31 @@ jobs: VALIDATE_PYTHON_BLACK: false VALIDATE_PYTHON_FLAKE8: false - build-and-deploy: - name: Build and Deploy Engine + build-and-scan: + name: Build and Scan Engine runs-on: ubuntu-latest needs: [changes] - environment: ${{ github.ref_name == 'main' && 'prod' || github.ref_name }} - permissions: - contents: read - id-token: write - outputs: - image_tag: ${{ steps.set-env.outputs.ENV_NAME }} steps: - name: Checkout source code uses: actions/checkout@v4 with: ref: ${{ github.ref }} - - name: Set environment name - id: set-env - run: | - if [ "${{ github.ref_name }}" == "main" ]; then - echo "ENV_NAME=prod" >> $GITHUB_OUTPUT - else - echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT - fi + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 - grype-scan: - name: Grype Security Scan - runs-on: ubuntu-latest - needs: build-and-deploy - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Debug environment - run: | - echo "Image tag: ${{ needs.build-and-deploy.outputs.image_tag }}" - echo "Docker username: ${{ secrets.DOCKER_USERNAME }}" - - - name: Login to Docker Hub - uses: docker/login-action@v3 + - name: Build Docker image (local only) + uses: docker/build-push-action@v4 with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} + context: ./engine + tags: localbuild/engine:${{ github.ref_name }} + push: false + load: true - name: Install Grype run: | curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin - - name: Pull Docker image - run: | - docker pull ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} - - - name: Scan Docker image with Grype + - name: Scan image with Grype run: | - grype ${{ secrets.DOCKER_USERNAME }}/engine:${{ needs.build-and-deploy.outputs.image_tag }} + grype localbuild/engine:${{ github.ref_name }} From 0662d02923029461629c46e840ec504ee22cec11 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Mon, 8 Sep 2025 13:02:27 +1000 Subject: [PATCH 33/42] fixing grype error --- .github/workflows/engine.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 8632694d..d0c66a55 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -101,6 +101,7 @@ jobs: uses: docker/build-push-action@v4 with: context: ./engine + file: ./engine/docker/engine.Dockerfile tags: localbuild/engine:${{ github.ref_name }} push: false load: true From 081bb32f502fc014e6189fb0267b92c16d4a40a1 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Mon, 8 Sep 2025 13:05:03 +1000 Subject: [PATCH 34/42] fixing grype error-2 --- .github/workflows/engine.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index d0c66a55..15ccf4af 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -84,7 +84,7 @@ jobs: VALIDATE_PYTHON_BLACK: false VALIDATE_PYTHON_FLAKE8: false - build-and-scan: + build-and-scan: name: Build and Scan Engine runs-on: ubuntu-latest needs: [changes] @@ -101,15 +101,13 @@ jobs: uses: docker/build-push-action@v4 with: context: ./engine - file: ./engine/docker/engine.Dockerfile + file: ./engine/docker/engine.Dockerfile tags: localbuild/engine:${{ github.ref_name }} push: false load: true - - name: Install Grype - run: | - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin + - name: Scan image with Anchore/Grype + uses: anchore/scan-action@v6 + with: + image: localbuild/engine:${{ github.ref_name }} - - name: Scan image with Grype - run: | - grype localbuild/engine:${{ github.ref_name }} From a3baf5cc8b295c8fc611c8655814826f4e07d064 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Mon, 8 Sep 2025 13:06:49 +1000 Subject: [PATCH 35/42] fixing grype error-3 --- .github/workflows/engine.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 15ccf4af..82bc4905 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -84,7 +84,7 @@ jobs: VALIDATE_PYTHON_BLACK: false VALIDATE_PYTHON_FLAKE8: false - build-and-scan: + build-and-scan: # šŸ‘ˆ this must be indented under "jobs" name: Build and Scan Engine runs-on: ubuntu-latest needs: [changes] @@ -110,4 +110,3 @@ jobs: uses: anchore/scan-action@v6 with: image: localbuild/engine:${{ github.ref_name }} - From 73f45453854f9d87690c248d10a2802fc8161c22 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Mon, 8 Sep 2025 13:12:20 +1000 Subject: [PATCH 36/42] fixing grype path --- engine/docker/engine.Dockerfile | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/engine/docker/engine.Dockerfile b/engine/docker/engine.Dockerfile index bd312b23..730189ae 100644 --- a/engine/docker/engine.Dockerfile +++ b/engine/docker/engine.Dockerfile @@ -1,9 +1,7 @@ -FROM python:3.11-slim - WORKDIR /app -COPY engine/engine/ ./engine/ -COPY engine/rules/ ./rules/ -COPY engine/test-configs/ ./test-configs/ +COPY engine/ ./engine/ +COPY rules/ ./rules/ +COPY test-configs/ ./test-configs/ CMD ["python", "engine/main.py"] From 8ac94774841f550a3d66f5e5872dbf9c0b0a29e9 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Mon, 8 Sep 2025 13:14:34 +1000 Subject: [PATCH 37/42] fixing grype path-1 --- engine/docker/engine.Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/engine/docker/engine.Dockerfile b/engine/docker/engine.Dockerfile index 730189ae..0e1d55ac 100644 --- a/engine/docker/engine.Dockerfile +++ b/engine/docker/engine.Dockerfile @@ -1,3 +1,4 @@ +FROM python:3.11-slim WORKDIR /app COPY engine/ ./engine/ From 95507ca647fa18dd4a8c9336522f443c6620d3fc Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Mon, 8 Sep 2025 13:32:41 +1000 Subject: [PATCH 38/42] fixing build fail error --- .github/workflows/engine.yml | 48 +++++++++++++++++++----------------- 1 file changed, 25 insertions(+), 23 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 82bc4905..b5f9e25f 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -84,29 +84,31 @@ jobs: VALIDATE_PYTHON_BLACK: false VALIDATE_PYTHON_FLAKE8: false - build-and-scan: # šŸ‘ˆ this must be indented under "jobs" - name: Build and Scan Engine - runs-on: ubuntu-latest - needs: [changes] - steps: - - name: Checkout source code - uses: actions/checkout@v4 - with: - ref: ${{ github.ref }} + build-and-scan: + name: Build and Scan Engine + runs-on: ubuntu-latest + needs: [changes] + steps: + - name: Checkout source code + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 - - name: Build Docker image (local only) - uses: docker/build-push-action@v4 - with: - context: ./engine - file: ./engine/docker/engine.Dockerfile - tags: localbuild/engine:${{ github.ref_name }} - push: false - load: true + - name: Build Docker image (local only) + uses: docker/build-push-action@v4 + with: + context: ./engine + file: ./engine/docker/engine.Dockerfile + tags: localbuild/engine:${{ github.ref_name }} + push: false + load: true + + - name: Scan image with Anchore/Grype + uses: anchore/scan-action@v6 + with: + image: localbuild/engine:${{ github.ref_name }} + fail-build: false - - name: Scan image with Anchore/Grype - uses: anchore/scan-action@v6 - with: - image: localbuild/engine:${{ github.ref_name }} From 763b135dbca84dc066f06c598e3e97739f280dbd Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Mon, 8 Sep 2025 13:34:09 +1000 Subject: [PATCH 39/42] fixing build fail error-1 --- .github/workflows/engine.yml | 58 ++++++++++++++++-------------------- 1 file changed, 25 insertions(+), 33 deletions(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index b5f9e25f..8f3a3a13 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -31,7 +31,7 @@ jobs: name: Security Analysis on (${{ matrix.language }}) needs: changes if: github.event_name != 'push' || needs.changes.outputs.engine == 'true' - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + runs-on: ubuntu-latest permissions: security-events: write packages: read @@ -49,13 +49,6 @@ jobs: uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - - - if: matrix.build-mode == 'manual' - shell: bash - run: | - echo 'Manual build mode not configured' - exit 1 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 @@ -84,31 +77,30 @@ jobs: VALIDATE_PYTHON_BLACK: false VALIDATE_PYTHON_FLAKE8: false - build-and-scan: - name: Build and Scan Engine - runs-on: ubuntu-latest - needs: [changes] - steps: - - name: Checkout source code - uses: actions/checkout@v4 - with: - ref: ${{ github.ref }} - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + build-and-scan: + name: Build and Scan Engine + runs-on: ubuntu-latest + needs: [changes] + steps: + - name: Checkout source code + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} - - name: Build Docker image (local only) - uses: docker/build-push-action@v4 - with: - context: ./engine - file: ./engine/docker/engine.Dockerfile - tags: localbuild/engine:${{ github.ref_name }} - push: false - load: true + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 - - name: Scan image with Anchore/Grype - uses: anchore/scan-action@v6 - with: - image: localbuild/engine:${{ github.ref_name }} - fail-build: false + - name: Build Docker image (local only) + uses: docker/build-push-action@v4 + with: + context: ./engine + file: ./engine/docker/engine.Dockerfile + tags: localbuild/engine:${{ github.ref_name }} + push: false + load: true + - name: Scan image with Anchore/Grype + uses: anchore/scan-action@v6 + with: + image: localbuild/engine:${{ github.ref_name }} + fail-build: false From dc8cc120338d54f359a16f1bd692bebcdacaa90c Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Wed, 10 Sep 2025 17:31:54 +1000 Subject: [PATCH 40/42] tetsing-1 --- engine/docker/engine.Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/engine/docker/engine.Dockerfile b/engine/docker/engine.Dockerfile index 0e1d55ac..56e08bda 100644 --- a/engine/docker/engine.Dockerfile +++ b/engine/docker/engine.Dockerfile @@ -1,4 +1,5 @@ FROM python:3.11-slim + WORKDIR /app COPY engine/ ./engine/ From 1efcf451448a2923bb987d0e260bcedce43faee8 Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Wed, 10 Sep 2025 17:51:11 +1000 Subject: [PATCH 41/42] saving grype report --- .github/workflows/engine.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index 8f3a3a13..c440b695 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -104,3 +104,12 @@ jobs: with: image: localbuild/engine:${{ github.ref_name }} fail-build: false + output-format: json + output-file: grype-report.json + + - name: Upload vulnerability report + uses: actions/upload-artifact@v3 + with: + name: grype-report + path: grype-report.json + From adfa26c7bcb816b37696762e482346b0bc51a9db Mon Sep 17 00:00:00 2001 From: Purvasha Padhy Date: Wed, 10 Sep 2025 17:53:51 +1000 Subject: [PATCH 42/42] saving grype report --- .github/workflows/engine.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml index c440b695..9a8a9326 100644 --- a/.github/workflows/engine.yml +++ b/.github/workflows/engine.yml @@ -108,7 +108,7 @@ jobs: output-file: grype-report.json - name: Upload vulnerability report - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: grype-report path: grype-report.json