Merge branch 'master' into sean-r-williams/1643_nuget-v2-query-builder

PowerShell · May 9, 2024 · ee3162d · ee3162d
2 parents 6177669 + bab8095
commit ee3162d
Show file tree

Hide file tree

Showing 10 changed files with 136 additions and 23 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -14,3 +14,18 @@ updates:
     directory: "test/perf/benchmarks" # Location of package manifests
     schedule:
       interval: "daily"
+
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /
+    schedule:
+      interval: daily
+
+  - package-ecosystem: nuget
+    directory: /test/perf/benchmarks
+    schedule:
+      interval: daily
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -36,11 +36,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
       with:
         languages: ${{ matrix.language }}
     # ℹ️ Command-line programs to run using the OS shell.
@@ -55,6 +55,6 @@ jobs:
       name: Build
       
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@d39d31e687223d841ef683f52467bd88e9b21c14 # v3.25.3
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,22 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Checkout Repository'
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -0,0 +1,71 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches: ["master"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      contents: read
+      actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecards on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@ceaec5c11a131e0d282ff3b6f095917d234caace # v2.25.3
+        with:
+          sarif_file: results.sarif
diff --git a/nuget.config b/nuget.config
@@ -2,7 +2,7 @@
 <configuration>
   <packageSources>
     <clear />
-    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
+    <add key="PowerShellCore_PublicPackages" value="https://pkgs.dev.azure.com/powershell/PowerShell/_packaging/powershell/nuget/v3/index.json" />
   </packageSources>
   <disabledPackageSources>
     <clear />

diff --git a/src/code/ContainerRegistryServerAPICalls.cs b/src/code/ContainerRegistryServerAPICalls.cs
@@ -20,7 +20,6 @@
 using System.Text;
 using System.Security.Cryptography;
 using System.Text.Json;
-using System.Runtime.InteropServices.WindowsRuntime;
 
 namespace Microsoft.PowerShell.PSResourceGet
 {
@@ -48,8 +47,6 @@ internal class ContainerRegistryServerAPICalls : ServerApiCall
         const string containerRegistryStartUploadTemplate = "https://{0}/v2/{1}/blobs/uploads/"; // 0 - registry, 1 - packagename
         const string containerRegistryEndUploadTemplate = "https://{0}{1}&digest=sha256:{2}"; // 0 - registry, 1 - location, 2 - digest
 
-        private static readonly HttpClient s_client = new HttpClient();
-
         #endregion
 
         #region Constructor
@@ -65,6 +62,7 @@ public ContainerRegistryServerAPICalls(PSRepositoryInfo repository, PSCmdlet cmd
             };
 
             _sessionClient = new HttpClient(handler);
+            _sessionClient.Timeout = TimeSpan.FromMinutes(10);
             _sessionClient.DefaultRequestHeaders.TryAddWithoutValidation("User-Agent", userAgentString);
         }
 
@@ -444,7 +442,7 @@ internal bool IsContainerRegistryUnauthenticated(string containerRegistyUrl, out
             HttpResponseMessage response;
             try
             {
-                response = s_client.SendAsync(new HttpRequestMessage(HttpMethod.Head, endpoint)).Result;
+                response = _sessionClient.SendAsync(new HttpRequestMessage(HttpMethod.Head, endpoint)).Result;
             }
             catch (Exception e)
             {
@@ -965,7 +963,7 @@ internal JObject GetHttpResponseJObjectUsingContentHeaders(string url, HttpMetho
         /// <summary>
         /// Get response headers.
         /// </summary>
-        internal static async Task<HttpResponseHeaders> GetHttpResponseHeader(string url, HttpMethod method, Collection<KeyValuePair<string, string>> defaultHeaders)
+        internal async Task<HttpResponseHeaders> GetHttpResponseHeader(string url, HttpMethod method, Collection<KeyValuePair<string, string>> defaultHeaders)
         {
             try
             {
@@ -982,24 +980,24 @@ internal static async Task<HttpResponseHeaders> GetHttpResponseHeader(string url
         /// <summary>
         /// Set default headers for HttpClient.
         /// </summary>
-        private static void SetDefaultHeaders(Collection<KeyValuePair<string, string>> defaultHeaders)
+        private void SetDefaultHeaders(Collection<KeyValuePair<string, string>> defaultHeaders)
         {
-            s_client.DefaultRequestHeaders.Clear();
+            _sessionClient.DefaultRequestHeaders.Clear();
             if (defaultHeaders != null)
             {
                 foreach (var header in defaultHeaders)
                 {
                     if (string.Equals(header.Key, "Authorization", StringComparison.OrdinalIgnoreCase))
                     {
-                        s_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", header.Value);
+                        _sessionClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", header.Value);
                     }
                     else if (string.Equals(header.Key, "Accept", StringComparison.OrdinalIgnoreCase))
                     {
-                        s_client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue(header.Value));
+                        _sessionClient.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue(header.Value));
                     }
                     else
                     {
-                        s_client.DefaultRequestHeaders.Add(header.Key, header.Value);
+                        _sessionClient.DefaultRequestHeaders.Add(header.Key, header.Value);
                     }
                 }
             }
@@ -1008,11 +1006,11 @@ private static void SetDefaultHeaders(Collection<KeyValuePair<string, string>> d
         /// <summary>
         /// Sends request for content.
         /// </summary>
-        private static async Task<HttpContent> SendContentRequestAsync(HttpRequestMessage message)
+        private async Task<HttpContent> SendContentRequestAsync(HttpRequestMessage message)
         {
             try
             {
-                HttpResponseMessage response = await s_client.SendAsync(message);
+                HttpResponseMessage response = await _sessionClient.SendAsync(message);
                 response.EnsureSuccessStatusCode();
                 return response.Content;
             }
@@ -1025,12 +1023,12 @@ private static async Task<HttpContent> SendContentRequestAsync(HttpRequestMessag
         /// <summary>
         /// Sends HTTP request.
         /// </summary>
-        private static async Task<JObject> SendRequestAsync(HttpRequestMessage message)
+        private async Task<JObject> SendRequestAsync(HttpRequestMessage message)
         {
             HttpResponseMessage response;
             try
             {
-                response = await s_client.SendAsync(message);
+                response = await _sessionClient.SendAsync(message);
             }
             catch (Exception e)
             {
@@ -1058,11 +1056,11 @@ private static async Task<JObject> SendRequestAsync(HttpRequestMessage message)
         /// <summary>
         /// Send request to get response headers.
         /// </summary>
-        private static async Task<HttpResponseHeaders> SendRequestHeaderAsync(HttpRequestMessage message)
+        private async Task<HttpResponseHeaders> SendRequestHeaderAsync(HttpRequestMessage message)
         {
             try
             {
-                HttpResponseMessage response = await s_client.SendAsync(message);
+                HttpResponseMessage response = await _sessionClient.SendAsync(message);
                 response.EnsureSuccessStatusCode();
                 return response.Headers;
             }
@@ -1075,7 +1073,7 @@ private static async Task<HttpResponseHeaders> SendRequestHeaderAsync(HttpReques
         /// <summary>
         /// Sends a PUT request, used for publishing to container registry.
         /// </summary>
-        private static async Task<HttpResponseMessage> PutRequestAsync(string url, string filePath, bool isManifest, Collection<KeyValuePair<string, string>> contentHeaders)
+        private async Task<HttpResponseMessage> PutRequestAsync(string url, string filePath, bool isManifest, Collection<KeyValuePair<string, string>> contentHeaders)
         {
             try
             {
@@ -1094,7 +1092,7 @@ private static async Task<HttpResponseMessage> PutRequestAsync(string url, strin
                         httpContent.Headers.Add("Content-Type", "application/octet-stream");
                     }
 
