From 3a0b2894c2bd05b2ecca35c3997b0057ad9bc5b1 Mon Sep 17 00:00:00 2001
From: Mohammad Yosefpor
Date: Sun, 26 Nov 2023 02:41:16 +0330
Subject: [PATCH] fix

---
 .github/dependabot.yml | 6 ++--
 .github/workflows/ci.yml | 2 +-
 .github/workflows/cifuzz.yml | 27 ---------------
 .github/workflows/release.yml | 55 ------------------------------
 .github/workflows/scorecards.yml | 56 -------------------------------
 .github/workflows/trivy-scan.yaml | 33 ------------------
 6 files changed, 4 insertions(+), 175 deletions(-)
 delete mode 100644 .github/workflows/cifuzz.yml
 delete mode 100644 .github/workflows/release.yml
 delete mode 100644 .github/workflows/scorecards.yml
 delete mode 100644 .github/workflows/trivy-scan.yaml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 890eb28a54a..5058b9345d8 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,12 +8,12 @@ updates:
 groups:
 dev-dependencies:
 patterns:
- - "*"
+ - "*"
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
- interval: "weekly"
+ interval: "monthly"
 groups:
 dev-dependencies:
 patterns:
- - "*"
+ - "*"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cc4db17e754..b58e3e628ca 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,7 +14,7 @@ jobs:
 - uses: actions/checkout@v2
 - uses: actions/setup-go@v2
 with:
- go-version: '^1.17.0'
+ go-version: '^1.20.0'
 - run: go test -v ./... -covermode=atomic -coverprofile=coverage.out
 - uses: codecov/codecov-action@v1
 with:
diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
deleted file mode 100644
index 1cc71736981..00000000000
--- a/.github/workflows/cifuzz.yml
+++ /dev/null
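Review bot: Switching the `github-actions` ecosystem to `interval: "monthly"` lengthens the window in which a superseded action release keeps running unflagged, and nothing in the hunk records why that ecosystem is now checked less often; the first ecosystem's own `schedule:` sits above the hunk, so whether the two cadences still agree is not visible here. A comment above the line stating the reason, e.g. `# monthly: action bumps are low-volume and reviewed by hand`, would make the trade-off explicit for the next reader. The two `- "*"` lines differ only in indentation, which this rendering does not preserve, so it is worth confirming that both patterns still nest under their `patterns:` key after the change.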
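Review bot: `go-version: '^1.20.0'` is a caret range, so `actions/setup-go@v2` resolves it to the newest matching Go 1.x available at run time and the toolchain under test floats between builds; the enclosing job starts above the hunk. The context lines keep `actions/checkout@v2`, `actions/setup-go@v2` and `codecov/codecov-action@v1` referenced by mutable major tags, whereas the workflows this same commit deletes pinned `actions/upload-artifact` and `github/codeql-action/upload-sarif` by commit SHA with a version comment; with cifuzz, scorecards and trivy-scan removed, fewer automated checks remain, so bringing this job to the same pinning style (`uses: actions/setup-go@<commit-sha> # vN`) is the one change I would ask for before merging. If setup-go is raised to a release that supports it, `go-version-file: go.mod` would tie the tested toolchain to the module instead of a range.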
@@ -1,27 +0,0 @@
-name: CIFuzz
-on:
- pull_request:
- branches:
- - master
-jobs:
- Fuzzing:
- runs-on: ubuntu-latest
- steps:
- - name: Build Fuzzers
- id: build
- uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master # cifuzz can't be pinned https://github.com/google/oss-fuzz/issues/6836
- with:
- oss-fuzz-project-name: "go-coredns"
- dry-run: false
- - name: Run Fuzzers
- uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master # cifuzz can't be pinned
- with:
- oss-fuzz-project-name: "go-coredns"
- fuzz-seconds: 600
- dry-run: false
- - name: Upload Crash
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
- if: failure() && steps.build.outcome == 'success'
- with:
- name: artifacts
- path: ./out/artifacts
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 26481291344..00000000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-name: Release
-
-on:
- workflow_dispatch:
- inputs:
- commit:
- description: "Commit (e.g., 52f0348)"
- default: "master"
-
-jobs:
- release:
- name: Release
- runs-on: ubuntu-latest
- steps:
- - name: Check out code
- uses: actions/checkout@v4
- with:
- ref: ${{ github.event.inputs.commit }}
- - name: Set up info
- run: |
- set -x -e
- VERSION=$(make -f Makefile.release version)
- COMMIT=$(git rev-parse --quiet --verify ${{ github.event.inputs.commit }})
- if [[ "$(git tag -l v${VERSION})" == "v${VERSION}" ]]; then
- echo "v${VERSION} already released"
- exit 1
- fi
- echo "commit=${COMMIT}" >> $GITHUB_OUTPUT
- echo "version=${VERSION}" >> $GITHUB_OUTPUT
- id: info
- - name: Build release binary
- run: make -f Makefile.release release
- - name: Build release binary sha256
- run: (cd release; for asset in `ls -A *tgz`; do sha256sum $asset > $asset.sha256; done)
- - name: Remove hidden section
- run: sed '/+++/,//d' notes/coredns-${{ steps.info.outputs.version}}.md > release.md
- - name: Log release info
- run: |
- set -x -e
- git log -1
- echo ${{ steps.info.outputs.commit }}
- echo ${{ steps.info.outputs.version }}
- cat release.md
- sha256sum release/*.tgz
- - name: Draft release
- uses: softprops/action-gh-release@v1
- with:
- body_path: release.md
- name: v${{ steps.info.outputs.version }}
- tag_name: v${{ steps.info.outputs.version }}
- target_commitish: ${{ steps.info.outputs.commit }}
- files: |
- release/*.tgz
- release/*.tgz.sha256
- draft: true
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
deleted file mode 100644
index 19bc896c641..00000000000
--- a/.github/workflows/scorecards.yml
+++ /dev/null
@@ -1,56 +0,0 @@ -name: Scorecards supply-chain security -on: - # Only the default branch is supported. - branch_protection_rule: - schedule: - - cron: '36 10 * * 3' - push: - branches: [ master ] - -# Declare default permissions as read only. -permissions: read-all - -jobs: - analysis: - name: Scorecards analysis - runs-on: ubuntu-latest - permissions: - # Needed to upload the results to code-scanning dashboard. - security-events: write - actions: read - contents: read - id-token: write - - steps: - - name: "Checkout code" - uses: actions/checkout@v4 - with: - persist-credentials: false - - - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 - with: - results_file: results.sarif - results_format: sarif - # Read-only PAT token. To create it, - # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation. - repo_token: ${{ secrets.SCORECARD_READ_TOKEN }} - # Publish the results to enable scorecard badges. For more details, see - # https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories, `publish_results` will automatically be set to `false`, - # regardless of the value entered here. - publish_results: true - - # Upload the results as artifacts (optional). - - name: "Upload artifact" - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a - with: - sarif_file: results.sarif diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml deleted file mode 100644 index 8dd7dfc8530..00000000000 --- a/.github/workflows/trivy-scan.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -name: Trivy Nightly Scan -on: - schedule: - - cron: '0 2 * * 5' # Run at 2AM UTC on every Friday - -permissions: read-all -jobs: - nightly-scan: - name: Trivy Scan nightly - strategy: - fail-fast: false - matrix: - # It will test for only the latest version as older version is not maintained - versions: [latest] - permissions: - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@2b6a709cf9c4025c5438138008beaddbb02086f0 # master - with: - image-ref: 'docker.io/coredns/coredns:${{ matrix.versions }}' - severity: 'CRITICAL,HIGH' - format: 'sarif' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4 - with: - sarif_file: 'trivy-results.sarif'