From 4138ec4e961e1dc37ace0592d026e925955c36b2 Mon Sep 17 00:00:00 2001
From: Evan Sims
Date: Tue, 19 Sep 2023 23:44:18 -0500
Subject: [PATCH 1/7] test: Migrate CI to GitHub
---
 .github/actions/setup/action.yml | 32 +++++++++++++++
 .github/dependabot.yml | 9 +++--
 .github/workflows/codeql.yml | 53 +++++++++++++++++++++++++
 .github/workflows/matrix.json | 7 ++++
 .github/workflows/publish.yml | 41 +++++++++++++++++++
 .github/workflows/semgrep.yml | 45 +++++++++++++++------
 .github/workflows/snyk.yml | 47 ++++++++++++++++++++++
 .github/workflows/test.yml | 67 ++++++++++++++++++++++++++++++++
 8 files changed, 286 insertions(+), 15 deletions(-)
 create mode 100644 .github/actions/setup/action.yml
 create mode 100644 .github/workflows/codeql.yml
 create mode 100644 .github/workflows/matrix.json
 create mode 100644 .github/workflows/publish.yml
 create mode 100644 .github/workflows/snyk.yml
 create mode 100644 .github/workflows/test.yml
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
new file mode 100644
index 00000000..5c457157
--- /dev/null
+++ b/.github/actions/setup/action.yml
@@ -0,0 +1,32 @@
+name: Build package
+description: Build the SDK package
+
+inputs:
+ ruby:
+ description: The Ruby version to use
+ required: false
+ default: 3.2
+ bundle-path:
+ description: The path to the bundle cache
+ required: false
+ default: vendor/bundle
+ bundler-cache:
+ description: Whether to use the bundler cache
+ required: false
+ default: true
+
+runs:
+ using: composite
+
+ steps:
+ - name: Configure Ruby
+ uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: ${{ inputs.ruby }}
+ bundler-cache: ${{ inputs.bundle-cache }}
+
+ - name: Install dependencies
+ run: bundle check || bundle install
+ shell: bash
+ env:
+ BUNDLE_PATH: ${{ inputs.bundle-path }}
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 32f056f4..f2df3e4c 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
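Review bot: `bundler-cache: ${{ inputs.bundle-cache }}` in the Configure Ruby step references an input this action never declares — the declared input is `bundler-cache` — so the expression evaluates to an empty string and the cache option is silently dropped whatever callers pass; change it to `bundler-cache: ${{ inputs.bundler-cache }}`. The `ruby` default `3.2` is an unquoted YAML float; it round-trips here, but `default: "3.2"` (and `default: "true"` for the boolean-looking one, since action inputs are strings anyway) keeps the values stable once a `3.10`-style version appears and matches the quoted strings in matrix.json.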
@@ -1,10 +1,13 @@
 version: 2
 updates:
-
- - package-ecosystem: "bundler"
- directory: "/"
+ - package-ecosystem: "bundler"
+ directory: "/"
 schedule:
 interval: "daily"
 ignore:
 - dependency-name: "*"
 update-types: ["version-update:semver-major"]
+ - package-ecosystem: 'github-actions'
+ directory: '/'
+ schedule:
+ interval: 'daily'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..be639066
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,53 @@
+name: CodeQL
+
+on:
+ merge_group:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+ push:
+ branches:
+ - master
+ schedule:
+ - cron: "37 10 * * 2"
+
+permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+ analyze:
+ name: Check for Vulnerabilities
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ruby]
+
+ steps:
+ - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+ run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ queries: +security-and-quality
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v2
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/matrix.json b/.github/workflows/matrix.json
new file mode 100644
index 00000000..2e4e771c
--- /dev/null
+++ b/.github/workflows/matrix.json
@@ -0,0 +1,7 @@
+{
+ "include": [
+ { "ruby": "3.0" },
+ { "ruby": "3.1" },
+ { "ruby": "3.2" }
+ ]
+}
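Review bot: The new `github-actions` entry uses single quotes while the `bundler` entry directly above uses double quotes for the same keys; pick one style for the file, e.g. `- package-ecosystem: "github-actions"`. The semver-major `ignore` rule applies only to the bundler ecosystem, so major bumps of actions (which often change required permissions or runner behaviour) will be proposed; that is probably intended, but a one-line comment saying so would save the next reader a question.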
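Review bot: The `run: exit 0` step does not do what its comment claims — `exit 0` ends only that step, and the job continues with the next step unless that step has its own `if:`, so on dependabot and merge-queue runs the checkout, init, autobuild and analyze steps all still execute and the check passes because it really ran, not because it was skipped. Either move the condition to the job (`if: github.actor != 'dependabot[bot]' && github.event_name != 'merge_group'` on `analyze`; as far as I know branch protection treats a skipped job's check as satisfied, but verify that on this repo) or guard each remaining step with the inverse condition, and fix the spelling of "Artificially"; the same pattern appears in the semgrep.yml and snyk.yml hunks of this patch. Separately, `github/codeql-action/*@v2` and `actions/checkout@v4` are tag-pinned while codecov and snyk in the sibling workflows are SHA-pinned with a `# pin@` comment; pinning these to a commit SHA too keeps the supply-chain posture consistent across the workflows.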
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 00000000..10ff092a
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,41 @@
+name: Publish Release
+
+on:
+ workflow_dispatch:
+ inputs:
+ branch:
+ description: The branch to release from.
+ required: true
+ default: master
+
+permissions:
+ contents: read
+
+jobs:
+ publish:
+ name: Publish to NPM
+ runs-on: ubuntu-latest
+ environment: release
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ ref: ${{ github.event.inputs.branch }}
+
+ - name: Configure Ruby
+ uses: ./.github/actions/setup
+ with:
+ ruby: 3.2
+
+ - name: Publish to RubyGems
+ run: |
+ mkdir -p $HOME/.gem
+ touch $HOME/.gem/credentials
+ chmod 0600 $HOME/.gem/credentials
+ printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+ gem build *.gemspec
+ gem push *.gem
+ env:
+ GEM_HOST_API_KEY: "${{secrets.RUBYGEMS_AUTH_TOKEN}}"
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 326471a6..fc7d2eeb 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
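Review bot: `gem push *.gem` pushes every `.gem` file present in the workspace, so anything left behind by an earlier step or a stray committed artifact would be published alongside the freshly built gem; building to an explicit name with `gem build *.gemspec -o release.gem` (constructed filename; `-o` is supported by current RubyGems) and then `gem push release.gem` makes the published artifact unambiguous. The `release` environment is the only gate between a `workflow_dispatch` with an arbitrary `branch` input and a RubyGems publish, and GitHub auto-creates an environment named in a workflow with no protection rules, so it is worth confirming in repository settings that `release` has required reviewers and a branch restriction before this lands. `ruby: 3.2` is an unquoted float, as in the composite action's default; `ruby: "3.2"` matches matrix.json.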
@@ -1,28 +1,49 @@ name: Semgrep on: - pull_request: {} - + merge_group: + pull_request_target: + types: + - opened + - synchronize push: branches: - master - - main - schedule: - - cron: '0 * * * *' + - cron: '30 0 1,15 * *' + +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} jobs: - semgrep: - name: Scan + authorize: + name: Authorize + environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }} runs-on: ubuntu-latest + steps: + - run: true + + run: + needs: authorize # Require approval before running on forked pull requests + + name: Check for Vulnerabilities + runs-on: ubuntu-latest + container: image: returntocorp/semgrep - if: (github.repository_owner == 'auth0') - + steps: - - uses: actions/checkout@v3 + - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group' + run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection. + + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.sha || github.ref }} - - if: github.event.pull_request.draft == false && github.actor != 'dependabot[bot]' - run: semgrep ci + - run: semgrep ci env: SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml new file mode 100644 index 00000000..4b27ea3d --- /dev/null +++ b/.github/workflows/snyk.yml 
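Review bot: Switching this workflow to `pull_request_target` and then checking out `github.event.pull_request.head.sha` means fork-contributed code is scanned in a run that can read `SEMGREP_APP_TOKEN`; the `authorize` job's `environment: external` is the intended approval gate, but GitHub creates any environment a workflow references automatically and without protection rules, so unless `external` is configured with required reviewers the gate is a no-op and every fork PR proceeds straight to `run`. Please add a comment on the `authorize` job stating that dependency, `# 'external' must have required reviewers in repo settings; this job is only a gate if it does`, and confirm the environment exists before merging. `container: image: returntocorp/semgrep` pulls a floating tag while the checkout and the snyk/codecov actions elsewhere in this series are version- or SHA-pinned; pin the image to a tag or digest so the scanner that runs on PRs is a known build. The `run: exit 0` skip step has the same shortcoming noted on codeql.yml.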
@@ -0,0 +1,47 @@
+name: Snyk
+
+on:
+ merge_group:
+ workflow_dispatch:
+ pull_request_target:
+ types:
+ - opened
+ - synchronize
+ push:
+ branches:
+ - master
+ schedule:
+ - cron: '30 0 1,15 * *'
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+jobs:
+ authorize:
+ name: Authorize
+ environment: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository && 'external' || 'internal' }}
+ runs-on: ubuntu-latest
+ steps:
+ - run: true
+
+ check:
+ needs: authorize
+
+ name: Check for Vulnerabilities
+ runs-on: ubuntu-latest
+
+ steps:
+ - if: github.actor == 'dependabot[bot]' || github.event_name == 'merge_group'
+ run: exit 0 # Skip unnecessary test runs for dependabot and merge queues. Artifically flag as successful, as this is a required check for branch protection.
+
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+ - uses: snyk/actions/php@b98d498629f1c368650224d6d212bf7dfa89e4bf # pin@0.4.0
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 00000000..d007c25e
--- /dev/null
+++ b/.github/workflows/test.yml
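Review bot: `uses: snyk/actions/php@b98d498…` is Snyk's PHP wrapper, but this repository is a Ruby gem (the test workflow runs `bundle exec rake test` and the composite action installs with bundler); this looks carried over from a PHP project, and `snyk/actions/ruby` at the same pinned commit is presumably the intended action — worth checking that the scan actually reports on the Gemfile.lock rather than finding no manifest. The `pull_request_target` + `head.sha` checkout behind an environment-gated `authorize` job is the same construction as semgrep.yml and carries the same caveat: the `external` environment must actually have required reviewers configured, or fork PRs reach the `SNYK_TOKEN` step unreviewed. The `# pin@0.4.0` comment next to the SHA is good practice; keep it in step when Dependabot bumps the ref.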
@@ -0,0 +1,67 @@
+name: Build and Test
+
+on:
+ merge_group:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - master
+ push:
+ branches:
+ - master
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
+
+env:
+ CACHE_KEY: "${{ github.ref }}-${{ github.run_id }}-${{ github.run_attempt }}"
+
+jobs:
+ configure:
+ name: Configure Build Matrix
+ runs-on: ubuntu-latest
+
+ outputs:
+ matrix: ${{ steps.set-matrix.outputs.matrix }}
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha || github.ref }}
+
+ - id: set-matrix
+ run: echo "matrix=$(jq -c . < ./.github/workflows/matrix.json)" >> $GITHUB_OUTPUT
+
+ unit:
+ needs: configure
+
+ name: Run Unit Tests
+ runs-on: ubuntu-latest
+
+ strategy:
+ matrix: ${{ fromJson(needs.configure.outputs.matrix) }}
+
+ env:
+ DOMAIN: example.auth0.dev
+ CLIENT_ID: example-client
+ CLIENT_SECRET: example-secret
+ MASTER_JWT: example-jwt
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Configure Ruby
+ uses: ./.github/actions/setup
+ with:
+ ruby: ${{ matrix.ruby }}
+
+ - name: Run tests
+ run: bundle exec rake test
+
+ - name: Upload coverage
+ uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4
From 16c3723c84c4437f6cd015660ecf30c6f728b5a3 Mon Sep 17 00:00:00 2001
From: Evan Sims
Date: Tue, 19 Sep 2023 23:47:43 -0500
Subject: [PATCH 2/7] Update BUNDLE_PATH
---
 .github/workflows/test.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index d007c25e..b84a649f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -50,6 +50,7 @@ jobs:
 CLIENT_ID: example-client
 CLIENT_SECRET: example-secret
 MASTER_JWT: example-jwt
+ BUNDLE_PATH: vendor/bundle
 steps:
 - name: Checkout code
From 2ddd16e6e466004ed42aed61268a157970405ecd Mon Sep 17 00:00:00 2001
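Review bot: `CACHE_KEY` is declared at workflow level but nothing in this file reads it, and the composite action it calls sets `BUNDLE_PATH` from its own input rather than from this variable, so it is dead configuration; either drop it or wire it into a cache step. The `configure` job checks out `github.event.pull_request.head.sha || github.ref` while the `unit` job checks out the default ref (the merge commit for `pull_request` events), so the matrix is read from the PR head and the tests run on the merge result — harmless as far as I can see, but a comment on one of the two checkouts explaining the difference would stop someone "fixing" it later. Minor: `>> $GITHUB_OUTPUT` should be `>> "$GITHUB_OUTPUT"`.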
From: Evan Sims Date: Tue, 19 Sep 2023 23:56:40 -0500 Subject: [PATCH 3/7] Only upload coverage from one Ruby build process --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index b84a649f..69a45f79 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -65,4 +65,5 @@ jobs: run: bundle exec rake test - name: Upload coverage + if: matrix.ruby == '3.2' uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # pin@3.1.4 From ec4a120734634a420ce9e99fbc51ab97aa1c9823 Mon Sep 17 00:00:00 2001 From: Evan Sims Date: Mon, 25 Sep 2023 00:02:19 -0500 Subject: [PATCH 4/7] Remove gem-release dependency --- .gemrelease | 2 -- Gemfile.lock | 2 -- auth0.gemspec | 1 - 3 files changed, 5 deletions(-) delete mode 100644 .gemrelease diff --git a/.gemrelease b/.gemrelease deleted file mode 100644 index 2815300d..00000000 --- a/.gemrelease +++ /dev/null @@ -1,2 +0,0 @@ -bump: - tag: true \ No newline at end of file diff --git a/Gemfile.lock b/Gemfile.lock index 39dfa009..4e4d0dc6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -61,7 +61,6 @@ GEM fuubar (2.5.1) rspec-core (~> 3.0) ruby-progressbar (~> 1.4) - gem-release (0.7.4) guard (2.18.0) formatador (>= 0.2.4) listen (>= 2.7, < 4.0) @@ -242,7 +241,6 @@ DEPENDENCIES dotenv-rails (~> 2.0) faker (~> 2.0) fuubar (~> 2.0) - gem-release (~> 0.7) guard-rspec (~> 4.5) irb pp diff --git a/auth0.gemspec b/auth0.gemspec index d1f1e6ab..ec7afa51 100644 --- a/auth0.gemspec +++ b/auth0.gemspec @@ -32,6 +32,5 @@ Gem::Specification.new do |s| s.add_development_dependency 'rack', '~> 2.1' s.add_development_dependency 'simplecov', '~> 0.9' s.add_development_dependency 'faker', '~> 2.0' - s.add_development_dependency 'gem-release', '~> 0.7' s.license = 'MIT' end From 92434effcd1b211e143ff59c1d394065e018c4e6 Mon Sep 17 00:00:00 2001 
From: Evan Sims Date: Mon, 25 Sep 2023 00:06:57 -0500 Subject: [PATCH 5/7] Fix `env` reference --- .github/workflows/publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 10ff092a..8a8d51f0 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -34,8 +34,8 @@ jobs: mkdir -p $HOME/.gem touch $HOME/.gem/credentials chmod 0600 $HOME/.gem/credentials - printf -- "---\n:rubygems_api_key: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials + printf -- "---\n:rubygems_api_key: $RUBYGEMS_AUTH_TOKEN\n" > $HOME/.gem/credentials gem build *.gemspec gem push *.gem env: - GEM_HOST_API_KEY: "${{secrets.RUBYGEMS_AUTH_TOKEN}}" + RUBYGEMS_AUTH_TOKEN: ${{secrets.RUBYGEMS_AUTH_TOKEN}} From bb5574508d781e4472452bf1ce7f7556617abd9a Mon Sep 17 00:00:00 2001 From: Evan Sims Date: Mon, 25 Sep 2023 00:20:56 -0500 Subject: [PATCH 6/7] Update publish.yml --- .github/workflows/publish.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 8a8d51f0..2636dd9a 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -31,11 +31,7 @@ jobs: - name: Publish to RubyGems run: | - mkdir -p $HOME/.gem - touch $HOME/.gem/credentials - chmod 0600 $HOME/.gem/credentials - printf -- "---\n:rubygems_api_key: $RUBYGEMS_AUTH_TOKEN\n" > $HOME/.gem/credentials gem build *.gemspec gem push *.gem env: - RUBYGEMS_AUTH_TOKEN: ${{secrets.RUBYGEMS_AUTH_TOKEN}} + GEM_HOST_API_KEY: ${{secrets.RUBYGEMS_AUTH_TOKEN}} From 96b1d087cc30c4ef03ecec744908ef4c338530c3 Mon Sep 17 00:00:00 2001 From: Steve Hobbs Date: Tue, 26 Sep 2023 14:38:14 +0100 Subject: [PATCH 7/7] Rename publish action --- .github/workflows/publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 2636dd9a..da2a4ceb 100644 
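Review bot: The switch back to `GEM_HOST_API_KEY` relies on `gem push` reading that variable directly, which is not obvious from the diff, and the commit title "Update publish.yml" does not say so; a comment above the step, `# gem push reads GEM_HOST_API_KEY; no ~/.gem/credentials file is needed`, records why the credential-file lines were removed and that the secret now stays off disk. Style nit: `${{secrets.RUBYGEMS_AUTH_TOKEN}}` lacks the spaces inside the braces used everywhere else in these workflows (`${{ secrets.RUBYGEMS_AUTH_TOKEN }}`).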
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -13,7 +13,7 @@ permissions:
 jobs:
 publish:
- name: Publish to NPM
+ name: Publish to RubyGems
 runs-on: ubuntu-latest
 environment: release