From fc734b44a55b41f0f9cacb9d8ed6d11a33a22e8a Mon Sep 17 00:00:00 2001
From: Petro Tiurin <93913847+ptiurin@users.noreply.github.com>
Date: Thu, 30 Dec 2021 16:04:26 +0000
Subject: [PATCH 1/8] feat: Scan code for security issues

---
 .github/workflows/security-scan.yml | 35 +++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 .github/workflows/security-scan.yml

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 00000000000..62852836b25
--- /dev/null
+++ b/.github/workflows/security-scan.yml
@@ -0,0 +1,35 @@
+name: Firebolt Security Scan
+
+on:
+ workflow_dispatch:
+ push:
+ branches: [ main ]
+
+jobs:
+ fossa-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout Code"
+ uses: actions/checkout@v2
+
+ - name: "Run FOSSA Scan"
+ uses: fossas/fossa-action@v1.1.0
+ with:
+ api-key: ${{secrets.fossaApiKey}}
+
+ - name: "Run FOSSA Test"
+ uses: fossas/fossa-action@v1.1.0
+ with:
+ api-key: ${{secrets.fossaApiKey}}
+ run-tests: true
+ sonar-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: "Checkout Code"
+ uses: actions/checkout@v2
+
+ - name: SonarCloud Scan
+ uses: SonarSource/sonarcloud-github-action@v1.6
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

From 33e259612ce8c9ce62180b2ca5ffed519c4f9a7b Mon Sep 17 00:00:00 2001
From: Petro Tiurin
Date: Wed, 5 Jan 2022 09:24:36 +0000
Subject: [PATCH 2/8] Working scans

---
 .fossa.yml | 9 +++++++++
 .github/workflows/release.yml | 11 ++++++++++-
 .github/workflows/security-scan.yml | 25 +++++++++++++++++++------
 setup.py | 3 +++
 4 files changed, 41 insertions(+), 7 deletions(-)
 create mode 100644 .fossa.yml
 create mode 100644 setup.py

diff --git a/.fossa.yml b/.fossa.yml
new file mode 100644
index 00000000000..2570cfd7b1c
--- /dev/null
+++ b/.fossa.yml
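Review bot: The new workflow declares no `permissions:` block, so the `GITHUB_TOKEN` handed to the third-party SonarCloud action in the `env:` of the last step carries the repository's default token scopes rather than the minimum the scan needs. A top-level `permissions:` with `contents: read` (plus `pull-requests: read` if the action really needs PR metadata, as the inline comment suggests) keeps a misbehaving action from writing to the repository; the same applies to the later "Passing secrets" hunk, which forwards the token as `github-key`. The three actions are also referenced by mutable tags (`@v2`, `@v1.1.0`, `@v1.6`); pinning each `uses:` line to a full commit SHA makes the scanner code that runs here reproducible.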
@@ -0,0 +1,9 @@
+version: 3
+
+project:
+ id: git+github.com/firebolt-db/firebolt-python-sdk
+ name: firebolt-python-sdk
+
+targets:
+ only:
+ - type: setuptools
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cda2bddb705..aec2f333277 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,6 +19,8 @@ jobs:

 publish:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 needs: integration-tests
 steps:
 - name: Check out code
@@ -59,11 +61,18 @@ jobs:
 git commit -m "Automatic version bump to ${{ steps.tag_generation.outputs.new_tag }}"
 git push origin main

- - name: Publish to github
+ - name: Publish tag on github
 run: |
 git tag ${{ steps.tag_generation.outputs.new_tag }}
 git push origin ${{ steps.tag_generation.outputs.new_tag }}

+ - name: Release on github
+ uses: softprops/action-gh-release@v1
+ with:
+ tag_name: ${{ steps.tag_generation.outputs.new_tag }}
+ generate_release_notes: true
+ prerelease: ${{ github.event.inputs.preReleaseTag != '' }}
+
 - name: Publish to pypi
 run: |
 python3 -m build
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 62852836b25..a690b1191a8 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -2,6 +2,7 @@ name: Firebolt Security Scan

 on:
 workflow_dispatch:
+ pull_request:
 push:
 branches: [ main ]

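Review bot: `uses: softprops/action-gh-release@v1` in the second release.yml hunk is a floating major tag running inside a job that the first hunk grants `contents: write`, so a retagged release of that action changes what executes with push rights to this repository; pin it to a full commit SHA (`uses: softprops/action-gh-release@<commit-sha>`, value to be taken from the action's release) and bump it deliberately. The job-level `permissions:` block is the right shape for this job, since `contents: write` is what the tag push needs, but note that declaring it drops every unlisted scope to `none`, which is fine provided the later "Publish to pypi" step does not rely on `GITHUB_TOKEN`.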
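Review bot: Adding `pull_request:` under `on:` makes the FOSSA job run for pull requests, but that job reads `secrets.fossaApiKey`, and repository secrets are not exposed to workflows triggered by pull requests from forks, so those runs will fail at the FOSSA step rather than skip it. Either guard the secret-using steps with `if: github.event.pull_request.head.repo.full_name == github.repository`, or accept that the scan only covers same-repository branches and record that in a comment above the trigger, e.g. `# pull_request runs only succeed for branches of this repository (secrets are unavailable to forks)`.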
@@ -12,16 +13,23 @@ jobs:
 - name: "Checkout Code"
 uses: actions/checkout@v2

+ - name: "Fossa branch fix"
+ if: ${{ github.event_name == 'pull_request' }}
+ run: |
+ git fetch
+ git branch --track ${GITHUB_HEAD_REF##*/} origin/${GITHUB_HEAD_REF##*/}
+ git checkout ${GITHUB_HEAD_REF##*/}
+
+ - name: "Build"
+ run: |
+ python3 -m pip install build
+ python3 -m build
+
 - name: "Run FOSSA Scan"
- uses: fossas/fossa-action@v1.1.0
+ uses: fossas/fossa-action@v1
 with:
 api-key: ${{secrets.fossaApiKey}}

- - name: "Run FOSSA Test"
- uses: fossas/fossa-action@v1.1.0
- with:
- api-key: ${{secrets.fossaApiKey}}
- run-tests: true
 sonar-scan:
 runs-on: ubuntu-latest
 steps:
@@ -33,3 +41,8 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ with:
+ args: >
+ -Dsonar.organization=firebolt-db
+ -Dsonar.projectKey=firebolt-db_firebolt-python-sdk
+ -Dsonar.sources=src
diff --git a/setup.py b/setup.py
new file mode 100644
index 00000000000..606849326a4
--- /dev/null
+++ b/setup.py
@@ -0,0 +1,3 @@
+from setuptools import setup
+
+setup()

From 76fb8ad902904ea5d8d6164d543b0c9c6849ad64 Mon Sep 17 00:00:00 2001
From: Petro Tiurin
Date: Fri, 7 Jan 2022 07:30:58 +0000
Subject: [PATCH 3/8] Test with pipenv

---
 .github/workflows/security-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index a690b1191a8..54dcf1b28e2 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -22,8 +22,8 @@ jobs:

 - name: "Build"
 run: |
- python3 -m pip install build
- python3 -m build
+ python3 -m pip install pipenv
+ python3 -m pipenv install -e .

 - name: "Run FOSSA Scan"
 uses: fossas/fossa-action@v1

From 9a756f8fd8f82f0cc69ef0d02e8de11140a07ea6 Mon Sep 17 00:00:00 2001
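Review bot: The "Fossa branch fix" step strips everything up to the last `/` from the head ref (`${GITHUB_HEAD_REF##*/}`), so a pull request from a branch named like `feature/x` (constructed example) tries to track `origin/x`, which does not exist, and the step fails. Fetching the head ref by its full name avoids the problem: `git fetch origin "$GITHUB_HEAD_REF"` followed by `git checkout -B "$GITHUB_HEAD_REF" FETCH_HEAD`. Separately, the same hunk removes the "Run FOSSA Test" step that carried `run-tests: true`, which appears to have been the only step able to fail the job on a policy finding, leaving the scan upload-only; if that is intended, a comment on the remaining "Run FOSSA Scan" step such as `# upload-only: policy gating is not enforced in CI` would make it explicit.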
From: Petro Tiurin
Date: Fri, 7 Jan 2022 07:33:58 +0000
Subject: [PATCH 4/8] Pipenv target

---
 .fossa.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.fossa.yml b/.fossa.yml
index 2570cfd7b1c..2368780f310 100644
--- a/.fossa.yml
+++ b/.fossa.yml
@@ -6,4 +6,4 @@ project:

 targets:
 only:
- - type: setuptools
+ - type: pipenv

From 1bd1f9005bd48d9380776c882463fce7976ee0a1 Mon Sep 17 00:00:00 2001
From: Petro Tiurin
Date: Fri, 7 Jan 2022 08:06:51 +0000
Subject: [PATCH 5/8] No need for setup.py

---
 setup.py | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 setup.py

diff --git a/setup.py b/setup.py
deleted file mode 100644
index 606849326a4..00000000000
--- a/setup.py
+++ /dev/null
@@ -1,3 +0,0 @@
-from setuptools import setup
-
-setup()

From e0d6d228d8a1dbe352d1228d1c2639704d9b05b0 Mon Sep 17 00:00:00 2001
From: Petro Tiurin
Date: Fri, 7 Jan 2022 11:24:37 +0000
Subject: [PATCH 6/8] Using composite action

---
 .github/workflows/security-scan.yml | 35 ++---------------------------
 1 file changed, 2 insertions(+), 33 deletions(-)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 54dcf1b28e2..01ab7af7e22 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -13,36 +13,5 @@ jobs:
 - name: "Checkout Code"
 uses: actions/checkout@v2

- - name: "Fossa branch fix"
- if: ${{ github.event_name == 'pull_request' }}
- run: |
- git fetch
- git branch --track ${GITHUB_HEAD_REF##*/} origin/${GITHUB_HEAD_REF##*/}
- git checkout ${GITHUB_HEAD_REF##*/}
-
- - name: "Build"
- run: |
- python3 -m pip install pipenv
- python3 -m pipenv install -e .
-
- - name: "Run FOSSA Scan"
- uses: fossas/fossa-action@v1
- with:
- api-key: ${{secrets.fossaApiKey}}
-
- sonar-scan:
- runs-on: ubuntu-latest
- steps:
- - name: "Checkout Code"
- uses: actions/checkout@v2
-
- - name: SonarCloud Scan
- uses: SonarSource/sonarcloud-github-action@v1.6
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- with:
- args: >
- -Dsonar.organization=firebolt-db
- -Dsonar.projectKey=firebolt-db_firebolt-python-sdk
- -Dsonar.sources=src
+ - name: "Security Scan"
+ uses: firebolt-db/action-security-scan@main

From 4219cc647a6ba0b92d6a56e12787c6e455974ba6 Mon Sep 17 00:00:00 2001
From: Petro Tiurin
Date: Fri, 7 Jan 2022 11:29:09 +0000
Subject: [PATCH 7/8] Passing secrets

---
 .github/workflows/security-scan.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 01ab7af7e22..3536bc68cbe 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -15,3 +15,7 @@ jobs:

 - name: "Security Scan"
 uses: firebolt-db/action-security-scan@main
+ with:
+ github-key: ${{ secrets.GITHUB_TOKEN }}
+ fossa-key: ${{ secrets.fossaApiKey }}
+ sonar-key: ${{ secrets.SONAR_TOKEN }}

From 929a34a3e2f89a1d9187a94514d8c24f7de80950 Mon Sep 17 00:00:00 2001
From: Petro Tiurin
Date: Mon, 10 Jan 2022 21:34:49 +0000
Subject: [PATCH 8/8] better names

---
 .github/workflows/security-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

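Review bot: `uses: firebolt-db/action-security-scan@main` references the composite action by a moving branch, so each run executes whatever `main` holds at that moment, and after the following "Passing secrets" hunk that code also receives `GITHUB_TOKEN`, the FOSSA key and the Sonar token; a change in the action repository therefore silently changes what is done with this repository's secrets. Pin the `uses:` line to a release tag or, better, a full commit SHA of the action repository (`uses: firebolt-db/action-security-scan@<commit-sha>`) and bump it deliberately. This hunk also deletes the separate `sonar-scan` job, so Sonar now runs only if the composite action performs it; a one-line comment above the step naming what the action is expected to run, e.g. `# runs the FOSSA and SonarCloud scans that used to be inline here`, keeps that visible to readers of this file.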
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 3536bc68cbe..cf00c75e11f 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -7,7 +7,7 @@ on:
 branches: [ main ]

 jobs:
- fossa-scan:
+ security-scan:
 runs-on: ubuntu-latest
 steps:
 - name: "Checkout Code"
@@ -17,5 +17,5 @@ jobs:
 uses: firebolt-db/action-security-scan@main
 with:
 github-key: ${{ secrets.GITHUB_TOKEN }}
- fossa-key: ${{ secrets.fossaApiKey }}
+ fossa-key: ${{ secrets.FOSSA_API_KEY }}
 sonar-key: ${{ secrets.SONAR_TOKEN }}