diff --git a/.github/actions/get-changelog/action.yml b/.github/actions/get-changelog/action.yml
index 79df66443b..f0ce5d6977 100644
--- a/.github/actions/get-changelog/action.yml
+++ b/.github/actions/get-changelog/action.yml
@@ -4,5 +4,5 @@ outputs: changelog: description: 'The current changelog' runs: - using: 'node16' + using: 'node24' main: 'index.js'
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index 11c102e3cd..a73d2dd907 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -77,8 +77,9 @@ runs: if: ${{ inputs.skip-install == 'false' }} env: NODE_AUTH_TOKEN: ${{ inputs.registry-token }} + INPUTS_PNPM_INSTALL_ARGS: ${{ inputs.pnpm-install-args }} shell: bash - run: pnpm install --ignore-scripts ${{ inputs.pnpm-install-args }} + run: pnpm install --ignore-scripts ${INPUTS_PNPM_INSTALL_ARGS} - name: Run lifecycle scripts if: ${{ inputs.skip-install == 'false' && inputs.skip-build == 'false' }} shell: bash
diff --git a/.github/workflows/api-docs.yml b/.github/workflows/api-docs.yml
index d52b214506..c7f6e0b9c8 100644
--- a/.github/workflows/api-docs.yml
+++ b/.github/workflows/api-docs.yml
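Review bot: The new `${INPUTS_PNPM_INSTALL_ARGS}` expansion in the `run:` line is left unquoted, presumably so that several flags carried in `inputs.pnpm-install-args` still word-split, but that also keeps glob expansion and is exactly what shellcheck reports as SC2086, so the next hardening pass is likely to quote it and silently collapse the flags into one argument. State the intent next to it, e.g. a YAML comment above the step's `run:` line: `# intentionally unquoted: the input may carry several pnpm flags`. Moving the expression into `env:` is the right fix for the template-injection finding, since the input can no longer alter the shell syntax, only the arguments pnpm receives. The step's `name:` line is above the hunk.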
@@ -42,20 +42,21 @@ jobs: GIT_USER: cloud-sdk-js BOT_EMAIL: ${{ vars.SAP_CLOUD_SDK_BOT_EMAIL }} BOT_NAME: ${{ vars.SAP_CLOUD_SDK_BOT_NAME }} + FULL_VERSION: ${{ inputs.version }} run: | gh auth setup-git git config user.email "$BOT_EMAIL" git config user.name "$BOT_NAME" # Extract major version from input (e.g., v4.5.0 -> v4) - FULL_VERSION="${{ inputs.version }}" - MAJOR_VERSION=$(echo $FULL_VERSION | sed 's/\(v[0-9]*\).*/\1/') + # shellcheck disable=SC2001 + MAJOR_VERSION=$(echo "$FULL_VERSION" | sed 's/\(v[0-9]*\).*/\1/') cd .. git clone --depth 1 https://github.com/SAP/cloud-sdk.git # Copy generated docs to versioned folder - rsync -avz --delete cloud-sdk-js/knowledge-base/api-reference/ cloud-sdk/static/api/${MAJOR_VERSION}/ + rsync -avz --delete cloud-sdk-js/knowledge-base/api-reference/ "cloud-sdk/static/api/${MAJOR_VERSION}/" cd cloud-sdk git add -A
diff --git a/.github/workflows/auto-dependabot-fix.yml b/.github/workflows/auto-dependabot-fix.yml
index 6e04705e9d..59496a6913 100644
--- a/.github/workflows/auto-dependabot-fix.yml
+++ b/.github/workflows/auto-dependabot-fix.yml
@@ -5,7 +5,7 @@ on: jobs: building: - if: github.actor == 'dependabot[bot]' && !github.event.pull_request.head.repo.fork + if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name runs-on: ubuntu-latest steps: - id: app-token
@@ -27,7 +27,7 @@ jobs: BOT_EMAIL: ${{ vars.SAP_CLOUD_SDK_BOT_EMAIL }} BOT_NAME: ${{ vars.SAP_CLOUD_SDK_BOT_NAME }} run: | - diff=`git diff` + diff=$(git diff) if [ ! -z "$diff" ]; then git config --global user.email "$BOT_EMAIL" git config --global user.name "$BOT_NAME"
diff --git a/.github/workflows/auto-lint.yml b/.github/workflows/auto-lint.yml
index b761078d5b..aba9203e69 100644
--- a/.github/workflows/auto-lint.yml
+++ b/.github/workflows/auto-lint.yml
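Review bot: `MAJOR_VERSION` still inherits the whole of `inputs.version` whenever the `sed` pattern does not match: `s/\(v[0-9]*\).*/\1/` needs a leading `v`, so an input like `4.5.0`, or any other string, passes through unchanged and becomes the `rsync --delete` destination `"cloud-sdk/static/api/${MAJOR_VERSION}/"`. The added quoting stops word-splitting but not path components such as `/` or `..` in that destination, and a non-matching value would also sync into (and prune) the wrong docs folder. Fail instead of guessing, and extract only the `v<digits>` prefix the comment promises: `[[ "$FULL_VERSION" =~ ^(v[0-9]+) ]] || { echo "unexpected version: $FULL_VERSION" >&2; exit 1; }` followed by `MAJOR_VERSION="${BASH_REMATCH[1]}"`, which also makes the `# shellcheck disable=SC2001` line unnecessary. The enclosing step starts above the hunk, so whether `inputs.version` is a free-form `workflow_dispatch` input or already constrained is not visible here.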
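Review bot: The rewritten `if:` on the `building` job is the only visible control that keeps this job, which later commits with a write token, away from untrusted heads, so it deserves a comment saying so: `# Only dependabot-authored PRs from branches of this repo (no forks): later steps push with a write token.` above the `if:`. Keying on `github.event.pull_request.user.login` (the PR author) rather than `github.actor` (whoever triggered the run), and comparing `github.repository` with `head.repo.full_name`, is stronger than the previous `!...fork` test. The `on:` block is above the hunk, and the new `.github/zizmor.yml` in this same change ignores `dangerous-triggers` for this file, which suggests a privileged trigger; if so, this predicate should be kept identical wherever the same decision is made (build.yml's `dependabot` job already matches it, auto-lint.yml still uses `github.actor`).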
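Review bot: `if [ ! -z "$diff" ]; then`, the line right after the new `diff=$(git diff)`, is the double-negative form shellcheck flags as SC2236; `if [ -n "$diff" ]; then` says the same thing directly, and if `$diff` is not used further down the script, `if ! git diff --quiet; then` avoids holding the whole diff in a variable at all. The same pattern is in the auto-lint.yml hunk at `@@ -29,7 +29,7 @@`. Both `run:` blocks continue past their hunks.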
@@ -5,7 +5,7 @@ on: jobs: linting: - if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork + if: github.actor != 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name runs-on: ubuntu-latest steps: - id: app-token
@@ -29,7 +29,7 @@ jobs: BOT_EMAIL: ${{ vars.SAP_CLOUD_SDK_BOT_EMAIL }} BOT_NAME: ${{ vars.SAP_CLOUD_SDK_BOT_NAME }} run: | - diff=`git diff` + diff=$(git diff) if [ ! -z "$diff" ]; then git config --global user.email "$BOT_EMAIL" git config --global user.name "$BOT_NAME"
diff --git a/.github/workflows/blackduck.yml b/.github/workflows/blackduck.yml
index c57ceb11e5..60a62eff21 100644
--- a/.github/workflows/blackduck.yml
+++ b/.github/workflows/blackduck.yml
@@ -14,7 +14,7 @@ jobs: with: registry-token: ${{ secrets.NPM_TOKEN_ARTIFACTORY }} - run: sudo apt-get install jq - - run: echo "project_version=$(cat package.json | jq '.version' | tr -d '"')" >> $GITHUB_ENV + - run: echo "project_version=$(cat package.json | jq '.version' | tr -d '"')" >> "$GITHUB_ENV" - name: Blackduck Scan env: PIPER_token: ${{ secrets.BLACKDUCK_TOKEN }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5a6608608d..066ab6e343 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -107,7 +107,7 @@ jobs: dependabot: runs-on: ubuntu-latest - if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request' }} + if: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name }} needs: [tests, checks, e2e-tests] permissions: pull-requests: write
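Review bot: The `linting` job's new `if:` still keys on `github.actor`, while auto-dependabot-fix.yml's `building` job and build.yml's `dependabot` job in this same change moved to `github.event.pull_request.user.login`, so the two predicates are no longer complements of each other. When a maintainer pushes to or rebases a dependabot-authored branch, `github.actor` can be the maintainer (so auto-lint runs) while `pull_request.user.login` is still `dependabot[bot]` (so auto-dependabot-fix runs as well), and both may try to commit fixes to the same branch. Use `if: github.event.pull_request.user.login != 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name` so that exactly one of the two workflows handles a given PR. The `on:` block is above the hunk.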
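Review bot: In the blackduck.yml hunk, `$(cat package.json | jq '.version' | tr -d '"')` on the new line pipes through `cat` and then strips quotes that jq can omit itself; `- run: echo "project_version=$(jq -r '.version' package.json)" >> "$GITHUB_ENV"` produces the same value with one process and no quote stripping, since `-r` prints the raw string. Quoting `"$GITHUB_ENV"` is the substantive part of this change; the rest is style.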
@@ -148,15 +148,15 @@ jobs: run: | lastCommitDate=$(git --no-pager log -n 1 "$REF_NAME" --pretty=format:"%at") curDate=$(date +%s) - dateDiff=$(expr $curDate - $lastCommitDate) - echo $lastCommitDate, $curDate, $dateDiff + dateDiff=$(( curDate - lastCommitDate )) + echo "$lastCommitDate, $curDate, $dateDiff" if [[ $dateDiff -gt 86400 ]] then echo "No new commit found on $REF within the last 24 hrs." - echo "skip-release=true" >> $GITHUB_OUTPUT + echo "skip-release=true" >> "$GITHUB_OUTPUT" else - echo "skip-release=false" >> $GITHUB_OUTPUT + echo "skip-release=false" >> "$GITHUB_OUTPUT" fi canary-release:
@@ -177,10 +177,10 @@ jobs: package-manager-cache: false - name: Canary Release run: | - date=`date +%Y%m%d%H%M%S` + date=$(date +%Y%m%d%H%M%S) rm -f .changeset/*.md cp canary-release-changeset.md .changeset - pnpm changeset pre enter ${date} + pnpm changeset pre enter "${date}" pnpm changeset version pnpm changeset pre exit pnpm changeset publish --tag canary
@@ -201,8 +201,8 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} CHANGELOG: ${{ steps.get-changelog.outputs.changelog }} run: | - gh release create "${{ github.ref_name }}" \ - --title "${{ github.ref_name }}" \ + gh release create "${GITHUB_REF_NAME}" \ + --title "${GITHUB_REF_NAME}" \ --verify-tag \ --notes "$CHANGELOG" \ --draft
diff --git a/.github/workflows/check-pr.yml b/.github/workflows/check-pr.yml
index c205519cac..0d20b7d889 100644
--- a/.github/workflows/check-pr.yml
+++ b/.github/workflows/check-pr.yml
@@ -12,6 +12,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - name: Collect changed files id: changed-files uses: step-security/changed-files@2e07db73e5ccdb319b9a6c7766bd46d39d304bad # v47.0.5
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 3658912199..443a8dff2f 100644
--- a/.github/workflows/codeql-analysis.yml
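Review bot: In the build.yml hunk at `@@ -148`, the message `echo "No new commit found on $REF within the last 24 hrs."` interpolates `$REF`, while the commit lookup a few lines above reads `"$REF_NAME"`; if the step's `env:` (above the hunk) defines only `REF_NAME`, the log line prints an empty name, so it should probably read `echo "No new commit found on $REF_NAME within the last 24 hrs."`. Note also that `$(( curDate - lastCommitDate ))` treats an empty `lastCommitDate` as 0 where `expr` used to error out, so should `git log` ever succeed without printing a timestamp the step would now silently emit `skip-release=true`; a guard such as `[[ "$lastCommitDate" =~ ^[0-9]+$ ]] || { echo "could not determine last commit date for $REF_NAME" >&2; exit 1; }` after the assignment keeps the fail-loud behaviour. The `run:` block starts above the hunk.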
+++ b/.github/workflows/codeql-analysis.yml
@@ -35,6 +35,7 @@ jobs: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. fetch-depth: 2 + persist-credentials: false # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL
diff --git a/.github/workflows/fosstars-report.yml b/.github/workflows/fosstars-report.yml
index 0c7e6eaf8f..7f04422173 100644
--- a/.github/workflows/fosstars-report.yml
+++ b/.github/workflows/fosstars-report.yml
@@ -12,6 +12,8 @@ jobs: contents: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false - uses: SAP/fosstars-rating-core-action@daf10c3920b53405f6013ee987e7015525fdec30 # v1.14.0 with: report-branch: fosstars-report
diff --git a/.github/workflows/gha-security-scan.yaml b/.github/workflows/gha-security-scan.yaml
new file mode 100644
index 0000000000..91aa664d59
--- /dev/null
+++ b/.github/workflows/gha-security-scan.yaml
@@ -0,0 +1,26 @@ +name: GitHub Actions Security Analysis with zizmor 🌈 + +on: + push: + branches: ['main'] + pull_request: + branches: ['**'] + +permissions: {} + +jobs: + zizmor: + name: Run zizmor 🌈 + runs-on: ubuntu-latest + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + contents: read # Only needed for private repos. Needed to clone the repo. + actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info. + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
diff --git a/.github/workflows/memory-tests.yml b/.github/workflows/memory-tests.yml
index 81e830e7cf..deb3897e7b 100644
--- a/.github/workflows/memory-tests.yml
+++ b/.github/workflows/memory-tests.yml
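Review bot: In the fosstars-report.yml hunk, `persist-credentials: false` may break the publish step that follows: the job keeps `contents: write` and the fosstars action is given `report-branch: fosstars-report`, which suggests it commits to a branch of this repository using whatever credentials the checkout used to leave in `.git/config`. Before merging, confirm that `SAP/fosstars-rating-core-action` authenticates through its own token input rather than the persisted one; if it does, say so on the new line so the next reader does not repeat the check, e.g. `persist-credentials: false # the fosstars action pushes with its own token`. The action's `with:` block continues below the hunk, so a token input may already be set there.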
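Review bot: In the new gha-security-scan.yaml, `pull_request: branches: ['**']` also fires for PRs opened from forks, where the `GITHUB_TOKEN` is read-only regardless of the `security-events: write` grant, so the SARIF upload this job is configured for will likely fail on those runs; either limit the job with `if: github.event_name != 'pull_request' || github.repository == github.event.pull_request.head.repo.full_name` or run the action in a mode that does not upload for fork PRs. The comments `Only needed for private repos` on `contents: read` and `actions: read` read as if the grants could be dropped; if this repository is public, either remove the grants or reword the comments to say why they are kept. The file is new, so nothing is cut off by the hunk.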
@@ -31,7 +31,7 @@ jobs: - working-directory: test-packages/memory-tests/sdk-canary/ run: node --inspect test-script.js && cat result.txt - name: compare v2 and canary - run: pnpm exec ts-node scripts/compare-memory-usage.ts $(cat ./test-packages/memory-tests/sdk-v2/result.txt) $(cat ./test-packages/memory-tests/sdk-canary/result.txt) + run: pnpm exec ts-node scripts/compare-memory-usage.ts "$(cat ./test-packages/memory-tests/sdk-v2/result.txt)" "$(cat ./test-packages/memory-tests/sdk-canary/result.txt)" - name: Slack Notify if: failure() || cancelled() env:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 379de4f086..a21f2e429e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -39,6 +39,7 @@ jobs: token: ${{ steps.app-token.outputs.token }} fetch-depth: 0 # otherwise, there would be errors pushing refs to the destination repository. path: ./cloud-sdk + persist-credentials: true - name: Update release notes run: | npx ts-node -e "import { addCurrentChangelog } from './scripts/add-changelog'; addCurrentChangelog()"
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 0000000000..569fe05830
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,21 @@ +rules: + # already following SAP policies + dependabot-cooldown: + disable: true + # requires more effort to fix + secrets-inherit: + ignore: + - bump.yml + - release-entry.yml + # requires more effort to fix + excessive-permissions: + disable: true + dangerous-triggers: + ignore: + - auto-dependabot-fix.yml + # allow unpinned references to own repositories + unpinned-uses: + config: + policies: + 'sap/ai-sdk-js/*': any + 'sap/cloud-sdk-js/*': any
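Review bot: In the release.yml hunk, `persist-credentials: true` deliberately keeps the app token from `steps.app-token.outputs.token` in the `./cloud-sdk` clone's `.git/config` so later steps can push (the `fetch-depth: 0` comment already refers to pushing), which is the opposite of every other checkout in this change and worth stating on the line itself: `persist-credentials: true # later steps push to this clone with the app token`. Because the token now lives on disk under `./cloud-sdk`, make sure no later step uploads that path as an artifact or caches it, and that the token is short-lived and scoped to this job; the `app-token` step is above the hunk, so that cannot be checked here.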
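Review bot: In the new `.github/zizmor.yml`, `excessive-permissions: disable: true` switches the rule off for every workflow, including ones added later, while the comment `requires more effort to fix` only justifies sparing the current offenders; the `secrets-inherit` entry right above shows the per-file form, so prefer `excessive-permissions: ignore:` with one `- <WORKFLOW-FILE>.yml` entry per workflow that currently trips it (names to be taken from a zizmor run) so new workflows keep getting flagged. The `unpinned-uses` policy accepts floating refs to `sap/ai-sdk-js/*` and `sap/cloud-sdk-js/*`; that is a trust decision in which a moved tag in either repository changes what runs here, and `sap/ai-sdk-js` is a different repository from this one, so the comment `allow unpinned references to own repositories` should say that both are SAP-maintained and why they are trusted. The `dangerous-triggers` ignore for `auto-dependabot-fix.yml` is only sound while that workflow's `if:` guard stays in place; a comment pointing at that guard would make the dependency visible to whoever edits either file next.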