From 25a6e79544b23ef7bad57c2715059fc9f58b34f6 Mon Sep 17 00:00:00 2001
From: Jon Gadsden
Date: Thu, 28 Nov 2024 08:19:56 +0000
Subject: [PATCH] add to ZAP rules
---
 .github/workflows/.zap-rules-web.tsv | 9 ++---
 .github/workflows/push.yaml | 2 +-
 .github/workflows/release-windows.yaml | 49 ++++++++++++++++++++++++++
 .github/workflows/release.yaml | 7 ++--
 4 files changed, 59 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/release-windows.yaml
diff --git a/.github/workflows/.zap-rules-web.tsv b/.github/workflows/.zap-rules-web.tsv
index 248188b52..6f6ba7332 100644
--- a/.github/workflows/.zap-rules-web.tsv
+++ b/.github/workflows/.zap-rules-web.tsv
@@ -1,12 +1,13 @@
-10110 OUTOFSCOPE .*vendor.*\.js
-10110 OUTOFSCOPE .*graph-test.*\.js
+10062 OUTOFSCOPE .*_bom\..*
+10094 OUTOFSCOPE .*_bom\..*
 10099 OUTOFSCOPE .*vendor.*\.js
 10099 OUTOFSCOPE .*diagram-edit.*\.js
 10099 OUTOFSCOPE .*app.*\.js
+10110 OUTOFSCOPE .*vendor.*\.js
+10110 OUTOFSCOPE .*graph-test.*\.js
 10110 OUTOFSCOPE .*diagram-edit.*\.js
-10062 OUTOFSCOPE .*_bom\..*
-10094 OUTOFSCOPE .*_bom\..*
 10110 OUTOFSCOPE .*jquery\.min\.js
+10003 IGNORE Javascript libraries handled by dependabot
 10055 IGNORE CSP: script-src unsafe-eval
 10063 IGNORE Permissions Policy Header Not Set
 40039 IGNORE Web Cache Deception
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index aed1bdc5f..8029f2038 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -415,7 +415,7 @@ jobs:
 -e ENCRYPTION_KEYS='${{ secrets.CI_SESSION_ENCRYPTION_KEYS }}' \
 -e NODE_ENV='development' \
 -e SERVER_API_PROTOCOL='http' \
- ${{ env.IMAGE_NAME }}
+ ${{ env.IMAGE_NAME }}-arm64
 - name: Checkout
 uses: actions/checkout@v4.2.0
diff --git a/.github/workflows/release-windows.yaml b/.github/workflows/release-windows.yaml
new file mode 100644
index 000000000..a2eb5553d
--- /dev/null
+++ b/.github/workflows/release-windows.yaml
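Review bot: The new `10003 IGNORE Javascript libraries handled by dependabot` row suppresses ZAP's vulnerable-JS-library check (rule 10003, as far as I recall) for every script the scan sees, while the justification only holds for libraries declared in the package manifests that dependabot tracks; the `OUTOFSCOPE` rows above show vendored scripts such as `.*vendor.*\.js` and `.*jquery\.min\.js`, and if any of those are copied in rather than installed through npm, dependabot will not see them. A narrower option that keeps the signal in the report is `10003 WARN Javascript libraries handled by dependabot`, which reports the finding without failing the scan, or `OUTOFSCOPE` rows for the bundled paths dependabot does maintain. The reordering of the 10110/10062/10094 rows is cosmetic.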
@@ -0,0 +1,49 @@
+name: Windows release
+
+on:
+ workflow_dispatch:
+
+# for security reasons the github actions are pinned to specific release versions
+jobs:
+
+ desktop_windows:
+ name: Windows installer
+ runs-on: windows-latest
+ defaults:
+ run:
+ working-directory: td.vue
+
+ steps:
+ - name: Check out
+ uses: actions/checkout@v4.2.0
+
+ - name: Use node LTS 20.14.0
+ uses: actions/setup-node@v4.1.0
+ with:
+ node-version: '20.14.0'
+
+ - name: Cache NPM dir
+ uses: actions/cache@v4.1.1
+ with:
+ path: ~/.npm
+ key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
+ restore-keys: |
+ ${{ runner.os }}-node-
+ ${{ runner.os }}-
+
+ - name: Install clean packages
+ run: npm clean-install
+
+ - name: Build Windows executable
+ # code signing done later using Extended Verification (EV) with a hardware key
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: npm run build:desktop -- --windows --publish always
+
+ - name: Save SBOM artifact
+ uses: actions/upload-artifact@v4.4.0
+ with:
+ name: sboms-desktop-windows-site
+ path: './td.vue/dist-desktop/bundled/.sbom/*'
+ include-hidden-files: true
+ if-no-files-found: error
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5668fcbc3..b3332128e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -4,8 +4,7 @@ name: Release pipeline
 on:
 push:
 tags:
- - v2.?.?
- - v2.?.?-RC?
+ - v2.?.*
 workflow_dispatch:
 env:
@@ -159,7 +158,9 @@ jobs:
 - name: Build Windows executable
 # code signing done later using Extended Verification (EV) with a hardware key
- run: npm run build:desktop -- --windows --publish never
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: npm run build:desktop -- --windows --publish always
 - name: Save SBOM artifact
 uses: actions/upload-artifact@v4.4.0
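Review bot: The `Build Windows executable` step now publishes to GitHub releases with `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and `--publish always`, but the new workflow declares no `permissions:` block, so the token's write access depends on the repository's default setting rather than being granted explicitly; add `permissions:` with `contents: write` at the `desktop_windows` job level so the scope is minimal and visible, and the same applies to the changed step in `release.yaml`, whose job header is outside the hunk. The header comment says the actions are pinned to specific release versions for security reasons, yet `actions/checkout@v4.2.0`, `actions/setup-node@v4.1.0`, `actions/cache@v4.1.1` and `actions/upload-artifact@v4.4.0` are pinned to tags, which can be moved; pinning to the commit SHA with the version in a trailing comment is what gives the guarantee the comment describes. Since the build publishes an unsigned installer from whatever ref `workflow_dispatch` is run against, a one-line comment under `on:` stating the branch or tag this is meant to be run from would help the next operator.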
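Review bot: `- v2.?.*` still restricts the minor version to a single character, because `?` matches exactly one character in GitHub's filter syntax, so a `v2.10.0` tag would not start the release pipeline; the removed `v2.?.?` and `v2.?.?-RC?` patterns had the same limit, so this is not a regression, but if double-digit minors are expected the pattern should be `- v2.*.*`. The trailing `*` also accepts any suffix after the patch component, which covers the `-RC?` case the old second pattern handled and arbitrary other suffixes as well, presumably intended. The `on:` block continues outside the hunk.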