From f4e281c56486eed35fdfa2d61e20ba935a0c5f8d Mon Sep 17 00:00:00 2001
From: Frederic Mercier
Date: Thu, 27 Jun 2024 09:51:29 +0200
Subject: [PATCH 1/5] DBACLD-139987 - put in place markdown link check
---
.github/workflows/check-links.yml | 25 +++++++++++++++++++++++++
.md_check_config.json | 14 ++++++++++++++
2 files changed, 39 insertions(+)
create mode 100644 .github/workflows/check-links.yml
create mode 100644 .md_check_config.json
diff --git a/.github/workflows/check-links.yml b/.github/workflows/check-links.yml
new file mode 100644
index 0000000..2ea6949
--- /dev/null
+++ b/.github/workflows/check-links.yml
@@ -0,0 +1,25 @@
+name: Check Markdown links
+
+#on:
+# push:
+# branches:
+# - master
+# pull_request:
+# branches: [master]
+on: push
+jobs:
+ markdown-link-check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: technote-space/get-diff-action@v6
+ with:
+ PATTERNS: |
+ **/**.md
+
+ - uses: gaurav-nelson/github-action-markdown-link-check@v1
+ with:
+ use-quiet-mode: 'yes'
+ use-verbose-mode: 'yes'
+ config-file: '.md_check_config.json'
+
diff --git a/.md_check_config.json b/.md_check_config.json
new file mode 100644
index 0000000..9d513d9
--- /dev/null
+++ b/.md_check_config.json
@@ -0,0 +1,14 @@
+{
+ "ignorePatterns": [
+ {
+ "pattern": "^http://localhost"
+ }
+ ],
+ "replacementPatterns": [
+ {
+ "pattern": "^/LICENSE",
+ "replacement": "{{BASEURL}}/LICENSE"
+ }
+ ],
+ "timeout": "20s"
+ }
\ No newline at end of file
From c26e695c6e3c9af93d3182ac698dfea42b41a2fa Mon Sep 17 00:00:00 2001
From: Frederic Mercier
Date: Thu, 18 Jul 2024 09:13:11 +0200
Subject: [PATCH 2/5] DBACLD-142228: detect-secrets
---
.pre-commit-config.yaml | 16 ++++++++
.secrets.baseline | 85 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 101 insertions(+)
create mode 100644 .pre-commit-config.yaml
create mode 100644 .secrets.baseline
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..8785b0e
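Review bot: Both third-party actions in this workflow, `- uses: technote-space/get-diff-action@v6` and `- uses: gaurav-nelson/github-action-markdown-link-check@v1`, are referenced by mutable tags, so whoever can retag those repositories can change what runs here under the job's GITHUB_TOKEN; pin each to a full commit SHA and keep the version as a trailing comment, e.g. `uses: gaurav-nelson/github-action-markdown-link-check@<full-sha> # v1`. The job declares no `permissions:`, so it inherits the repository's default token scope although it only needs to read the checkout; add `permissions: { contents: read }` at workflow level. The output of the get-diff-action step does not appear to be consumed by the link-check step (no `check-modified-files-only` or file-list input is set), so it probably either needs wiring in or removing. The commented-out `on:` block above `on: push` reads as leftover scaffolding and could be dropped once the trigger is settled.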
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,16 @@
+repos:
+ - repo: https://github.com/ibm/detect-secrets
+ # If you desire to use a specific version of detect-secrets, you can replace with other git revisions such as branch, tag or commit sha.
+ # You are encouraged to use static refs such as tags, instead of branch name
+ #
+ # Running "pre-commit autoupdate" automatically updates rev to latest tag
+ rev: master
+ hooks:
+ - id: detect-secrets # pragma: whitelist secret
+ # Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options.
+ # You may also run `pre-commit run detect-secrets` to preview the scan result.
+ # when "--baseline" without "--use-all-plugins", pre-commit scan with just plugins in baseline file
+ # when "--baseline" with "--use-all-plugins", pre-commit scan with all available plugins
+ # add "--fail-on-unaudited" to fail pre-commit for unaudited potential secrets
+ args: [--baseline, .secrets.baseline]
+
diff --git a/.secrets.baseline b/.secrets.baseline
new file mode 100644
index 0000000..f1efd5b
--- /dev/null
+++ b/.secrets.baseline
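Review bot: `rev: master` points the detect-secrets hook at a moving branch, which the comment two lines above it explicitly advises against; every developer's pre-commit run fetches and executes whatever that branch currently holds, so an upstream compromise or force-push lands on developer machines with no review. Pin it to a release tag, or to the commit SHA that `pre-commit autoupdate` resolves, e.g. `rev: <release-tag>`, and keep the comment as the reminder to bump it deliberately. The `args` line passes only the baseline, so, per the comment directly above it, baseline entries that were never audited will still pass the hook; if that gate is wanted locally as well as in CI, extend it to `args: [--baseline, .secrets.baseline, --fail-on-unaudited]`.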
@@ -0,0 +1,85 @@ +{ + "exclude": { + "files": "^.secrets.baseline$", + "lines": null + }, + "generated_at": "2024-07-18T07:10:46Z", + "plugins_used": [ + { + "name": "AWSKeyDetector" + }, + { + "name": "ArtifactoryDetector" + }, + { + "name": "AzureStorageKeyDetector" + }, + { + "base64_limit": 4.5, + "name": "Base64HighEntropyString" + }, + { + "name": "BasicAuthDetector" + }, + { + "name": "BoxDetector" + }, + { + "name": "CloudantDetector" + }, + { + "ghe_instance": "github.ibm.com", + "name": "GheDetector" + }, + { + "name": "GitHubTokenDetector" + }, + { + "hex_limit": 3, + "name": "HexHighEntropyString" + }, + { + "name": "IbmCloudIamDetector" + }, + { + "name": "IbmCosHmacDetector" + }, + { + "name": "JwtTokenDetector" + }, + { + "keyword_exclude": null, + "name": "KeywordDetector" + }, + { + "name": "MailchimpDetector" + }, + { + "name": "NpmDetector" + }, + { + "name": "PrivateKeyDetector" + }, + { + "name": "SlackDetector" + }, + { + "name": "SoftlayerDetector" + }, + { + "name": "SquareOAuthDetector" + }, + { + "name": "StripeDetector" + }, + { + "name": "TwilioKeyDetector" + } + ], + "results": {}, + "version": "0.13.1+ibm.62.dss", + "word_list": { + "file": null, + "hash": null + } +} From 6800408b6403aaa1c5684840b633902aefd8ecc5 Mon Sep 17 00:00:00 2001 From: Frederic Mercier Date: Tue, 27 Aug 2024 16:45:35 +0200 Subject: [PATCH 3/5] add GitHub action running detect-secrets --- .github/workflows/detect-secrets.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/detect-secrets.yml diff --git a/.github/workflows/detect-secrets.yml b/.github/workflows/detect-secrets.yml new file mode 100644 index 0000000..d93a57d --- /dev/null +++ b/.github/workflows/detect-secrets.yml 
@@ -0,0 +1,25 @@
+name: detect secrets
+
+on: push
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+ # This workflow contains a single job called "detect-secrets"
+ detect-secrets:
+ runs-on: ubuntu-latest
+
+ # Steps represent a sequence of tasks that will be executed as part of the job
+ steps:
+
+ # Checks-out your repository under ${{github.workspace}}, so your job can access it
+ - uses: actions/checkout@v4
+
+ - name: scan all the files (not just the ones committed), generate a report, and check that there are no actual or potential secret
+ run: |
+ docker run --pull=always -a stdout \
+ -v ${{github.workspace}}:/code \
+ --entrypoint /bin/sh \
+ icr.io/git-defenders/detect-secrets:0.13.1.ibm.61.dss-redhat-ubi \
+ -c "detect-secrets --version;
+ detect-secrets scan --all-files --exclude-files "^.git/.*" --update .secrets.baseline;
+ detect-secrets audit --report --fail-on-unaudited --fail-on-live --fail-on-audited-real .secrets.baseline"
From 115c32dabbedcc3e37332e1a19be2e515c2fb083 Mon Sep 17 00:00:00 2001
From: Frederic Mercier
Date: Wed, 28 Aug 2024 12:02:04 +0200
Subject: [PATCH 4/5] send notification to Slack if detect-secrets failed
---
.github/workflows/detect-secrets.yml | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/.github/workflows/detect-secrets.yml b/.github/workflows/detect-secrets.yml
index d93a57d..693b321 100644
--- a/.github/workflows/detect-secrets.yml
+++ b/.github/workflows/detect-secrets.yml
@@ -23,3 +23,12 @@ jobs:
 -c "detect-secrets --version;
 detect-secrets scan --all-files --exclude-files "^.git/.*" --update .secrets.baseline;
 detect-secrets audit --report --fail-on-unaudited --fail-on-live --fail-on-audited-real .secrets.baseline"
+
+ - name: Report Status
+ if: always()
+ uses: ravsamhq/notify-slack-action@master
+ with:
+ status: ${{ job.status }}
+ notify_when: 'failure'
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
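Review bot: The inner `"^.git/.*"` on the `detect-secrets scan` line closes and reopens the outer `-c "..."` string, so that pattern reaches the runner's shell unquoted and exposed to glob expansion before the container ever sees it, and because the three commands are joined with `;` a failing `scan` does not stop the chain — only the exit status of the final `audit` decides the job. Single-quoting the script and failing fast fixes both, with the inner double quotes then kept literal: `-c 'set -e; detect-secrets --version;` … `--fail-on-audited-real .secrets.baseline'`. `docker run --pull=always` against the mutable tag `0.13.1.ibm.61.dss-redhat-ubi` means the scanner binary can change underneath the workflow; pinning the image by `@sha256:<digest>` gives a reproducible gate. `-a stdout` attaches only stdout, so the tool's stderr will be absent from the job log when it fails; drop the flag or add `-a stderr`. The baseline committed in the previous patch records `"version": "0.13.1+ibm.62.dss"` while this image is `ibm.61`, which looks like a version skew worth reconciling so the two scans agree on plugins.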
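Review bot: `uses: ravsamhq/notify-slack-action@master` pulls a third-party action from a moving branch and hands it `SLACK_WEBHOOK_URL`; anyone who gains write access to that repository can thereafter exfiltrate the webhook or post to the channel from every failed run. Pin the action to a full commit SHA, `uses: ravsamhq/notify-slack-action@<full-sha> # vX`, and treat the webhook as a bearer credential that should be rotated if the action's provenance cannot be established. The enclosing `steps:` list begins outside this hunk, so the new step's indentation has to be checked against the preceding `- name: scan all the files ...` step.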
From affe85f506d0ce290cffc7edbd650ff239dfce86 Mon Sep 17 00:00:00 2001 From: Laurent GRATEAU Date: Thu, 28 Nov 2024 14:43:42 +0100 Subject: [PATCH 5/5] Update README.md Memory no more needed --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1a8ded7..f231043 100644 --- a/README.md +++ b/README.md @@ -77,13 +77,13 @@ You must accept the license before you launch the image. The license is availabl To install the product with the sample projects, you need to specify the option -e SAMPLE=true. To be able to run simulations, you need to increase the size of the memory. Use the following docker command to run the image: ```console -docker run -e LICENSE=accept -p 9060:9060 -p 9443:9443 -m 2048M --memory-reservation 2048M -e SAMPLE=true icr.io/cpopen/odm-k8s/odm:9.0 +docker run -e LICENSE=accept -p 9060:9060 -p 9443:9443 -e SAMPLE=true icr.io/cpopen/odm-k8s/odm:9.0 ``` Some decision artifacts, like simulation definitions, version history, or snapshots, cannot be exported from the Decision Center or the Decision Server instances of the Docker image. To avoid losing this data when you delete the Docker image container, store the Decision Center and the Decision Server databases outside of the ODM for Developers Docker image container, in a local mounted host volume. To do so, run the following docker command from an empty local folder: ```console -docker run -e LICENSE=accept -m 2048M --memory-reservation 2048M -p 9060:9060 -p 9443:9443 -v $PWD:/config/dbdata/ -e SAMPLE=false icr.io/cpopen/odm-k8s/odm:9.0 +docker run -e LICENSE=accept -p 9060:9060 -p 9443:9443 -v $PWD:/config/dbdata/ -e SAMPLE=false icr.io/cpopen/odm-k8s/odm:9.0 ``` When you first run this command, it creates the .db files in your local folder. The following times, it reads and updates these files.