Merge branch 'actions:main' into fortify-updates

Author: rsenden

CODEOWNERS

@@ -1,4 +1,5 @@
-* @actions/actions-workflow-development-reviewers
+* @actions/actions-workflow-development-reviewers @actions/starter-workflows
 
-/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph
-/pages/ @actions/pages @actions/actions-workflow-development-reviewers
+/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph @actions/starter-workflows
+/code-scanning/dependency-review.yml @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph @actions/starter-workflows
+/pages/ @actions/pages @actions/actions-workflow-development-reviewers @actions/starter-workflows

ci/dotnet-desktop.yml

@@ -63,19 +63,19 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
     # Install the .NET Core workload
     - name: Install .NET Core
-      uses: actions/setup-dotnet@v3
+      uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 6.0.x
+        dotnet-version: 8.0.x
 
     # Add  MSBuild to the PATH: https://github.com/microsoft/setup-msbuild
     - name: Setup MSBuild.exe
-      uses: microsoft/setup-msbuild@v1.0.2
+      uses: microsoft/setup-msbuild@v2
 
     # Execute all unit tests in the solution
     - name: Execute unit tests

ci/dotnet.yml

@@ -15,11 +15,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - name: Setup .NET
-      uses: actions/setup-dotnet@v3
+      uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 6.0.x
+        dotnet-version: 8.0.x
     - name: Restore dependencies
       run: dotnet restore
     - name: Build

ci/gradle-publish.yml

@@ -30,7 +30,7 @@ jobs:
         settings-path: ${{ github.workspace }} # location for the settings.xml file
 
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0
+      uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
 
     - name: Build with Gradle
       run: ./gradlew build

ci/gradle.yml

@@ -31,7 +31,7 @@ jobs:
     # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies.
     # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0
+      uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
 
     - name: Build with Gradle Wrapper
       run: ./gradlew build
@@ -40,7 +40,7 @@ jobs:
     # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version.
     #
     # - name: Setup Gradle
-    #   uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0
+    #   uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
     #   with:
     #     gradle-version: '8.5'
     #
@@ -64,4 +64,4 @@ jobs:
     # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies.
     # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md
     - name: Generate and submit dependency graph
-      uses: gradle/actions/dependency-submission@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0
+      uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0

ci/laravel.yml

@@ -28,8 +28,8 @@ jobs:
       run: |
         mkdir -p database
         touch database/database.sqlite
-    - name: Execute tests (Unit and Feature tests) via PHPUnit
+    - name: Execute tests (Unit and Feature tests) via PHPUnit/Pest
       env:
         DB_CONNECTION: sqlite
         DB_DATABASE: database/database.sqlite
-      run: vendor/bin/phpunit
+      run: php artisan test

code-scanning/codeql.yml

@@ -21,31 +21,37 @@ on:
 
 jobs:
   analyze:
-    name: Analyze
+    name: Analyze (${{ matrix.language }})
     # Runner size impacts CodeQL analysis time. To learn more, please see:
     #   - https://gh.io/recommended-hardware-resources-for-running-codeql
     #   - https://gh.io/supported-runners-and-hardware-resources
-    #   - https://gh.io/using-larger-runners
-    # Consider using larger runners for possible analysis time improvements.
+    #   - https://gh.io/using-larger-runners (GitHub.com only)
+    # Consider using larger runners or machines with greater resources for possible analysis time improvements.
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
     permissions:
       # required for all workflows
       security-events: write
 
+      # required to fetch internal or private CodeQL packs
+      packages: read
+
       # only required for workflows in private repositories
       actions: read
       contents: read
 
     strategy:
       fail-fast: false
       matrix:
-        language: [ $detected-codeql-languages ]
-        # CodeQL supports [ $supported-codeql-languages ]
-        # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
-        # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
-        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
-
+        $codeql-languages-matrix
+        # CodeQL supports the following values keywords for 'language': $supported-codeql-languages
+        # Use `c-cpp` to analyze code written in C, C++ or both
+        # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+        # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+        # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+        # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+        # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+        # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4
@@ -55,28 +61,28 @@ jobs:
       uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
+        build-mode: ${{ matrix.build-mode }}
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
 
         # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-
-    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
-
+    # If the analyze step fails for one of the languages you are analyzing with
+    # "We were unable to automatically build your code", modify the matrix above
+    # to set the build mode to "manual" for that language. Then modify this step
+    # to build your code.
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines.
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-    # - run: |
-    #     echo "Run, Build Application using script"
-    #     ./location_of_script_within_repo/buildscript.sh
+    - if: matrix.build-mode == 'manual'
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v3

code-scanning/dependency-review.yml

@@ -20,8 +20,8 @@ on:
 # https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api
 permissions:
   contents: read
-  # Required if `comment-summary-in-pr: true` is uncommented below
-  # pull-requests: write
+  # Write permissions for pull-requests are required for using the `comment-summary-in-pr` option, comment out if you aren't using this option
+  pull-requests: write
 
