diff --git a/.github/actions/setup-python-poetry/action.yml b/.github/actions/setup-python-poetry/action.yml index cb17c050a2..62d01091d8 100644 --- a/.github/actions/setup-python-poetry/action.yml +++ b/.github/actions/setup-python-poetry/action.yml @@ -35,7 +35,9 @@ runs: shell: bash run: | python -m pip install --upgrade pip - pipx install poetry==${{ inputs.poetry-version }} + pipx install poetry==${INPUTS_POETRY_VERSION} + env: + INPUTS_POETRY_VERSION: ${{ inputs.poetry-version }} - name: Update poetry.lock with latest Prowler commit if: github.repository_owner == 'prowler-cloud' && github.repository != 'prowler-cloud/prowler' diff --git a/.github/actions/slack-notification/action.yml b/.github/actions/slack-notification/action.yml index 1427fed3e0..973779170d 100644 --- a/.github/actions/slack-notification/action.yml +++ b/.github/actions/slack-notification/action.yml @@ -26,16 +26,18 @@ runs: id: status shell: bash run: | - if [[ "${{ inputs.step-outcome }}" == "success" ]]; then + if [[ "${INPUTS_STEP_OUTCOME}" == "success" ]]; then echo "STATUS_TEXT=Completed" >> $GITHUB_ENV echo "STATUS_COLOR=#6aa84f" >> $GITHUB_ENV - elif [[ "${{ inputs.step-outcome }}" == "failure" ]]; then + elif [[ "${INPUTS_STEP_OUTCOME}" == "failure" ]]; then echo "STATUS_TEXT=Failed" >> $GITHUB_ENV echo "STATUS_COLOR=#fc3434" >> $GITHUB_ENV else # No outcome provided - pending/in progress state echo "STATUS_COLOR=#dbab09" >> $GITHUB_ENV fi + env: + INPUTS_STEP_OUTCOME: ${{ inputs.step-outcome }} - name: Send Slack notification (new message) if: inputs.update-ts == '' 
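Review bot: `pipx install poetry==${INPUTS_POETRY_VERSION}` still expands the input unquoted, so whitespace or glob characters in `poetry-version` are word-split into extra `pipx` arguments; moving the input into `env:` removes the `${{ }}` template-injection path, but only quoting keeps it a single argument. Change it to `pipx install "poetry==${INPUTS_POETRY_VERSION}"`. A format check before the install, e.g. `[[ "$INPUTS_POETRY_VERSION" =~ ^[0-9A-Za-z.*+-]+$ ]] || { echo "::error::Invalid poetry-version"; exit 1; }`, would additionally reject anything that is not a version specifier at all. The action's `inputs:` declaration, where the expected format could be documented, is outside this hunk.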
@@ -67,8 +69,11 @@ runs: id: slack-notification shell: bash run: | - if [[ "${{ inputs.update-ts }}" == "" ]]; then - echo "ts=${{ steps.slack-notification-post.outputs.ts }}" >> $GITHUB_OUTPUT + if [[ "${INPUTS_UPDATE_TS}" == "" ]]; then + echo "ts=${STEPS_SLACK_NOTIFICATION_POST_OUTPUTS_TS}" >> $GITHUB_OUTPUT else - echo "ts=${{ inputs.update-ts }}" >> $GITHUB_OUTPUT + echo "ts=${INPUTS_UPDATE_TS}" >> $GITHUB_OUTPUT fi + env: + INPUTS_UPDATE_TS: ${{ inputs.update-ts }} + STEPS_SLACK_NOTIFICATION_POST_OUTPUTS_TS: ${{ steps.slack-notification-post.outputs.ts }} diff --git a/.github/actions/trivy-scan/action.yml b/.github/actions/trivy-scan/action.yml index 5eca1266b0..5faf8cb118 100644 --- a/.github/actions/trivy-scan/action.yml +++ b/.github/actions/trivy-scan/action.yml @@ -105,11 +105,14 @@ runs: echo "### 🔒 Container Security Scan" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY - echo "**Image:** \`${{ inputs.image-name }}:${{ inputs.image-tag }}\`" >> $GITHUB_STEP_SUMMARY + echo "**Image:** \`${INPUTS_IMAGE_NAME}:${INPUTS_IMAGE_TAG}\`" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "- 🔴 Critical: $CRITICAL" >> $GITHUB_STEP_SUMMARY echo "- 🟠 High: $HIGH" >> $GITHUB_STEP_SUMMARY echo "- **Total**: $TOTAL" >> $GITHUB_STEP_SUMMARY + env: + INPUTS_IMAGE_NAME: ${{ inputs.image-name }} + INPUTS_IMAGE_TAG: ${{ inputs.image-tag }} - name: Comment scan results on PR if: inputs.create-pr-comment == 'true' && github.event_name == 'pull_request' @@ -159,6 +162,9 @@ runs: if: inputs.fail-on-critical == 'true' && steps.security-check.outputs.critical != '0' shell: bash run: | - echo "::error::Found ${{ steps.security-check.outputs.critical }} critical vulnerabilities" + echo "::error::Found ${STEPS_SECURITY_CHECK_OUTPUTS_CRITICAL} critical vulnerabilities" echo "::warning::Please update packages or use a different base image" exit 1 + + env: + STEPS_SECURITY_CHECK_OUTPUTS_CRITICAL: ${{ steps.security-check.outputs.critical }} 
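Review bot: The `fail-on-critical` hunk adds a blank `+` line between `exit 1` and the new `env:` mapping, which none of the other converted steps in this commit do; drop it so the step reads like the summary step above, with `env:` directly after the script. Because `run: |` is a clip block scalar the extra blank line is harmless to the shell, so this is purely a consistency point. Moving `steps.security-check.outputs.critical` into an env var for the `echo` while leaving the expression in the step's `if:` is correct, since conditions are evaluated by the runner and never pass through a shell.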
diff --git a/.github/dependabot.yml b/.github/dependabot.yml index f4f12db90b..28eff02ff6 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -15,6 +15,8 @@ updates: labels: - "dependencies" - "pip" + cooldown: + default-days: 7 # Dependabot Updates are temporary disabled - 2025/03/19 # - package-ecosystem: "pip" @@ -37,6 +39,8 @@ updates: labels: - "dependencies" - "github_actions" + cooldown: + default-days: 7 # Dependabot Updates are temporary disabled - 2025/03/19 # - package-ecosystem: "npm" @@ -59,6 +63,8 @@ updates: labels: - "dependencies" - "docker" + cooldown: + default-days: 7 # Dependabot Updates are temporary disabled - 2025/04/15 # v4.6 diff --git a/.github/workflows/api-bump-version.yml b/.github/workflows/api-bump-version.yml index 97cdd546ff..720defc22d 100644 --- a/.github/workflows/api-bump-version.yml +++ b/.github/workflows/api-bump-version.yml @@ -29,6 +29,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Get current API version id: get_api_version @@ -79,12 +81,14 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Calculate next API minor version run: | - MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }} - MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }} - CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}" + MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION} + MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION} + CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}" # API version follows Prowler minor + 1 # For Prowler 5.17.0 -> API 1.18.0 
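Review bot: The three new `cooldown: default-days: 7` stanzas (pip, github_actions, docker) carry no comment explaining the choice, while the file already records other policy decisions with dated comments such as `# Dependabot Updates are temporary disabled - 2025/03/19`. Add one line above each, e.g. `# Wait 7 days after a release before proposing it, so yanked or compromised versions are caught upstream first`, so the supply-chain rationale survives the next edit. As I understand Dependabot's cooldown it governs version updates only; if security-update pull requests are expected to be delayed as well, verify that rather than assume it.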
@@ -97,6 +101,10 @@ jobs: echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0" echo "Current API version: $CURRENT_API_VERSION" echo "Next API minor version (for master): $NEXT_API_VERSION" + env: + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }} - name: Bump API versions in files for master run: | @@ -132,12 +140,13 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }} + persist-credentials: false - name: Calculate first API patch version run: | - MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }} - MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }} - CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}" + MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION} + MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION} + CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}" VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION} # API version follows Prowler minor + 1 
@@ -151,6 +160,10 @@ jobs: echo "Prowler release version: ${MAJOR_VERSION}.${MINOR_VERSION}.0" echo "First API patch version (for ${VERSION_BRANCH}): $FIRST_API_PATCH_VERSION" echo "Version branch: $VERSION_BRANCH" + env: + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }} - name: Bump API versions in files for version branch run: | @@ -193,13 +206,15 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Calculate next API patch version run: | - MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }} - MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }} - PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }} - CURRENT_API_VERSION="${{ needs.detect-release-type.outputs.current_api_version }}" + MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION} + MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION} + PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION} + CURRENT_API_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION}" VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION} # Extract current API patch to increment it 
@@ -222,6 +237,11 @@ jobs: echo "::error::Invalid API version format: $CURRENT_API_VERSION" exit 1 fi + env: + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_API_VERSION: ${{ needs.detect-release-type.outputs.current_api_version }} - name: Bump API versions in files for version branch run: | diff --git a/.github/workflows/api-code-quality.yml b/.github/workflows/api-code-quality.yml index c5cc02a298..7f48b95926 100644 --- a/.github/workflows/api-code-quality.yml +++ b/.github/workflows/api-code-quality.yml @@ -34,6 +34,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for API changes id: check-changes diff --git a/.github/workflows/api-codeql.yml b/.github/workflows/api-codeql.yml index 45cc911050..cb8c6f05ec 100644 --- a/.github/workflows/api-codeql.yml +++ b/.github/workflows/api-codeql.yml @@ -43,6 +43,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 diff --git a/.github/workflows/api-container-build-push.yml b/.github/workflows/api-container-build-push.yml index 17693785f7..e6c84fb124 100644 --- a/.github/workflows/api-container-build-push.yml +++ b/.github/workflows/api-container-build-push.yml @@ -58,6 +58,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Notify container push started id: slack-notification 
@@ -94,6 +96,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 
@@ -138,18 +142,22 @@ jobs: run: | docker buildx imagetools create \ -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \ - -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64 + -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA} \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64 + env: + NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }} - name: Create and push manifests for release event if: github.event_name == 'release' || github.event_name == 'workflow_dispatch' run: | docker buildx imagetools create \ - -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \ + -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${RELEASE_TAG} \ -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64 + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ 
env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64 + env: + NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }} - name: Install regctl if: always() @@ -159,9 +167,11 @@ jobs: if: always() run: | echo "Cleaning up intermediate tags..." - regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true - regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true + regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64" || true + regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64" || true echo "Cleanup completed" + env: + NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }} notify-release-completed: if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch') @@ -171,15 +181,20 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Determine overall outcome id: outcome run: | - if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then + if [[ "${NEEDS_CONTAINER_BUILD_PUSH_RESULT}" == "success" && "${NEEDS_CREATE_MANIFEST_RESULT}" == "success" ]]; then echo "outcome=success" >> $GITHUB_OUTPUT else echo "outcome=failure" >> $GITHUB_OUTPUT fi + env: + NEEDS_CONTAINER_BUILD_PUSH_RESULT: ${{ needs.container-build-push.result }} + NEEDS_CREATE_MANIFEST_RESULT: ${{ needs.create-manifest.result }} - name: Notify container push completed uses: ./.github/actions/slack-notification 
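Review bot: The manifest steps now read `needs.setup.outputs.short-sha` and `RELEASE_TAG` from the shell environment but still splice `${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}`, `${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}`, `${{ env.LATEST_TAG }}` and `${{ env.STABLE_TAG }}` into the same `run:` script, so the conversion stops half-way. `RELEASE_TAG` being usable as `${RELEASE_TAG}` with no extra `env:` mapping shows the workflow `env` is already exported, so the remaining four can simply become `${PROWLERCLOUD_DOCKERHUB_REPOSITORY}`, `${PROWLERCLOUD_DOCKERHUB_IMAGE}`, `${LATEST_TAG}` and `${STABLE_TAG}`. That also lets each image reference be quoted, e.g. `-t "${PROWLERCLOUD_DOCKERHUB_REPOSITORY}/${PROWLERCLOUD_DOCKERHUB_IMAGE}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}"`, as the regctl cleanup step below already does. Where those `env` values are defined is outside this hunk, so confirm they are workflow- or job-level `env:` rather than written to `GITHUB_ENV` by a later step before relying on that.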
diff --git a/.github/workflows/api-container-checks.yml b/.github/workflows/api-container-checks.yml index e1bca8091c..14f0b52752 100644 --- a/.github/workflows/api-container-checks.yml +++ b/.github/workflows/api-container-checks.yml @@ -29,6 +29,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check if Dockerfile changed id: dockerfile-changed @@ -64,6 +66,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for API changes id: check-changes diff --git a/.github/workflows/api-security.yml b/.github/workflows/api-security.yml index 04cb0ba7ff..c76180dc53 100644 --- a/.github/workflows/api-security.yml +++ b/.github/workflows/api-security.yml @@ -34,6 +34,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for API changes id: check-changes diff --git a/.github/workflows/api-tests.yml b/.github/workflows/api-tests.yml index ec235fd33b..57190b76df 100644 --- a/.github/workflows/api-tests.yml +++ b/.github/workflows/api-tests.yml @@ -74,6 +74,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for API changes id: check-changes diff --git a/.github/workflows/create-backport-label.yml b/.github/workflows/create-backport-label.yml index b4308156c7..32bc3759fd 100644 --- a/.github/workflows/create-backport-label.yml +++ b/.github/workflows/create-backport-label.yml 
@@ -25,8 +25,9 @@ jobs: - name: Create backport label for minor releases env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }} run: | - RELEASE_TAG="${{ github.event.release.tag_name }}" + RELEASE_TAG="${GITHUB_EVENT_RELEASE_TAG_NAME}" if [ -z "$RELEASE_TAG" ]; then echo "Error: No release tag provided" diff --git a/.github/workflows/docs-bump-version.yml b/.github/workflows/docs-bump-version.yml index dde21b9c1e..899abd0f0e 100644 --- a/.github/workflows/docs-bump-version.yml +++ b/.github/workflows/docs-bump-version.yml @@ -29,6 +29,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Get current documentation version id: get_docs_version @@ -79,12 +81,14 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Calculate next minor version run: | - MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }} - MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }} - CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}" + MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION} + MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION} + CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}" NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0 echo "CURRENT_DOCS_VERSION=${CURRENT_DOCS_VERSION}" >> "${GITHUB_ENV}" 
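Review bot: `RELEASE_TAG="${GITHUB_EVENT_RELEASE_TAG_NAME}"` is only checked for emptiness before the rest of the step uses it; with `GH_TOKEN` in scope on the same step, a format check would keep a mistyped or unexpected tag from producing a stray label, e.g. `[[ "$RELEASE_TAG" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "::error::Unexpected release tag: $RELEASE_TAG"; exit 1; }`. Placing the tag name in the step-level `env:` next to `GH_TOKEN` is the right fix for the template-injection issue. How the tag is consumed after the emptiness check is outside this hunk.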
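Review bot: `NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0` evaluates `MINOR_VERSION` with bash arithmetic, which is itself an injection sink: bash expands a value such as `a[$(cmd)]` inside `$(( ))` and runs the command substitution, so moving the job output into `env:` narrows but does not close the hole if `detect-release-type` could ever emit a non-numeric value. Guard before the arithmetic: `[[ "$MAJOR_VERSION" =~ ^[0-9]+$ && "$MINOR_VERSION" =~ ^[0-9]+$ ]] || { echo "::error::Non-numeric version parts: $MAJOR_VERSION.$MINOR_VERSION"; exit 1; }`. The api-bump-version workflow in this same commit already rejects a malformed `CURRENT_API_VERSION` with an `::error::Invalid API version format` branch, so this follows an existing convention. Whether the outputs are validated upstream in `detect-release-type` is not visible here.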
@@ -93,6 +97,10 @@ jobs: echo "Current documentation version: $CURRENT_DOCS_VERSION" echo "Current release version: $PROWLER_VERSION" echo "Next minor version: $NEXT_MINOR_VERSION" + env: + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }} - name: Bump versions in documentation for master run: | @@ -132,12 +140,13 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }} + persist-credentials: false - name: Calculate first patch version run: | - MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }} - MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }} - CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}" + MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION} + MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION} + CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}" FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1 VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION} @@ -148,6 +157,10 @@ jobs: echo "First patch version: $FIRST_PATCH_VERSION" echo "Version branch: $VERSION_BRANCH" + env: + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }} - name: Bump versions in documentation for version branch run: | 
@@ -193,13 +206,15 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Calculate next patch version run: | - MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }} - MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }} - PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }} - CURRENT_DOCS_VERSION="${{ needs.detect-release-type.outputs.current_docs_version }}" + MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION} + MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION} + PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION} + CURRENT_DOCS_VERSION="${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION}" NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1)) VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION} @@ -212,6 +227,11 @@ jobs: echo "Current release version: $PROWLER_VERSION" echo "Next patch version: $NEXT_PATCH_VERSION" echo "Target branch: $VERSION_BRANCH" + env: + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_CURRENT_DOCS_VERSION: ${{ needs.detect-release-type.outputs.current_docs_version }} - name: Bump versions in documentation for patch version run: | diff --git a/.github/workflows/find-secrets.yml b/.github/workflows/find-secrets.yml index c525d8faa4..236765d069 100644 --- a/.github/workflows/find-secrets.yml +++ b/.github/workflows/find-secrets.yml 
@@ -26,6 +26,7 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 + persist-credentials: false - name: Scan for secrets with TruffleHog uses: trufflesecurity/trufflehog@ef6e76c3c4023279497fab4721ffa071a722fd05 # v3.92.4 diff --git a/.github/workflows/mcp-container-build-push.yml b/.github/workflows/mcp-container-build-push.yml index 130ef90129..fe5f6bf11c 100644 --- a/.github/workflows/mcp-container-build-push.yml +++ b/.github/workflows/mcp-container-build-push.yml @@ -57,6 +57,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Notify container push started id: slack-notification @@ -92,6 +94,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 
@@ -144,18 +148,22 @@ jobs: run: | docker buildx imagetools create \ -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \ - -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64 + -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA} \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64 + env: + NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }} - name: Create and push manifests for release event if: github.event_name == 'release' || github.event_name == 'workflow_dispatch' run: | docker buildx imagetools create \ - -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \ + -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${RELEASE_TAG} \ -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64 + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ 
env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64 + env: + NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }} - name: Install regctl if: always() @@ -165,9 +173,11 @@ jobs: if: always() run: | echo "Cleaning up intermediate tags..." - regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true - regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true + regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64" || true + regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64" || true echo "Cleanup completed" + env: + NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }} notify-release-completed: if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch') @@ -177,15 +187,20 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Determine overall outcome id: outcome run: | - if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then + if [[ "${NEEDS_CONTAINER_BUILD_PUSH_RESULT}" == "success" && "${NEEDS_CREATE_MANIFEST_RESULT}" == "success" ]]; then echo "outcome=success" >> $GITHUB_OUTPUT else echo "outcome=failure" >> $GITHUB_OUTPUT fi + env: + NEEDS_CONTAINER_BUILD_PUSH_RESULT: ${{ needs.container-build-push.result }} + NEEDS_CREATE_MANIFEST_RESULT: ${{ needs.create-manifest.result }} - name: Notify container push completed uses: ./.github/actions/slack-notification 
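Review bot: The mcp manifest steps are converted the same half-way as the api ones: `needs.setup.outputs.short-sha` and `RELEASE_TAG` now come from the shell, while `${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}`, `${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}`, `${{ env.LATEST_TAG }}` and `${{ env.STABLE_TAG }}` are still templated into the script. Reading `RELEASE_TAG` as `${RELEASE_TAG}` with no `env:` mapping shows the workflow `env` is already exported, so the remaining four can be `${PROWLERCLOUD_DOCKERHUB_REPOSITORY}` and friends, and each image reference quoted, matching the regctl cleanup step below. Finishing the conversion here keeps the two build-push workflows in step and avoids a second pass later.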
diff --git a/.github/workflows/mcp-container-checks.yml b/.github/workflows/mcp-container-checks.yml index 5ea0b6c465..6ce48978aa 100644 --- a/.github/workflows/mcp-container-checks.yml +++ b/.github/workflows/mcp-container-checks.yml @@ -29,6 +29,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check if Dockerfile changed id: dockerfile-changed @@ -63,6 +65,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for MCP changes id: check-changes diff --git a/.github/workflows/mcp-pypi-release.yml b/.github/workflows/mcp-pypi-release.yml index 7a3e5f5daa..0861f55b5a 100644 --- a/.github/workflows/mcp-pypi-release.yml +++ b/.github/workflows/mcp-pypi-release.yml @@ -29,7 +29,7 @@ jobs: - name: Parse and validate version id: parse-version run: | - PROWLER_VERSION="${{ env.RELEASE_TAG }}" + PROWLER_VERSION="${RELEASE_TAG}" echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}" # Extract major version diff --git a/.github/workflows/pr-check-changelog.yml b/.github/workflows/pr-check-changelog.yml index cc22767552..548af24179 100644 --- a/.github/workflows/pr-check-changelog.yml +++ b/.github/workflows/pr-check-changelog.yml @@ -32,6 +32,7 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: fetch-depth: 0 + persist-credentials: false - name: Get changed files id: changed-files 
@@ -50,11 +51,11 @@ jobs: run: | missing_changelogs="" - if [[ "${{ steps.changed-files.outputs.any_changed }}" == "true" ]]; then + if [[ "${STEPS_CHANGED_FILES_OUTPUTS_ANY_CHANGED}" == "true" ]]; then # Check monitored folders for folder in $MONITORED_FOLDERS; do # Get files changed in this folder - changed_in_folder=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep "^${folder}/" || true) + changed_in_folder=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep "^${folder}/" || true) if [ -n "$changed_in_folder" ]; then echo "Detected changes in ${folder}/" @@ -69,11 +70,11 @@ jobs: # Check root-level dependency files (poetry.lock, pyproject.toml) # These are associated with the prowler folder changelog - root_deps_changed=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep -E "^(poetry\.lock|pyproject\.toml)$" || true) + root_deps_changed=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep -E "^(poetry\.lock|pyproject\.toml)$" || true) if [ -n "$root_deps_changed" ]; then echo "Detected changes in root dependency files: $root_deps_changed" # Check if prowler/CHANGELOG.md was already updated (might have been caught above) - prowler_changelog_updated=$(echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' | grep "^prowler/CHANGELOG.md$" || true) + prowler_changelog_updated=$(echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | grep "^prowler/CHANGELOG.md$" || true) if [ -z "$prowler_changelog_updated" ]; then # Only add if prowler wasn't already flagged if ! echo "$missing_changelogs" | grep -q "prowler"; then 
@@ -89,6 +90,9 @@ jobs: echo -e "${missing_changelogs}" echo "EOF" } >> $GITHUB_OUTPUT + env: + STEPS_CHANGED_FILES_OUTPUTS_ANY_CHANGED: ${{ steps.changed-files.outputs.any_changed }} + STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} - name: Find existing changelog comment if: github.event.pull_request.head.repo.full_name == github.repository diff --git a/.github/workflows/pr-conflict-checker.yml b/.github/workflows/pr-conflict-checker.yml index c812f4ef19..fde5107482 100644 --- a/.github/workflows/pr-conflict-checker.yml +++ b/.github/workflows/pr-conflict-checker.yml @@ -29,6 +29,7 @@ jobs: with: ref: ${{ github.event.pull_request.head.sha }} fetch-depth: 0 + persist-credentials: false - name: Get changed files id: changed-files @@ -45,7 +46,7 @@ jobs: HAS_CONFLICTS=false # Check each changed file for conflict markers - for file in ${{ steps.changed-files.outputs.all_changed_files }}; do + for file in ${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}; do if [ -f "$file" ]; then echo "Checking file: $file" @@ -70,6 +71,8 @@ jobs: echo "has_conflicts=false" >> $GITHUB_OUTPUT echo "No conflict markers found in changed files" fi + env: + STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} - name: Manage conflict label env: diff --git a/.github/workflows/pr-merged.yml b/.github/workflows/pr-merged.yml index 61970827f2..eb37d5aa8e 100644 --- a/.github/workflows/pr-merged.yml +++ b/.github/workflows/pr-merged.yml 
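Review bot: `for file in ${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}; do` relies on unquoted expansion to split the list, which also applies pathname globbing to every entry, so a pull request that adds a file literally named `*` or `[a]` is expanded against the checked-out tree; the env-var move stops shell injection but not this. Either wrap the loop in `set -f` / `set +f`, or split explicitly with `read -r -a files <<< "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}"` and iterate `"${files[@]}"`. Since the body is guarded by `[ -f "$file" ]`, the worst case is scanning extra files rather than executing anything, so this is hardening rather than a live bug. Note the split on spaces also breaks a path containing a space into two entries, which predates this commit.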
@@ -25,8 +25,10 @@ jobs: - name: Calculate short commit SHA id: vars run: | - SHORT_SHA="${{ github.event.pull_request.merge_commit_sha }}" + SHORT_SHA="${GITHUB_EVENT_PULL_REQUEST_MERGE_COMMIT_SHA}" echo "SHORT_SHA=${SHORT_SHA::7}" >> $GITHUB_ENV + env: + GITHUB_EVENT_PULL_REQUEST_MERGE_COMMIT_SHA: ${{ github.event.pull_request.merge_commit_sha }} - name: Trigger Cloud repository pull request uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1 diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index 815ade1dec..be2b624baf 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -31,6 +31,7 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }} + persist-credentials: false - name: Set up Python uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 diff --git a/.github/workflows/sdk-bump-version.yml b/.github/workflows/sdk-bump-version.yml index 9f25065689..28f4b47ef5 100644 --- a/.github/workflows/sdk-bump-version.yml +++ b/.github/workflows/sdk-bump-version.yml 
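Review bot: `SHORT_SHA="${GITHUB_EVENT_PULL_REQUEST_MERGE_COMMIT_SHA}"` is truncated with `${SHORT_SHA::7}` and written to `GITHUB_ENV` without checking it is non-empty; `merge_commit_sha` is null when a pull request is closed unmerged, so unless the workflow trigger or a job `if:` (outside this hunk) already restricts to merged PRs, the repository-dispatch step that follows would be sent an empty SHA. A one-line guard, `[[ "$SHORT_SHA" =~ ^[0-9a-f]{40}$ ]] || { echo "::error::No merge commit SHA"; exit 1; }`, makes the step self-contained. As a style point the step carries `id: vars` but exports via `GITHUB_ENV` rather than `GITHUB_OUTPUT`, so the id is unused unless a later step references `steps.vars`.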
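Review bot: This checkout now combines `token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}` with `persist-credentials: false`, which means the bot PAT is used for the clone and then discarded; any later step in this job that pushes through the checkout's stored credential will now fail, and if nothing about the fetch itself needs the PAT (private submodules, for example) the `token:` line is dead weight and the default `GITHUB_TOKEN` would do. Either remove `token:` or make the pushing step receive the secret explicitly, e.g. as a `GH_TOKEN` env on that step or the `token:` input of the PR-creation action, and add a comment on the checkout saying which. The rest of the prepare-release job is outside this hunk, so which case applies cannot be confirmed here.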
@@ -68,17 +68,22 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Calculate next minor version run: | - MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }} - MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }} + MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION} + MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION} NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0 echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}" echo "Current version: $PROWLER_VERSION" echo "Next minor version: $NEXT_MINOR_VERSION" + env: + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }} - name: Bump versions in files for master run: | @@ -113,11 +118,12 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }} + persist-credentials: false - name: Calculate first patch version run: | - MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }} - MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }} + MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION} + MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION} FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1 VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION} 
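Review bot: In `Calculate next minor version`, `NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0` feeds `NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION` into bash arithmetic expansion without checking that it is an integer; arithmetic expansion evaluates its operand as an expression rather than rejecting a non-numeric value, so moving the value into `env:` does not by itself make the step robust against a malformed output. The outputs presumably derive from the release tag and are maintainer-controlled, but a guard is cheap: `[[ "$MAJOR_VERSION" =~ ^[0-9]+$ && "$MINOR_VERSION" =~ ^[0-9]+$ ]] || { echo "::error::non-numeric version parts"; exit 1; }` before the arithmetic. The same applies to `Calculate next patch version` in the `@@ -168,12 +177,14 @@` hunk (which also uses `$((PATCH_VERSION + 1))`) and to the mirrored hunks in ui-bump-version.yml. The `detect-release-type` job that produces these outputs is not in this diff.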
@@ -127,6 +133,9 @@ jobs: echo "First patch version: $FIRST_PATCH_VERSION" echo "Version branch: $VERSION_BRANCH" + env: + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }} - name: Bump versions in files for version branch run: | @@ -168,12 +177,14 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Calculate next patch version run: | - MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }} - MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }} - PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }} + MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION} + MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION} + PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION} NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1)) VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION} @@ -184,6 +195,10 @@ jobs: echo "Current version: $PROWLER_VERSION" echo "Next patch version: $NEXT_PATCH_VERSION" echo "Target branch: $VERSION_BRANCH" + env: + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }} - name: Bump versions in files for version branch run: | diff --git a/.github/workflows/sdk-check-duplicate-test-names.yml b/.github/workflows/sdk-check-duplicate-test-names.yml index 45bd01bc41..1f47c06ea9 100644 --- a/.github/workflows/sdk-check-duplicate-test-names.yml +++ b/.github/workflows/sdk-check-duplicate-test-names.yml 
@@ -21,6 +21,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for duplicate test names across providers run: | diff --git a/.github/workflows/sdk-code-quality.yml b/.github/workflows/sdk-code-quality.yml index 004ca0b7eb..e9cd720cd5 100644 --- a/.github/workflows/sdk-code-quality.yml +++ b/.github/workflows/sdk-code-quality.yml @@ -32,6 +32,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for SDK changes id: check-changes diff --git a/.github/workflows/sdk-codeql.yml b/.github/workflows/sdk-codeql.yml index a45f633567..138e943879 100644 --- a/.github/workflows/sdk-codeql.yml +++ b/.github/workflows/sdk-codeql.yml @@ -50,6 +50,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 diff --git a/.github/workflows/sdk-container-build-push.yml b/.github/workflows/sdk-container-build-push.yml index d510ec8568..39ec5aa89c 100644 --- a/.github/workflows/sdk-container-build-push.yml +++ b/.github/workflows/sdk-container-build-push.yml @@ -62,6 +62,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 @@ -116,6 +118,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Notify container push started id: slack-notification 
@@ -152,6 +156,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 
@@ -214,24 +220,30 @@ jobs: if: github.event_name == 'push' run: | docker buildx imagetools create \ - -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \ - -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \ - -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }} \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64 + -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \ + -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \ + -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG} \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64 \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64 + env: + NEEDS_SETUP_OUTPUTS_LATEST_TAG: ${{ needs.setup.outputs.latest_tag }} - name: Create and push manifests for release event if: github.event_name == 'release' || github.event_name == 'workflow_dispatch' run: | docker buildx imagetools create \ - -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \ - -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.stable_tag }} \ - -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ needs.setup.outputs.prowler_version }} \ - -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${{ 
needs.setup.outputs.stable_tag }} \ - -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.prowler_version }} \ - -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.stable_tag }} \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64 \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64 + -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \ + -t ${{ secrets.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \ + -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \ + -t ${{ secrets.PUBLIC_ECR_REPOSITORY }}/${{ env.IMAGE_NAME }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \ + -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_PROWLER_VERSION} \ + -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_STABLE_TAG} \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64 \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64 + env: + NEEDS_SETUP_OUTPUTS_PROWLER_VERSION: ${{ needs.setup.outputs.prowler_version }} + NEEDS_SETUP_OUTPUTS_STABLE_TAG: ${{ needs.setup.outputs.stable_tag }} + NEEDS_SETUP_OUTPUTS_LATEST_TAG: ${{ needs.setup.outputs.latest_tag }} - name: Install regctl if: always() 
@@ -241,9 +253,11 @@ jobs: if: always() run: | echo "Cleaning up intermediate tags..." - regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-amd64" || true - regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.latest_tag }}-arm64" || true + regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-amd64" || true + regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_LATEST_TAG}-arm64" || true echo "Cleanup completed" + env: + NEEDS_SETUP_OUTPUTS_LATEST_TAG: ${{ needs.setup.outputs.latest_tag }} notify-release-completed: if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch') @@ -253,15 +267,20 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Determine overall outcome id: outcome run: | - if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then + if [[ "${NEEDS_CONTAINER_BUILD_PUSH_RESULT}" == "success" && "${NEEDS_CREATE_MANIFEST_RESULT}" == "success" ]]; then echo "outcome=success" >> $GITHUB_OUTPUT else echo "outcome=failure" >> $GITHUB_OUTPUT fi + env: + NEEDS_CONTAINER_BUILD_PUSH_RESULT: ${{ needs.container-build-push.result }} + NEEDS_CREATE_MANIFEST_RESULT: ${{ needs.create-manifest.result }} - name: Notify container push completed uses: ./.github/actions/slack-notification diff --git a/.github/workflows/sdk-container-checks.yml b/.github/workflows/sdk-container-checks.yml index 7a0323c216..1dbbafe405 100644 --- a/.github/workflows/sdk-container-checks.yml 
+++ b/.github/workflows/sdk-container-checks.yml @@ -28,6 +28,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check if Dockerfile changed id: dockerfile-changed @@ -63,6 +65,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for SDK changes id: check-changes diff --git a/.github/workflows/sdk-pypi-release.yml b/.github/workflows/sdk-pypi-release.yml index 68a986d37a..55ed7351d8 100644 --- a/.github/workflows/sdk-pypi-release.yml +++ b/.github/workflows/sdk-pypi-release.yml @@ -28,7 +28,7 @@ jobs: - name: Parse and validate version id: parse-version run: | - PROWLER_VERSION="${{ env.RELEASE_TAG }}" + PROWLER_VERSION="${RELEASE_TAG}" echo "version=${PROWLER_VERSION}" >> "${GITHUB_OUTPUT}" # Extract major version diff --git a/.github/workflows/sdk-refresh-aws-services-regions.yml b/.github/workflows/sdk-refresh-aws-services-regions.yml index 25839f2631..49cf139138 100644 --- a/.github/workflows/sdk-refresh-aws-services-regions.yml +++ b/.github/workflows/sdk-refresh-aws-services-regions.yml @@ -28,6 +28,7 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: 'master' + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 
@@ -82,9 +83,14 @@ jobs: - name: PR creation result run: | - if [[ "${{ steps.create-pr.outputs.pull-request-number }}" ]]; then - echo "✓ Pull request #${{ steps.create-pr.outputs.pull-request-number }} created successfully" - echo "URL: ${{ steps.create-pr.outputs.pull-request-url }}" + if [[ "${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER}" ]]; then + echo "✓ Pull request #${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER} created successfully" + echo "URL: ${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_URL}" else echo "✓ No changes detected - AWS regions are up to date" fi + + env: + STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.create-pr.outputs.pull-request-number }} + + STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_URL: ${{ steps.create-pr.outputs.pull-request-url }} diff --git a/.github/workflows/sdk-refresh-oci-regions.yml b/.github/workflows/sdk-refresh-oci-regions.yml index 35cbf37828..5686491cb2 100644 --- a/.github/workflows/sdk-refresh-oci-regions.yml +++ b/.github/workflows/sdk-refresh-oci-regions.yml @@ -26,6 +26,7 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: 'master' + persist-credentials: false - name: Set up Python ${{ env.PYTHON_VERSION }} uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 
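Review bot: The new `env:` block in `PR creation result` is separated from the `run:` script by a blank line and its two entries by another (`fi`, blank, `env:`, entry, blank, entry), whereas every other hunk in this commit places `env:` directly after the script with its entries on consecutive lines. Both blank lines are legal YAML (the first is clipped by the `|` block scalar, the second is ignored inside the mapping), so this is formatting only, but the file should follow the commit's own convention: `fi` / `env:` / the two `STEPS_CREATE_PR_OUTPUTS_*` entries with no blank lines between them. The same layout appears in the sdk-refresh-oci-regions hunk at `@@ -85,9 +86,14 @@` and in the test-impact-analysis hunk at `@@ -110,3 +118,8 @@`.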
@@ -85,9 +86,14 @@ jobs: - name: PR creation result run: | - if [[ "${{ steps.create-pr.outputs.pull-request-number }}" ]]; then - echo "✓ Pull request #${{ steps.create-pr.outputs.pull-request-number }} created successfully" - echo "URL: ${{ steps.create-pr.outputs.pull-request-url }}" + if [[ "${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER}" ]]; then + echo "✓ Pull request #${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER} created successfully" + echo "URL: ${STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_URL}" else echo "✓ No changes detected - OCI regions are up to date" fi + + env: + STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_NUMBER: ${{ steps.create-pr.outputs.pull-request-number }} + + STEPS_CREATE_PR_OUTPUTS_PULL_REQUEST_URL: ${{ steps.create-pr.outputs.pull-request-url }} diff --git a/.github/workflows/sdk-security.yml b/.github/workflows/sdk-security.yml index 01f94d842a..0e38e16849 100644 --- a/.github/workflows/sdk-security.yml +++ b/.github/workflows/sdk-security.yml @@ -25,6 +25,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for SDK changes id: check-changes diff --git a/.github/workflows/sdk-tests.yml b/.github/workflows/sdk-tests.yml index 6800b71896..92a18a17fc 100644 --- a/.github/workflows/sdk-tests.yml +++ b/.github/workflows/sdk-tests.yml @@ -32,6 +32,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for SDK changes id: check-changes @@ -119,7 +121,7 @@ jobs: "wafv2": ["cognito", "elbv2"], } - changed_raw = """${{ steps.changed-aws.outputs.all_changed_files }}""" + changed_raw = """${STEPS_CHANGED_AWS_OUTPUTS_ALL_CHANGED_FILES}""" # all_changed_files is space-separated, not newline-separated # Strip leading "./" if present for consistent path handling changed_files = [Path(f.lstrip("./")) for f in changed_raw.split() if f] 
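Review bot: `changed_raw = """${STEPS_CHANGED_AWS_OUTPUTS_ALL_CHANGED_FILES}"""` in the sdk-tests hunk at `@@ -119,7 +121,7 @@` still splices the step output into Python source text: the surrounding script appears to be an unquoted shell heredoc (its `PY` terminator is visible at the start of the next hunk), so the shell expands the variable before Python parses the script, and a changed-file path containing `"""` or a backslash escape still changes the program rather than the data. Read it from the environment inside Python instead, `changed_raw = os.environ.get("STEPS_CHANGED_AWS_OUTPUTS_ALL_CHANGED_FILES", "")` (adding `import os` if the script does not already have it), which also allows the heredoc delimiter to be quoted (`<<'PY'`) so no shell expansion happens inside the Python body at all. The heredoc's opening line is outside this hunk; the matching `env:` entry is added in the following hunk.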
@@ -174,20 +176,25 @@ jobs: else: print("AWS service test paths: none detected") PY + env: + STEPS_CHANGED_AWS_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-aws.outputs.all_changed_files }} - name: Run AWS tests if: steps.changed-aws.outputs.any_changed == 'true' run: | - echo "AWS run_all=${{ steps.aws-services.outputs.run_all }}" - echo "AWS service_paths='${{ steps.aws-services.outputs.service_paths }}'" + echo "AWS run_all=${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}" + echo "AWS service_paths='${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}'" - if [ "${{ steps.aws-services.outputs.run_all }}" = "true" ]; then + if [ "${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}" = "true" ]; then poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws - elif [ -z "${{ steps.aws-services.outputs.service_paths }}" ]; then + elif [ -z "${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}" ]; then echo "No AWS service paths detected; skipping AWS tests." else - poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${{ steps.aws-services.outputs.service_paths }} + poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS} fi + env: + STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL: ${{ steps.aws-services.outputs.run_all }} + STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS: ${{ steps.aws-services.outputs.service_paths }} - name: Upload AWS coverage to Codecov if: steps.changed-aws.outputs.any_changed == 'true' diff --git a/.github/workflows/test-impact-analysis.yml b/.github/workflows/test-impact-analysis.yml index 7f750ede2b..b684ec4e09 100644 --- a/.github/workflows/test-impact-analysis.yml +++ b/.github/workflows/test-impact-analysis.yml @@ -49,6 +49,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Get changed files id: changed-files 
@@ -66,41 +68,47 @@ jobs: id: impact run: | echo "Changed files:" - echo "${{ steps.changed-files.outputs.all_changed_files }}" | tr ' ' '\n' + echo "${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' echo "" - python .github/scripts/test-impact.py ${{ steps.changed-files.outputs.all_changed_files }} + python .github/scripts/test-impact.py ${STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES} + env: + STEPS_CHANGED_FILES_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }} - name: Set convenience flags id: set-flags run: | - if [[ -n "${{ steps.impact.outputs.sdk-tests }}" ]]; then + if [[ -n "${STEPS_IMPACT_OUTPUTS_SDK_TESTS}" ]]; then echo "has-sdk-tests=true" >> $GITHUB_OUTPUT else echo "has-sdk-tests=false" >> $GITHUB_OUTPUT fi - if [[ -n "${{ steps.impact.outputs.api-tests }}" ]]; then + if [[ -n "${STEPS_IMPACT_OUTPUTS_API_TESTS}" ]]; then echo "has-api-tests=true" >> $GITHUB_OUTPUT else echo "has-api-tests=false" >> $GITHUB_OUTPUT fi - if [[ -n "${{ steps.impact.outputs.ui-e2e }}" ]]; then + if [[ -n "${STEPS_IMPACT_OUTPUTS_UI_E2E}" ]]; then echo "has-ui-e2e=true" >> $GITHUB_OUTPUT else echo "has-ui-e2e=false" >> $GITHUB_OUTPUT fi + env: + STEPS_IMPACT_OUTPUTS_SDK_TESTS: ${{ steps.impact.outputs.sdk-tests }} + STEPS_IMPACT_OUTPUTS_API_TESTS: ${{ steps.impact.outputs.api-tests }} + STEPS_IMPACT_OUTPUTS_UI_E2E: ${{ steps.impact.outputs.ui-e2e }} - name: Summary run: | echo "## Test Impact Analysis" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY - if [[ "${{ steps.impact.outputs.run-all }}" == "true" ]]; then + if [[ "${STEPS_IMPACT_OUTPUTS_RUN_ALL}" == "true" ]]; then echo "🚨 **Critical path changed - running ALL tests**" >> $GITHUB_STEP_SUMMARY else echo "### Affected Modules" >> $GITHUB_STEP_SUMMARY - echo "\`${{ steps.impact.outputs.modules }}\`" >> $GITHUB_STEP_SUMMARY + echo "\`${STEPS_IMPACT_OUTPUTS_MODULES}\`" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "### Tests to Run" >> 
$GITHUB_STEP_SUMMARY @@ -110,3 +118,8 @@ jobs: echo "| API Tests | \`${{ steps.impact.outputs.api-tests || 'none' }}\` |" >> $GITHUB_STEP_SUMMARY echo "| UI E2E | \`${{ steps.impact.outputs.ui-e2e || 'none' }}\` |" >> $GITHUB_STEP_SUMMARY fi + + env: + STEPS_IMPACT_OUTPUTS_RUN_ALL: ${{ steps.impact.outputs.run-all }} + + STEPS_IMPACT_OUTPUTS_MODULES: ${{ steps.impact.outputs.modules }} diff --git a/.github/workflows/ui-bump-version.yml b/.github/workflows/ui-bump-version.yml index 7c576eed55..f91fb5db9b 100644 --- a/.github/workflows/ui-bump-version.yml +++ b/.github/workflows/ui-bump-version.yml @@ -68,17 +68,22 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Calculate next minor version run: | - MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }} - MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }} + MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION} + MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION} NEXT_MINOR_VERSION=${MAJOR_VERSION}.$((MINOR_VERSION + 1)).0 echo "NEXT_MINOR_VERSION=${NEXT_MINOR_VERSION}" >> "${GITHUB_ENV}" echo "Current version: $PROWLER_VERSION" echo "Next minor version: $NEXT_MINOR_VERSION" + env: + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }} - name: Bump UI version in .env for master run: | 
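Review bot: The `Summary` step is only partly converted: the context lines in this hunk still interpolate `${{ steps.impact.outputs.api-tests || 'none' }}` and `${{ steps.impact.outputs.ui-e2e || 'none' }}` directly into the `run:` script, while the new `env:` block covers only `run-all` and `modules`. These outputs are produced by the `id: impact` step in the preceding hunk, which runs `python .github/scripts/test-impact.py` over the PR's changed file list, so they are the same class of value the rest of the commit moves into the environment; the `|| 'none'` default maps to shell `${VAR:-none}`. The `sdk-tests` row presumably sits just above the hunk and needs the same treatment. The step's `run:` block starts outside this hunk.
```yaml
          echo "| API Tests | \`${STEPS_IMPACT_OUTPUTS_API_TESTS:-none}\` |" >> $GITHUB_STEP_SUMMARY
          echo "| UI E2E | \`${STEPS_IMPACT_OUTPUTS_UI_E2E:-none}\` |" >> $GITHUB_STEP_SUMMARY
        fi
      env:
        STEPS_IMPACT_OUTPUTS_RUN_ALL: ${{ steps.impact.outputs.run-all }}
        STEPS_IMPACT_OUTPUTS_MODULES: ${{ steps.impact.outputs.modules }}
        STEPS_IMPACT_OUTPUTS_API_TESTS: ${{ steps.impact.outputs.api-tests }}
        STEPS_IMPACT_OUTPUTS_UI_E2E: ${{ steps.impact.outputs.ui-e2e }}
```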
@@ -115,11 +120,12 @@ jobs: uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: ref: v${{ needs.detect-release-type.outputs.major_version }}.${{ needs.detect-release-type.outputs.minor_version }} + persist-credentials: false - name: Calculate first patch version run: | - MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }} - MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }} + MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION} + MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION} FIRST_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.1 VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION} @@ -129,6 +135,9 @@ jobs: echo "First patch version: $FIRST_PATCH_VERSION" echo "Version branch: $VERSION_BRANCH" + env: + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }} - name: Bump UI version in .env for version branch run: | @@ -172,12 +181,14 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Calculate next patch version run: | - MAJOR_VERSION=${{ needs.detect-release-type.outputs.major_version }} - MINOR_VERSION=${{ needs.detect-release-type.outputs.minor_version }} - PATCH_VERSION=${{ needs.detect-release-type.outputs.patch_version }} + MAJOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION} + MINOR_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION} + PATCH_VERSION=${NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION} NEXT_PATCH_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.$((PATCH_VERSION + 1)) VERSION_BRANCH=v${MAJOR_VERSION}.${MINOR_VERSION} 
@@ -188,6 +199,10 @@ jobs: echo "Current version: $PROWLER_VERSION" echo "Next patch version: $NEXT_PATCH_VERSION" echo "Target branch: $VERSION_BRANCH" + env: + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MAJOR_VERSION: ${{ needs.detect-release-type.outputs.major_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_MINOR_VERSION: ${{ needs.detect-release-type.outputs.minor_version }} + NEEDS_DETECT_RELEASE_TYPE_OUTPUTS_PATCH_VERSION: ${{ needs.detect-release-type.outputs.patch_version }} - name: Bump UI version in .env for version branch run: | diff --git a/.github/workflows/ui-codeql.yml b/.github/workflows/ui-codeql.yml index 581e798189..fafa430baf 100644 --- a/.github/workflows/ui-codeql.yml +++ b/.github/workflows/ui-codeql.yml @@ -46,6 +46,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Initialize CodeQL uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 diff --git a/.github/workflows/ui-container-build-push.yml b/.github/workflows/ui-container-build-push.yml index 6f8c232185..8cb803ca7e 100644 --- a/.github/workflows/ui-container-build-push.yml +++ b/.github/workflows/ui-container-build-push.yml @@ -60,6 +60,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Notify container push started id: slack-notification @@ -96,6 +98,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Login to DockerHub uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 
@@ -143,18 +147,22 @@ jobs: run: | docker buildx imagetools create \ -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }} \ - -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }} \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64 + -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA} \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64 + env: + NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }} - name: Create and push manifests for release event if: github.event_name == 'release' || github.event_name == 'workflow_dispatch' run: | docker buildx imagetools create \ - -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }} \ + -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${RELEASE_TAG} \ -t ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.STABLE_TAG }} \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64 \ - ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64 + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64 \ + ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ 
env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64 + env: + NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }} - name: Install regctl if: always() @@ -164,9 +172,11 @@ jobs: if: always() run: | echo "Cleaning up intermediate tags..." - regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-amd64" || true - regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ needs.setup.outputs.short-sha }}-arm64" || true + regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-amd64" || true + regctl tag delete "${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${NEEDS_SETUP_OUTPUTS_SHORT_SHA}-arm64" || true echo "Cleanup completed" + env: + NEEDS_SETUP_OUTPUTS_SHORT_SHA: ${{ needs.setup.outputs.short-sha }} notify-release-completed: if: always() && needs.notify-release-started.result == 'success' && (github.event_name == 'release' || github.event_name == 'workflow_dispatch') @@ -176,15 +186,20 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Determine overall outcome id: outcome run: | - if [[ "${{ needs.container-build-push.result }}" == "success" && "${{ needs.create-manifest.result }}" == "success" ]]; then + if [[ "${NEEDS_CONTAINER_BUILD_PUSH_RESULT}" == "success" && "${NEEDS_CREATE_MANIFEST_RESULT}" == "success" ]]; then echo "outcome=success" >> $GITHUB_OUTPUT else echo "outcome=failure" >> $GITHUB_OUTPUT fi + env: + NEEDS_CONTAINER_BUILD_PUSH_RESULT: ${{ needs.container-build-push.result }} + NEEDS_CREATE_MANIFEST_RESULT: ${{ needs.create-manifest.result }} - name: Notify container push completed uses: ./.github/actions/slack-notification 
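Review bot: In `Create and push manifests for release event`, `${{ env.RELEASE_TAG }}` was rewritten to `${RELEASE_TAG}` but `${{ env.STABLE_TAG }}` on the next `-t` line, `${{ env.LATEST_TAG }}` in the preceding push-event step, and every `${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}`/`${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}` are left as template expressions, so a single command now mixes both forms. Values in the `env` context are exported to the step's shell, so the template form is redundant for them; for consistency use `${STABLE_TAG}`, `${LATEST_TAG}` and `${PROWLERCLOUD_DOCKERHUB_REPOSITORY}/${PROWLERCLOUD_DOCKERHUB_IMAGE}`, keeping `${{ ... }}` only for `secrets.*` and `needs.*`, which are not exported. The same mix remains in the sdk-container-build-push manifest hunk at `@@ -214,24 +220,30 @@`.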
diff --git a/.github/workflows/ui-container-checks.yml b/.github/workflows/ui-container-checks.yml index 4c027f1cb2..67134a6e4a 100644 --- a/.github/workflows/ui-container-checks.yml +++ b/.github/workflows/ui-container-checks.yml @@ -29,6 +29,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check if Dockerfile changed id: dockerfile-changed @@ -64,6 +66,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for UI changes id: check-changes diff --git a/.github/workflows/ui-e2e-tests-v2.yml b/.github/workflows/ui-e2e-tests-v2.yml index 9936737320..7736887c69 100644 --- a/.github/workflows/ui-e2e-tests-v2.yml +++ b/.github/workflows/ui-e2e-tests-v2.yml @@ -76,17 +76,21 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Show test scope run: | echo "## E2E Test Scope" >> $GITHUB_STEP_SUMMARY - if [[ "${{ env.RUN_ALL_TESTS }}" == "true" ]]; then + if [[ "${RUN_ALL_TESTS}" == "true" ]]; then echo "Running **ALL** E2E tests (critical path changed)" >> $GITHUB_STEP_SUMMARY else - echo "Running tests matching: \`${{ env.E2E_TEST_PATHS }}\`" >> $GITHUB_STEP_SUMMARY + echo "Running tests matching: \`${E2E_TEST_PATHS}\`" >> $GITHUB_STEP_SUMMARY fi echo "" - echo "Affected modules: \`${{ needs.impact-analysis.outputs.modules }}\`" >> $GITHUB_STEP_SUMMARY + echo "Affected modules: \`${NEEDS_IMPACT_ANALYSIS_OUTPUTS_MODULES}\`" >> $GITHUB_STEP_SUMMARY + env: + NEEDS_IMPACT_ANALYSIS_OUTPUTS_MODULES: ${{ needs.impact-analysis.outputs.modules }} - name: Create k8s Kind Cluster uses: helm/kind-action@v1 
@@ -195,14 +199,14 @@ jobs: - name: Run E2E tests working-directory: ./ui run: | - if [[ "${{ env.RUN_ALL_TESTS }}" == "true" ]]; then + if [[ "${RUN_ALL_TESTS}" == "true" ]]; then echo "Running ALL E2E tests..." pnpm run test:e2e else - echo "Running targeted E2E tests: ${{ env.E2E_TEST_PATHS }}" + echo "Running targeted E2E tests: ${E2E_TEST_PATHS}" # Convert glob patterns to playwright test paths # e.g., "ui/tests/providers/**" -> "tests/providers" - TEST_PATHS="${{ env.E2E_TEST_PATHS }}" + TEST_PATHS="${E2E_TEST_PATHS}" # Remove ui/ prefix and convert ** to empty (playwright handles recursion) TEST_PATHS=$(echo "$TEST_PATHS" | sed 's|ui/||g' | sed 's|\*\*||g' | tr ' ' '\n' | sort -u) # Drop auth setup helpers (not runnable test suites) @@ -244,6 +248,8 @@ jobs: echo "" >> $GITHUB_STEP_SUMMARY echo "No UI E2E tests needed for this change." >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY - echo "Affected modules: \`${{ needs.impact-analysis.outputs.modules }}\`" >> $GITHUB_STEP_SUMMARY + echo "Affected modules: \`${NEEDS_IMPACT_ANALYSIS_OUTPUTS_MODULES}\`" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY echo "To run all tests, modify a file in a critical path (e.g., \`ui/lib/**\`)." >> $GITHUB_STEP_SUMMARY + env: + NEEDS_IMPACT_ANALYSIS_OUTPUTS_MODULES: ${{ needs.impact-analysis.outputs.modules }} diff --git a/.github/workflows/ui-tests.yml b/.github/workflows/ui-tests.yml index cc1a318277..9076f38d9f 100644 --- a/.github/workflows/ui-tests.yml +++ b/.github/workflows/ui-tests.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: false - name: Check for UI changes id: check-changes 
@@ -122,10 +124,12 @@ jobs: if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed != 'true' && steps.changed-source.outputs.all_changed_files != '' run: | echo "Running tests related to changed files:" - echo "${{ steps.changed-source.outputs.all_changed_files }}" + echo "${STEPS_CHANGED_SOURCE_OUTPUTS_ALL_CHANGED_FILES}" # Convert space-separated to vitest related format (remove ui/ prefix for relative paths) - CHANGED_FILES=$(echo "${{ steps.changed-source.outputs.all_changed_files }}" | tr ' ' '\n' | sed 's|^ui/||' | tr '\n' ' ') + CHANGED_FILES=$(echo "${STEPS_CHANGED_SOURCE_OUTPUTS_ALL_CHANGED_FILES}" | tr ' ' '\n' | sed 's|^ui/||' | tr '\n' ' ') pnpm exec vitest related $CHANGED_FILES --run + env: + STEPS_CHANGED_SOURCE_OUTPUTS_ALL_CHANGED_FILES: ${{ steps.changed-source.outputs.all_changed_files }} - name: Run unit tests (test files only changed) if: steps.check-changes.outputs.any_changed == 'true' && steps.critical-changes.outputs.any_changed != 'true' && steps.changed-source.outputs.all_changed_files == '' diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md index 48b755a193..6d1184fd39 100644 --- a/prowler/CHANGELOG.md +++ b/prowler/CHANGELOG.md @@ -68,6 +68,7 @@ All notable changes to the **Prowler SDK** are documented in this file. ### 🔐 Security - Bumped `py-ocsf-models` to 0.8.1 and `cryptography` to 44.0.3 [(#10059)](https://github.com/prowler-cloud/prowler/pull/10059) +- Harden GitHub Actions workflows against expression injection, add `persist-credentials: false` to checkout steps, and configure dependabot cooldown [(#10200)](https://github.com/prowler-cloud/prowler/pull/10200) ---