Merge pull request #26 from asimmon/feature/workflows

Added Semgrep code analysis and Renovate workflows

.github/workflows/renovate.yml

@@ -0,0 +1,26 @@
+name: Renovate
+
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: "7 2 * * *"
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Use Node.js 18
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+
+      - name: Renovate
+        shell: bash
+        run: npx renovate $GITHUB_REPOSITORY
+        env:
+          RENOVATE_CONFIG_FILE: "renovate.json"
+          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}
+          LOG_LEVEL: "debug"

.github/workflows/semgrep.yml

@@ -0,0 +1,52 @@
+name: Semgrep scan
+
+on:
+  pull_request:
+    branches: [main]
+  workflow_dispatch: {}
+  schedule:
+    - cron: "50 21 * * 6"
+
+jobs:
+  semgrep:
+    runs-on: ubuntu-latest
+
+    # https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository
+    permissions:
+      security-events: write
+
+    container:
+      image: returntocorp/semgrep
+
+    steps:
+      - name: Checkout all commits and tags
+        uses: actions/checkout@v3
+        if: ${{ github.event_name == 'pull_request' }}
+        with:
+          fetch-depth: 0
+
+      - name: Checkout single commit
+        uses: actions/checkout@v3
+        if: ${{ github.event_name != 'pull_request' }}
+
+      - name: Pull request scan
+        if: ${{ github.event_name == 'pull_request' }}
+        run: semgrep scan --config=auto --verbose --time --error --baseline-commit ${{ github.event.pull_request.base.sha }}
+
+      - name: Full scan
+        if: ${{ github.event_name != 'pull_request' }}
+        run: semgrep scan --config=auto --verbose --time --sarif --output report.sarif
+
+      - name: Save report as pipeline artifact
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: report.sarif
+          path: report.sarif
+
+      - name: Publish code scanning alerts
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: report.sarif
+          category: semgrep

global.json

@@ -0,0 +1,7 @@
+{
+  "sdk": {
+    "version": "6.0.406",
+    "rollForward": "latestMinor",
+    "allowPrerelease": false
+  }
+}

renovate.json

@@ -0,0 +1,46 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "platform": "github",
+  "labels": ["renovate"],
+  "extends": [
+    "config:base",
+    ":rebaseStalePrs"
+  ],
+  "enabledManagers": [
+    "github-actions",
+    "nuget"
+  ],
+  "stabilityDays": 3,
+  "prHourlyLimit": 0,
+  "prConcurrentLimit": 0,
+  "branchConcurrentLimit": 0,
+  "dependencyDashboard": false,
+  "gitAuthor": "Renovate Bot <[email protected]>",
+  "packageRules": [
+    {
+      "matchManagers": ["nuget"],
+      "groupName": "NuGet dependencies"
+    },
+    {
+      "matchManagers": ["nuget"],
+      "matchPackageNames": ["MongoDB.Driver"],
+      "groupName": "Ignored MongoDB.Driver",
+      "description": "We only set a minimum required version, any vulnerabilities will still be reported",
+      "enabled": false
+    },
+    {
+      "matchPackageNames": ["dotnet-sdk"],
+      "groupName": "Dotnet SDK",
+      "description": "Only update patch and minor for the dotnet SDK version within the global.json",
+      "extends": [":disableMajorUpdates"]
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "groupName": "Pipeline dependencies"
+    }
+  ],
+  "vulnerabilityAlerts": {
+    "enabled": true,
+    "labels": ["security"]
+  }
+}