From 806079d20314f83869c7bdd3ffa16e28215a53a4 Mon Sep 17 00:00:00 2001 From: JoftheV <162925657+JoftheV@users.noreply.github.com> Date: Thu, 29 May 2025 06:44:35 -0500 Subject: [PATCH 1/5] Create generator-generic-ossf-slsa3-publish.yml --- .../generator-generic-ossf-slsa3-publish.yml | 66 +++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 .github/workflows/generator-generic-ossf-slsa3-publish.yml diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml new file mode 100644 index 000000000000000..35c829b139b59c6 --- /dev/null +++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml @@ -0,0 +1,66 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you generate SLSA provenance file for your project. +# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA generic generator +on: + workflow_dispatch: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + outputs: + digests: ${{ steps.hash.outputs.digests }} + + steps: + - uses: actions/checkout@v4 + + # ======================================================== + # + # Step 1: Build your artifacts. + # + # ======================================================== + - name: Build artifacts + run: | + # These are some amazing artifacts. + echo "artifact1" > artifact1 + echo "artifact2" > artifact2 + + # ======================================================== + # + # Step 2: Add a step to generate the provenance subjects + # as shown below. Update the sha256 sum arguments + # to include all binaries that you generate + # provenance for. + # + # ======================================================== + - name: Generate subject for provenance + id: hash + run: | + set -euo pipefail + + # List the artifacts the provenance will refer to. + files=$(ls artifact*) + # Generate the subjects (base64 encoded). + echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance: + needs: [build] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 + with: + base64-subjects: "${{ needs.build.outputs.digests }}" + upload-assets: true # Optional: Upload to a new release From 0a8309696fd1de72e39fc29759b14d0029bc2df4 Mon Sep 17 00:00:00 2001 From: JoftheV <162925657+JoftheV@users.noreply.github.com> Date: Thu, 29 May 2025 06:50:03 -0500 Subject: [PATCH 2/5] Create setup-nodejs.yml --- .github/workflows/setup-nodejs.yml | 43 ++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/setup-nodejs.yml diff --git a/.github/workflows/setup-nodejs.yml b/.github/workflows/setup-nodejs.yml new file mode 100644 index 000000000000000..ef58e69919a94e6 --- /dev/null +++ b/.github/workflows/setup-nodejs.yml @@ -0,0 +1,43 @@ +name: 'Setup Node.js environment' +description: 'Setup a Node.js environment by adding problem matchers and optionally downloading and adding it to the PATH.' +author: 'GitHub' +inputs: + always-auth: + description: 'Set always-auth in npmrc.' + default: 'false' + node-version: + description: 'Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0.' + node-version-file: + description: 'File containing the version Spec of the version to use. Examples: package.json, .nvmrc, .node-version, .tool-versions.' + architecture: + description: 'Target architecture for Node to use. Examples: x86, x64. Will use system architecture by default.' + check-latest: + description: 'Set this option if you want the action to check for the latest available version that satisfies the version spec.' + default: false + registry-url: + description: 'Optional registry to set up for auth. Will set the registry in a project level .npmrc and .yarnrc file, and set up auth to read in from env.NODE_AUTH_TOKEN.' + scope: + description: 'Optional scope for authenticating against scoped registries. Will fall back to the repository owner when using the GitHub Packages registry (https://npm.pkg.github.com/).' + token: + description: Used to pull node distributions from node-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting. + default: ${{ github.server_url == 'https://github.com' && github.token || '' }} + cache: + description: 'Used to specify a package manager for caching in the default directory. Supported values: npm, yarn, pnpm.' + cache-dependency-path: + description: 'Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. Supports wildcards or a list of file names for caching multiple dependencies.' + mirror: + description: 'Used to specify an alternative mirror to downlooad Node.js binaries from' + mirror-token: + description: 'The token used as Authorization header when fetching from the mirror' +# TODO: add input to control forcing to pull from cloud or dist. +# escape valve for someone having issues or needing the absolute latest which isn't cached yet +outputs: + cache-hit: + description: 'A boolean value to indicate if a cache was hit.' + node-version: + description: 'The installed node version.' +runs: + using: 'node20' + main: 'dist/setup/index.js' + post: 'dist/cache-save/index.js' + post-if: success() From 2ed2e75fe36f863a6eba061ceb722941a250c341 Mon Sep 17 00:00:00 2001 From: JoftheV <162925657+JoftheV@users.noreply.github.com> Date: Thu, 29 May 2025 06:52:47 -0500 Subject: [PATCH 3/5] Create runner --- .github/workflows/macos-latest/runner | 1 + 1 file changed, 1 insertion(+) create mode 100644 .github/workflows/macos-latest/runner diff --git a/.github/workflows/macos-latest/runner b/.github/workflows/macos-latest/runner new file mode 100644 index 000000000000000..4482cdde371ac82 --- /dev/null +++ b/.github/workflows/macos-latest/runner @@ -0,0 +1 @@ +macos-latest From ba34442a2e796a46ccc16dac0005705430f3459d Mon Sep 17 00:00:00 2001 From: JoftheV <162925657+JoftheV@users.noreply.github.com> Date: Sat, 7 Jun 2025 14:43:32 -0500 Subject: [PATCH 4/5] Create jekyll-gh-pages.yml --- .github/workflows/jekyll-gh-pages.yml | 51 +++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 .github/workflows/jekyll-gh-pages.yml diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml new file mode 100644 index 000000000000000..bc06fd1976c6bc7 --- /dev/null +++ b/.github/workflows/jekyll-gh-pages.yml @@ -0,0 +1,51 @@ +# Sample workflow for building and deploying a Jekyll site to GitHub Pages +name: Deploy Jekyll with GitHub Pages dependencies preinstalled + +on: + # Runs on pushes targeting the default branch + push: + branches: ["production"] + + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + +# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages +permissions: + contents: read + pages: write + id-token: write + +# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. +# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +concurrency: + group: "pages" + cancel-in-progress: false + +jobs: + # Build job + build: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + - name: Setup Pages + uses: actions/configure-pages@v5 + - name: Build with Jekyll + uses: actions/jekyll-build-pages@v1 + with: + source: ./ + destination: ./_site + - name: Upload artifact + uses: actions/upload-pages-artifact@v3 + + # Deployment job + deploy: + environment: + name: github-pages + url: ${{ steps.deployment.outputs.page_url }} + runs-on: ubuntu-latest + needs: build + steps: + - name: Deploy to GitHub Pages + id: deployment + uses: actions/deploy-pages@v4 From d92cbba1332b870f3ffb42522af64ae25ba4e97e Mon Sep 17 00:00:00 2001 From: JoftheV <162925657+JoftheV@users.noreply.github.com> Date: Sat, 7 Jun 2025 15:49:08 -0500 Subject: [PATCH 5/5] Update .github/workflows/setup-nodejs.yml Co-authored-by: windsurf-bot[bot] <189301087+windsurf-bot[bot]@users.noreply.github.com> --- .github/workflows/setup-nodejs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/setup-nodejs.yml b/.github/workflows/setup-nodejs.yml index ef58e69919a94e6..1a307c9a68f6b0e 100644 --- a/.github/workflows/setup-nodejs.yml +++ b/.github/workflows/setup-nodejs.yml @@ -26,7 +26,7 @@ inputs: cache-dependency-path: description: 'Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. Supports wildcards or a list of file names for caching multiple dependencies.' mirror: - description: 'Used to specify an alternative mirror to downlooad Node.js binaries from' + description: 'Used to specify an alternative mirror to download Node.js binaries from' mirror-token: description: 'The token used as Authorization header when fetching from the mirror' # TODO: add input to control forcing to pull from cloud or dist.