chore(deps): update docker/login-action digest to 7ca3450 #465

Workflow file for this run

.github/workflows/super-devsecops.yml at 4eeb9e2

	name: Super DevSecOps Pipeline

	on:
	push:
	branches: ["main"]
	pull_request:
	branches: ["main"]

	permissions:
	contents: read

	jobs:
	code_quality:
	name: Eslint
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit
	- name: Checkout code
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Run ESLint
	run: \|
	yarn install
	npx eslint .
	continue-on-error: true
	build:
	name: Build
	runs-on: ubuntu-latest
	needs: code_quality
	strategy:
	matrix:
	node-version: [16.x, 18.x, 20.x]
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit
	- name: Checkout Repository to Runner Context
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Use Node version ${{ matrix.node-version }}
	uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
	with:
	node-version: ${{ matrix.node-version }}
	cache: "yarn"
	- name: Install Dependencies
	run: \|
	yarn install
	test:
	name: Unit Tests
	runs-on: ubuntu-latest
	needs: build
	strategy:
	matrix:
	node-version: [16.x, 18.x, 20.x]
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit

	- name: Checkout Repository to Runner Context
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Use Node version ${{ matrix.node-version }}
	uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
	with:
	node-version: ${{ matrix.node-version }}
	cache: "yarn"
	- name: Test with Jest
	run: \|
	yarn install
	yarn test
	sast_codeql:
	name: SAST with CodeQL
	runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') \|\| 'ubuntu-latest' }}
	timeout-minutes: ${{ (matrix.language == 'swift' && 120) \|\| 360 }}
	needs: test
	permissions:
	actions: read
	contents: read
	security-events: write
	strategy:
	fail-fast: false
	matrix:
	language: ["javascript-typescript"]
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit
	- name: Checkout repository
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

	- name: Initialize CodeQL
	uses: github/codeql-action/init@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
	with:
	languages: ${{ matrix.language }}
	- name: Autobuild
	uses: github/codeql-action/autobuild@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
	with:
	category: "/language:${{matrix.language}}"
	sast_sonar:
	name: SAST with SonarCloud
	permissions:
	pull-requests: read # allows SonarCloud to decorate PRs with analysis results
	runs-on: ubuntu-latest
	needs: test
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit
	- name: Analyze with SonarCloud
	uses: SonarSource/sonarcloud-github-action@44eed6088a971ec48af9300c3701483b8815f622
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
	with:
	args: -Dsonar.projectKey=stormsinbrewing_savvy-devsecops
	-Dsonar.organization=stormsinbrewing
	security_scorecard:
	name: OpenSSF Security Scorecards
	runs-on: ubuntu-latest
	permissions:
	# Don't make global permission: https://github.com/ossf/scorecard-action#workflow-restrictions
	security-events: write # Needed to upload the results to code-scanning dashboard.
	id-token: write # Needed to publish results and get a badge (see publish_results below).
	needs: test
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit
	- name: "Checkout code"
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	persist-credentials: false
	- name: "Run analysis"
	uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
	with:
	results_file: results.sarif
	results_format: sarif
	repo_token: ${{ secrets.GITHUB_TOKEN }}
	publish_results: true
	- name: "Upload artifact"
	uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
	with:
	name: SARIF file
	path: results.sarif
	retention-days: 5
	- name: "Upload to code-scanning"
	uses: github/codeql-action/upload-sarif@e5f05b81d5b6ff8cfa111c80c22c5fd02a384118 # v3.23.0
	with:
	sarif_file: results.sarif
	build-and-push-image:
	name: BnP GHCR
	permissions:
	contents: write
	packages: write
	runs-on: ubuntu-latest
	needs: sast_codeql
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
	with:
	egress-policy: audit
	- name: Checkout repository
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Log in to the Container registry
	uses: docker/login-action@06895751d15a223ec091bea144ad5c7f50d228d0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: BnP Docker Image
	run: \|
	docker build -t ghcr.io/stormsinbrewing/savvy-devsecops .
	docker push ghcr.io/stormsinbrewing/savvy-devsecops

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update docker/login-action digest to 7ca3450 #465

Workflow file

chore(deps): update docker/login-action digest to 7ca3450 #465

Jobs

Run details

Workflow file for this run