 jobs:
   dependency-review:
@@ -32,8 +32,8 @@ jobs:
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@v4
         # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
-        # with:
+        with:
+          comment-summary-in-pr: always
         #   fail-on-severity: moderate
         #   deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later
-        #   comment-summary-in-pr: true
         #   retry-on-snapshot-warnings: true

code-scanning/detekt.yml

@@ -13,7 +13,7 @@
 # 4. Manually, on demand, via the "workflow_dispatch" event
 #
 # The workflow should work with no modifications, but you might like to use a
-# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG
+# later version of the Detekt CLI by modifying the $DETEKT_RELEASE_TAG
 # environment variable.
 name: Scan with Detekt
 

code-scanning/endorlabs.yml

@@ -24,7 +24,7 @@ jobs:
       uses: actions/checkout@v3
     #### Package Build Instructions
     ### Use this section to define the build steps used by your software package.
-    ### Endor Labs builds your software for you where possible but the required build tools must be made availible.
+    ### Endor Labs builds your software for you where possible but the required build tools must be made available.
     # - name: Setup Java
     #   uses: actions/setup-java@v3
     #   with:

code-scanning/osv-scanner.yml

@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities,
+# in addition to a PR check which fails if new vulnerabilities are introduced.
+#
+# For more examples and options, including how to ignore specific vulnerabilities,
+# see https://google.github.io/osv-scanner/github-action/
+
+name: OSV-Scanner
+
+on:
+  pull_request:
+    branches: [ $default-branch, $protected-branches ]
+  merge_group:
+    branches: [ $default-branch, $protected-branches ]
+  schedule:
+    - cron: $cron-weekly
+  push:
+    branches: [ $default-branch, $protected-branches ]
+
+permissions:
+  # Require writing security events to upload SARIF file to security tab
+  security-events: write
+  # Read commit contents
+  contents: read
+
+jobs:
+  scan-scheduled:
+    if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+    with:
+      # Example of specifying custom arguments
+      scan-args: |-
+        -r
+        --skip-git
+        ./
+  scan-pr:
+    if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1
+    with:
+      # Example of specifying custom arguments
+      scan-args: |-
+        -r
+        --skip-git
+        ./

code-scanning/policy-validator-cfn.yaml

@@ -0,0 +1,84 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow will validate the IAM policies in the CloudFormation (CFN) templates with using the standard and custom checks in AWS IAM Access Analyzer
+# To use this workflow, you will need to complete the following set up steps before start using it:
+# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. In the below workflow, ARN of such role is stored in the GitHub secrets with name `POLICY_VALIDATOR_ROLE`
+# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo.
+# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the given CFN templates.
+# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow.
+name: Validate AWS IAM policies in CloudFormation templates using Policy Validator
+on:
+  push:
+    branches: [$default-branch, $protected-branches]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [$default-branch]
+env:
+  AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions
+  REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1
+  TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template.
+  ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type.
+  REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
+  REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type.
+jobs:
+  policy-validator:
+    runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable)
+    # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow
+    # https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read # This is required for actions/checkout
+    name: Policy Validator checks for AWS IAM policies
+    steps:
+      # checkout the repo for workflow to access the contents
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      # Configure AWS Credentials. More configuration details here - https://github.com/aws-actions/configure-aws-credentials
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        with:
+          role-to-assume: ${{ env.AWS_ROLE }}
+          aws-region: ${{ env.REGION }}
+      # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
+      - name: Run AWS AccessAnalyzer ValidatePolicy check
+        id: run-aws-validate-policy
+        uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+        with:
+          policy-check-type: "VALIDATE_POLICY"
+          template-path: ${{ env.TEMPLATE_PATH}}
+          region: ${{ env.REGION }}
+      # Print result from VALIDATE_POLICY check
+      - name: Print the result for ValidatePolicy check
+        if: success() || failure()
+        run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"
+      # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
+      - name: Run AWS AccessAnalyzer CheckAccessNotGranted check
+        id: run-aws-check-access-not-granted
+        uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+        with:
+          policy-check-type: "CHECK_ACCESS_NOT_GRANTED"
+          template-path: ${{ env.TEMPLATE_PATH}}
+          actions: ${{ env.ACTIONS }}
+          region: ${{ env.REGION }}
+      # Print result from CHECK_ACCESS_NOT_GRANTED check
+      - name: Print the result for CheckAccessNotGranted check
+        if: success() || failure()
+        run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}"
+      # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator
+      # reference-policy is stored in GitHub secrets
+      - name: Run AWS AccessAnalyzer CheckNoNewAccess check
+        id: run-aws-check-no-new-access
+        uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0
+        with:
+          policy-check-type: "CHECK_NO_NEW_ACCESS"
+          template-path: ${{ env.TEMPLATE_PATH}}
+          reference-policy: ${{ env.REFERENCE }}
+          reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }}
+          region: ${{env.REGION }}
+      # Print result from CHECK_NO_NEW_ACCESS check
+      - name: Print the result for CheckNoNewAccess check
+        if: success() || failure()
+        run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}"