From a1fd5140ff4baba6fa53acde22a2f1f89e159f0b Mon Sep 17 00:00:00 2001 From: Matthew Spence Date: Tue, 12 Nov 2024 14:34:29 -0600 Subject: [PATCH 1/4] add monitor to github actions --- .github/workflows/clone-staging.yaml | 1 + .github/workflows/createcachetable.yaml | 1 + .github/workflows/daily-csv-upload.yaml | 1 + .github/workflows/deploy-development.yaml | 2 ++ .github/workflows/deploy-manual.yaml | 2 ++ .github/workflows/deploy-sandbox.yaml | 2 ++ .github/workflows/deploy-stable.yaml | 1 + .github/workflows/deploy-staging.yaml | 1 + .github/workflows/issue-label-notifier.yaml | 1 + .github/workflows/migrate.yaml | 1 + .github/workflows/reset-db.yaml | 1 + .github/workflows/security-check.yaml | 1 + .github/workflows/test.yaml | 4 ++++ 13 files changed, 19 insertions(+) diff --git a/.github/workflows/clone-staging.yaml b/.github/workflows/clone-staging.yaml index 7902463280..ef259c3b6e 100644 --- a/.github/workflows/clone-staging.yaml +++ b/.github/workflows/clone-staging.yaml @@ -19,6 +19,7 @@ jobs: CF_USERNAME: ${{ secrets.CF_MS_USERNAME }} CF_PASSWORD: ${{ secrets.CF_MS_PASSWORD }} steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Clone Database run: | # install cf cli and other tools diff --git a/.github/workflows/createcachetable.yaml b/.github/workflows/createcachetable.yaml index 207ecf70e9..768bf050db 100644 --- a/.github/workflows/createcachetable.yaml +++ b/.github/workflows/createcachetable.yaml @@ -37,6 +37,7 @@ jobs: CF_USERNAME: CF_${{ github.event.inputs.environment }}_USERNAME CF_PASSWORD: CF_${{ github.event.inputs.environment }}_PASSWORD steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Create cache table for ${{ github.event.inputs.environment }} uses: cloud-gov/cg-cli-tools@main with: diff --git a/.github/workflows/daily-csv-upload.yaml b/.github/workflows/daily-csv-upload.yaml index 9cacfc3bf7..41fb009716 100644 --- a/.github/workflows/daily-csv-upload.yaml 
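Review bot: The added step `- uses: GitHubSecurityLab/actions-permissions/monitor@v1` references a third-party action by a mutable tag, and in the clone-staging hunk it becomes the first step of a job whose `env` (apparently job-level, though indentation is lost on this page) carries `CF_USERNAME` and `CF_PASSWORD` from secrets. Whoever can move the `v1` tag upstream can change what runs in that job, so I would pin the action to a reviewed commit, e.g. `- uses: GitHubSecurityLab/actions-permissions/monitor@<full-commit-sha> # v1` (placeholder; the SHA is not on this page). The same unpinned line is added in every other workflow touched by this patch: createcachetable, daily-csv-upload, the deploy-* workflows, issue-label-notifier, migrate, reset-db, security-check and test. The `steps:` lists continue outside the hunks and no visible line shows a `permissions:` block, so a short comment above the step saying the monitor is temporary and will be replaced by an explicit `permissions:` block once its recommendations are collected would help the next reader.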
+++ b/.github/workflows/daily-csv-upload.yaml @@ -13,6 +13,7 @@ jobs: CF_USERNAME: CF_${{ secrets.CF_REPORT_ENV }}_USERNAME CF_PASSWORD: CF_${{ secrets.CF_REPORT_ENV }}_PASSWORD steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Generate current-federal.csv uses: cloud-gov/cg-cli-tools@main with: diff --git a/.github/workflows/deploy-development.yaml b/.github/workflows/deploy-development.yaml index fa447ed76c..9b4ce00e18 100644 --- a/.github/workflows/deploy-development.yaml +++ b/.github/workflows/deploy-development.yaml @@ -17,6 +17,8 @@ jobs: deploy-development: runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 + - uses: actions/checkout@v3 - name: Compile USWDS assets diff --git a/.github/workflows/deploy-manual.yaml b/.github/workflows/deploy-manual.yaml index a85cc75656..7033bc1291 100644 --- a/.github/workflows/deploy-manual.yaml +++ b/.github/workflows/deploy-manual.yaml @@ -44,6 +44,7 @@ jobs: variables: runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Setting global variables uses: actions/github-script@v6 id: var @@ -53,6 +54,7 @@ jobs: deploy: runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@v3 - name: Compile USWDS assets working-directory: ./src diff --git a/.github/workflows/deploy-sandbox.yaml b/.github/workflows/deploy-sandbox.yaml index e9eb066276..52d0d18302 100644 --- a/.github/workflows/deploy-sandbox.yaml +++ b/.github/workflows/deploy-sandbox.yaml @@ -35,6 +35,7 @@ jobs: environment: ${{ steps.var.outputs.environment}} runs-on: "ubuntu-latest" steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Setting global variables uses: actions/github-script@v6 id: var 
@@ -45,6 +46,7 @@ jobs: runs-on: ubuntu-latest needs: [variables] steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@v3 - name: Compile USWDS assets working-directory: ./src diff --git a/.github/workflows/deploy-stable.yaml b/.github/workflows/deploy-stable.yaml index a1b947ca5f..7a2e4a9405 100644 --- a/.github/workflows/deploy-stable.yaml +++ b/.github/workflows/deploy-stable.yaml @@ -18,6 +18,7 @@ jobs: if: ${{ github.ref_type == 'tag' }} runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@v3 - name: Compile USWDS assets diff --git a/.github/workflows/deploy-staging.yaml b/.github/workflows/deploy-staging.yaml index 3cf5ad5a1f..81e87b2dff 100644 --- a/.github/workflows/deploy-staging.yaml +++ b/.github/workflows/deploy-staging.yaml @@ -18,6 +18,7 @@ jobs: if: ${{ github.ref_type == 'tag' }} runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@v3 - name: Compile USWDS assets diff --git a/.github/workflows/issue-label-notifier.yaml b/.github/workflows/issue-label-notifier.yaml index c4f10d48fc..ee6aaa8445 100644 --- a/.github/workflows/issue-label-notifier.yaml +++ b/.github/workflows/issue-label-notifier.yaml @@ -10,6 +10,7 @@ jobs: notify: runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: jenschelkopf/issue-label-notification-action@1.3 with: recipients: | diff --git a/.github/workflows/migrate.yaml b/.github/workflows/migrate.yaml index 1853b3c4f9..e18791cad1 100644 --- a/.github/workflows/migrate.yaml +++ b/.github/workflows/migrate.yaml 
@@ -45,6 +45,7 @@ jobs: CF_USERNAME: CF_${{ github.event.inputs.environment }}_USERNAME CF_PASSWORD: CF_${{ github.event.inputs.environment }}_PASSWORD steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Run Django migrations for ${{ github.event.inputs.environment }} uses: cloud-gov/cg-cli-tools@main with: diff --git a/.github/workflows/reset-db.yaml b/.github/workflows/reset-db.yaml index 111555b3c4..8e060beaa8 100644 --- a/.github/workflows/reset-db.yaml +++ b/.github/workflows/reset-db.yaml @@ -45,6 +45,7 @@ jobs: CF_USERNAME: CF_${{ github.event.inputs.environment }}_USERNAME CF_PASSWORD: CF_${{ github.event.inputs.environment }}_PASSWORD steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Delete existing data for ${{ github.event.inputs.environment }} uses: cloud-gov/cg-cli-tools@main with: diff --git a/.github/workflows/security-check.yaml b/.github/workflows/security-check.yaml index aea700613a..2a0623143c 100644 --- a/.github/workflows/security-check.yaml +++ b/.github/workflows/security-check.yaml @@ -38,6 +38,7 @@ jobs: REGISTRY_HOSTNAME: localhost steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Check out uses: actions/checkout@v3 - name: Scan Django settings for security issues diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 642e9dc30c..0ccf94885d 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -21,6 +21,7 @@ jobs: python-linting: runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@v3 - name: Linting @@ -32,6 +33,7 @@ jobs: python-test: runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@v3 - name: Unit tests 
@@ -41,6 +43,7 @@ jobs: django-migrations-complete: runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@v3 - name: Check for complete migrations @@ -52,6 +55,7 @@ jobs: pa11y-scan: runs-on: ubuntu-20.04 steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@v3 - name: Disable Login From d4c3e81fa155fc58f94ae2c04f8c923a64fd6dcf Mon Sep 17 00:00:00 2001 From: Matt-Spence Date: Wed, 13 Nov 2024 11:15:32 -0600 Subject: [PATCH 2/4] Update test.yaml --- .github/workflows/test.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 0ccf94885d..7c7576cae6 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -55,7 +55,6 @@ jobs: pa11y-scan: runs-on: ubuntu-20.04 steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - uses: actions/checkout@v3 - name: Disable Login From 2f65cd83b671b8d0a219b8115451e21642d58e2e Mon Sep 17 00:00:00 2001 From: Matt-Spence Date: Wed, 13 Nov 2024 11:17:43 -0600 Subject: [PATCH 3/4] Update security-check.yaml --- .github/workflows/security-check.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security-check.yaml b/.github/workflows/security-check.yaml index 2a0623143c..eda6a4f342 100644 --- a/.github/workflows/security-check.yaml +++ b/.github/workflows/security-check.yaml @@ -38,7 +38,6 @@ jobs: REGISTRY_HOSTNAME: localhost steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Check out uses: actions/checkout@v3 - name: Scan Django settings for security issues @@ -55,6 +54,7 @@ jobs: runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Check out uses: actions/checkout@v3 - name: MockUserLogin should not be in settings.MIDDLEWARE 
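Review bot: After patch 3/4 the monitor covers only some jobs of security-check.yaml: it is added to the jobs at new lines 54 and 66 but removed from the job at line 38, and the commit message ("Update security-check.yaml") gives no reason. Patch 4/4 then drops it again from the job at line 66, and patch 2/4 dropped it from `pa11y-scan` in test.yaml, also without explanation. The monitor presumably reports only on jobs it runs in, so the excluded jobs will get no permission recommendation and a later reader cannot tell whether that is deliberate. I would leave a comment in each excluded job's `steps:`, such as `# actions-permissions monitor omitted: <reason>`. The job names for these hunks are outside the visible context.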
@@ -66,6 +66,7 @@ jobs: runs-on: ubuntu-latest steps: + - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Check out uses: actions/checkout@v3 From 5e9d1fa048719b71def9c3f097d567af48410e6c Mon Sep 17 00:00:00 2001 From: Matt-Spence Date: Wed, 13 Nov 2024 11:24:26 -0600 Subject: [PATCH 4/4] Update security-check.yaml --- .github/workflows/security-check.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/security-check.yaml b/.github/workflows/security-check.yaml index eda6a4f342..ae58b37c65 100644 --- a/.github/workflows/security-check.yaml +++ b/.github/workflows/security-check.yaml @@ -66,7 +66,6 @@ jobs: runs-on: ubuntu-latest steps: - - uses: GitHubSecurityLab/actions-permissions/monitor@v1 - name: Check out uses: actions/checkout@v3