diff --git a/.github/labeler.yml b/.github/labeler.yml new file mode 100644 index 000000000..280429aeb --- /dev/null +++ b/.github/labeler.yml @@ -0,0 +1,15 @@ +program: +- 'programs/**' +client: +- 'ts/client/**' +liquidator: +- 'liquidator/**' +keeper: +- 'keeper/**' +ci: +- '.github/workflows/**' +dependency: +- '*.lock' +documentation: +- '*.md' +- '**/LICENCE' diff --git a/.github/workflows/ci-code-review-rust.yml b/.github/workflows/ci-code-review-rust.yml index a87505697..c33e17e6a 100644 --- a/.github/workflows/ci-code-review-rust.yml +++ b/.github/workflows/ci-code-review-rust.yml @@ -7,7 +7,8 @@ on: 'keeper/**', 'lib/**', 'liquidator/**', - 'anchor/cli/**'] + 'anchor/cli/**', + 'Cargo.lock'] pull_request: branches: ['main', 'dev'] paths: ['cli/**', @@ -16,7 +17,8 @@ on: 'keeper/**', 'lib/**', 'liquidator/**', - 'anchor/cli/**'] + 'anchor/cli/**', + 'Cargo.lock'] workflow_dispatch: # Pick branch manually env: 
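Review bot: The `'*.md'` and `'*.lock'` patterns under `documentation` and `dependency` appear to match only root-level files, since a single `*` does not cross `/` in the glob matching actions/labeler uses, whereas the `'**/LICENCE'` entry right after them matches at any depth. If markdown anywhere in the tree should get the label, write `- '**/*.md'`; `'*.lock'` is fine as long as the only lockfiles of interest are the root `Cargo.lock` and `yarn.lock` that the workflows in this commit scan. A one-line comment above each list stating whether root-only matching is intended would stop the next editor from "fixing" it either way.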
@@ -101,12 +103,48 @@ jobs: with: name: raw-test-bpf path: raw-test-bpf.log + + sca: + name: Dependency Scan + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v3 + # Report all vulnerabilities in security tab + - name: Report on all vulnerabilities + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: 'Cargo.lock' + ignore-unfixed: true + hide-progress: true + format: 'sarif' + output: 'trivy-results.sarif' + + # Fail the job on critical vulnerabiliies with fix available + - name: Fail on critical vulnerabilities + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: 'Cargo.lock' + ignore-unfixed: true + hide-progress: true + format: 'table' + severity: 'CRITICAL' + exit-code: '1' + + - name: Upload output + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + sarif_file: 'trivy-results.sarif' + # Download logs and process them process-logs: name: Process logs runs-on: ubuntu-latest - needs: [format, clippy, test] + needs: ['test'] steps: - name: Download raw log uses: actions/download-artifact@v3 diff --git a/.github/workflows/ci-code-review-ts.yml b/.github/workflows/ci-code-review-ts.yml index 9e5cb78ff..c7d620ad0 100644 --- a/.github/workflows/ci-code-review-ts.yml +++ b/.github/workflows/ci-code-review-ts.yml @@ -3,9 +3,9 @@ name: Code Review - TypeScript on: pull_request: branches: ['main', 'dev'] - paths: ['ts/**'] + paths: ['ts/**', 'yarn.lock'] push: - paths: ['ts/**'] + paths: ['ts/**', 'yarn.lock'] jobs: format: @@ -46,8 +46,8 @@ jobs: - name: Lint run: yarn lint - unit-test: - name: Unit Test + test: + name: Test runs-on: ubuntu-latest steps: - name: Checkout code @@ -65,7 +65,7 @@ jobs: - name: Run Test run: yarn test - semgrep: + sast: name: Security Scan runs-on: ubuntu-latest container: 
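Review bot: Both trivy steps in the new `sca` job use `uses: aquasecurity/trivy-action@master`, a mutable branch reference, so whatever lands on that branch runs inside this repository's CI with its `GITHUB_TOKEN`; the `sca` job added to ci-code-review-ts.yml in the next file has the same two steps. Pin it to a release tag, or better a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`, as the hunk already does for `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2`. The job also declares no `permissions:` block, and `upload-sarif` needs `security-events: write`; if the repository's default token permissions are read-only (not visible here) the `Upload output` step fails even though `if: always()` runs it, so add `permissions:` with `security-events: write` and `contents: read` to the job. Finally, `ignore-unfixed: true` combined with `severity: 'CRITICAL'` means a HIGH finding with a fix available only surfaces in the security tab and never fails the job; if that is the intended policy, say so in the `# Fail the job on critical vulnerabiliies with fix available` comment (and fix its spelling).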
@@ -85,3 +85,60 @@ jobs: if: always() with: sarif_file: semgrep-results.sarif + + sca: + name: Dependency Scan + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v3 + + # Report all vulnerabilities in security tab + - name: Report on all vulnerabilities + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: 'yarn.lock' + ignore-unfixed: true + hide-progress: true + format: 'sarif' + output: 'trivy-results.sarif' + + # Fail the job on critical vulnerabiliies with fix available + - name: Fail on critical vulnerabilities + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: 'yarn.lock' + ignore-unfixed: true + hide-progress: true + format: 'table' + severity: 'CRITICAL' + exit-code: '1' + + - name: Upload output + uses: github/codeql-action/upload-sarif@v2 + if: always() + with: + sarif_file: 'trivy-results.sarif' + + yarn-pass: + name: Yarn tests pass + needs: ['format', 'lint', 'test'] + runs-on: ubuntu-latest + steps: + - run: echo ok + + security-pass: + name: Security tests pass + needs: ['sca', 'sast'] + runs-on: ubuntu-latest + steps: + - run: echo ok + + all-pass: + name: All tests pass 🚀 + needs: ['yarn-pass', 'security-pass'] + runs-on: ubuntu-latest + steps: + - run: echo ok diff --git a/.github/workflows/ci-dependency-scan-cargo.yml b/.github/workflows/ci-dependency-scan-cargo.yml deleted file mode 100644 index bd7348e65..000000000 --- a/.github/workflows/ci-dependency-scan-cargo.yml +++ /dev/null 
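Review bot: The `all-pass` job at the end of the hunk is skipped rather than failed when one of its `needs` fails, because a job whose dependency did not succeed is skipped by default, and GitHub treats a skipped job as passing for a required status check; if `All tests pass 🚀` is meant to be the single required check on `dev`/`main`, a failing lint, test or scan would not block the merge. Give the job `if: always()` and have a step inspect `needs.*.result` explicitly, as below; `yarn-pass` and `security-pass` can keep the default behaviour because `all-pass` then sees their `skipped` result and fails. This is inferred from the workflow's shape, so worth confirming against the branch-protection settings, which are not visible here.
```yaml
  all-pass:
    name: All tests pass 🚀
    needs: ['yarn-pass', 'security-pass']
    if: always()
    runs-on: ubuntu-latest
    steps:
      - name: Fail unless every needed job succeeded
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')
        run: exit 1
      - run: echo ok
```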
@@ -1,59 +0,0 @@ -name: Dependency Security Scan - Cargo - -on: - pull_request: - branches: ['main', 'dev'] - paths: ['cli/**', - 'client/**', - 'programs/**', - 'keeper/**', - 'lib/**', - 'liquidator/**', - 'anchor/cli/**', - 'Cargo.lock'] - push: - paths: ['cli/**', - 'client/**', - 'programs/**', - 'keeper/**', - 'lib/**', - 'liquidator/**', - 'anchor/cli/**', - 'Cargo.lock'] - -jobs: - trivy: - name: Dependency Scan - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v3 - - # Report all vulnerabilities in security tab - - name: Report on all vulnerabilities - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - scan-ref: 'Cargo.lock' - ignore-unfixed: true - hide-progress: true - format: 'sarif' - output: 'trivy-results.sarif' - - # Fail the job on critical vulnerabiliies with fix available - - name: Fail on critical vulnerabilities - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - scan-ref: 'Cargo.lock' - ignore-unfixed: true - hide-progress: true - format: 'table' - severity: 'CRITICAL' - exit-code: '1' - - - name: Upload output - uses: github/codeql-action/upload-sarif@v2 - if: always() - with: - sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/.github/workflows/ci-dependency-scan-yarn.yml b/.github/workflows/ci-dependency-scan-yarn.yml deleted file mode 100644 index 00af7615c..000000000 --- a/.github/workflows/ci-dependency-scan-yarn.yml +++ /dev/null 
@@ -1,45 +0,0 @@ -name: Dependency Security Scan - Yarn - -on: - pull_request: - branches: ['main', 'dev'] - paths: ['ts/**', 'yarn.lock'] - push: - paths: ['ts/**', 'yarn.lock'] - -jobs: - trivy: - name: Dependency Scan - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v3 - - # Report all vulnerabilities in security tab - - name: Report on all vulnerabilities - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - scan-ref: 'yarn.lock' - ignore-unfixed: true - hide-progress: true - format: 'sarif' - output: 'trivy-results.sarif' - - # Fail the job on critical vulnerabiliies with fix available - - name: Fail on critical vulnerabilities - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - scan-ref: 'yarn.lock' - ignore-unfixed: true - hide-progress: true - format: 'table' - severity: 'CRITICAL' - exit-code: '1' - - - name: Upload output - uses: github/codeql-action/upload-sarif@v2 - if: always() - with: - sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/.github/workflows/ci-labels.yml b/.github/workflows/ci-labels.yml new file mode 100644 index 000000000..1644ea332 --- /dev/null +++ b/.github/workflows/ci-labels.yml @@ -0,0 +1,17 @@ +name: PR Labels +on: + pull_request: + types: [opened, synchronize] + branches: [dev] + +jobs: + label: + name: Add PR labels + permissions: + contents: read + pull-requests: write + runs-on: ubuntu-latest + steps: + - uses: actions/labeler@v4 + with: + repo-token: "${{ secrets.GITHUB_TOKEN }}"
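Review bot: With `on: pull_request`, the `GITHUB_TOKEN` for a pull request opened from a fork is read-only regardless of the job's `permissions:` block, so `pull-requests: write` is not granted and the `actions/labeler@v4` step cannot apply labels on fork PRs. If fork PRs should be labelled, the action's own documentation uses `on: pull_request_target`; since this job has no checkout step and only reads the labeler configuration, switching triggers does not run untrusted PR code, which is the usual reason to avoid `pull_request_target` — worth a comment either way so nobody later adds a checkout to this job. Also, `types: [opened, synchronize]` omits `reopened`, so a PR reopened after its labels were cleared is not relabelled until its next push; add `reopened` if that matters.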