-                    return await s_client.PutAsync(url, httpContent);
+                    return await _sessionClient.PutAsync(url, httpContent);
                 }
             }
             catch (Exception e)

diff --git a/src/code/NuGetServerAPICalls.cs b/src/code/NuGetServerAPICalls.cs
@@ -40,6 +40,7 @@ public NuGetServerAPICalls (PSRepositoryInfo repository, PSCmdlet cmdletPassedIn
             };
 
             _sessionClient = new HttpClient(handler);
+            _sessionClient.Timeout = TimeSpan.FromMinutes(10);
             _sessionClient.DefaultRequestHeaders.TryAddWithoutValidation("User-Agent", userAgentString);
         }
 

diff --git a/src/code/ServerApiCall.cs b/src/code/ServerApiCall.cs
@@ -10,6 +10,7 @@
 using System.Text;
 using System.Runtime.ExceptionServices;
 using System.Management.Automation;
+using System;
 
 namespace Microsoft.PowerShell.PSResourceGet.Cmdlets
 {
@@ -43,13 +44,14 @@ public ServerApiCall(PSRepositoryInfo repository, NetworkCredential networkCrede
 
                 _sessionClient = new HttpClient(handler);
                 _sessionClient.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", Convert.ToBase64String(byteArray));
-
             } else {
 
                 handler.Credentials = networkCredential;
 
                 _sessionClient = new HttpClient(handler);
             };
+            _sessionClient.Timeout = TimeSpan.FromMinutes(10);
+
         }
 
         #endregion

diff --git a/src/code/V2ServerAPICalls.cs b/src/code/V2ServerAPICalls.cs
@@ -76,6 +76,8 @@ public V2ServerAPICalls (PSRepositoryInfo repository, PSCmdlet cmdletPassedIn, N
                 _sessionClient = new HttpClient(handler);
             };
 
+            _sessionClient = new HttpClient(handler);
+            _sessionClient.Timeout = TimeSpan.FromMinutes(10);
             _sessionClient.DefaultRequestHeaders.TryAddWithoutValidation("User-Agent", userAgentString);
             var repoURL = repository.Uri.ToString().ToLower();
             _isADORepo = repoURL.Contains("pkgs.dev.azure.com") || repoURL.Contains("pkgs.visualstudio.com");

diff --git a/src/code/V3ServerAPICalls.cs b/src/code/V3ServerAPICalls.cs
@@ -75,6 +75,8 @@ public V3ServerAPICalls(PSRepositoryInfo repository, PSCmdlet cmdletPassedIn, Ne
                 _sessionClient = new HttpClient(handler);
             };
 
+            _sessionClient = new HttpClient(handler);
+            _sessionClient.Timeout = TimeSpan.FromMinutes(10);
             _sessionClient.DefaultRequestHeaders.TryAddWithoutValidation("User-Agent", userAgentString);
 
             _isNuGetRepo = String.Equals(Repository.Uri.AbsoluteUri, nugetRepoUri, StringComparison.InvariantCultureIgnoreCase);