From fe0d89315d843f561868982aaa90b8fdd9ee8199 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 26 Feb 2024 11:27:05 -0800
Subject: [PATCH 1/2] Bump super-linter/super-linter from 5.7.2 to 6.2.0 in /.github/workflows (#197) * Bump super-linter/super-linter from 5.7.2 to 6.2.0 in /.github/workflows Bumps [super-linter/super-linter](https://github.com/super-linter/super-linter) from 5.7.2 to 6.2.0. - [Release notes](https://github.com/super-linter/super-linter/releases) - [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md) - [Commits](https://github.com/super-linter/super-linter/compare/v5.7.2...v6.2.0) --- updated-dependencies: - dependency-name: super-linter/super-linter dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * Update lint.yaml * Update lint.yaml * disable lint checks and fix shell exec * add shfmt pre-commit hook * update install list and run shfmt --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Tyler Titsworth --- .github/utils/val-args.sh | 14 +++++++------- .github/workflows/lint.yaml | 7 +++++-- .pre-commit-config.yaml | 4 ++++ CONTRIBUTING.md | 2 +- classical-ml/tests/sklearn.sh | 1 - 5 files changed, 17 insertions(+), 11 deletions(-)
diff --git a/.github/utils/val-args.sh b/.github/utils/val-args.sh
index fc86e548..9ea88fb8 100755
--- a/.github/utils/val-args.sh
+++ b/.github/utils/val-args.sh
@@ -7,11 +7,11 @@ input_string="$1" # Use regex to find the line that contains '/test-group' and capture it if [[ $input_string =~ /test-group(.*) ]]; then - matched_line="${BASH_REMATCH[1]}" + matched_line="${BASH_REMATCH[1]}" else - # If the pattern is not found, exit - echo "Error: The input string does not contain a line with '/test-group'." - exit 1 + # If the pattern is not found, exit + echo "Error: The input string does not contain a line with '/test-group'." + exit 1 fi # Use regex to extract key-value pairs with the cases:
@@ -21,10 +21,10 @@ key_val_pairs=$(echo "$matched_line" | grep -oP "$regex" | sed 's/: /=/g') # Check if there is at least one key-value pair if [[ -z "$key_val_pairs" ]]; then - echo "Error: The matched line does not contain any valid key-value pairs." - exit 1 + echo "Error: The matched line does not contain any valid key-value pairs." + exit 1 fi # Print the key-value pairs echo "$key_val_pairs"
-echo "$key_val_pairs" >> "$GITHUB_OUTPUT"
+echo "$key_val_pairs" >>"$GITHUB_OUTPUT"
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index b64cc190..fabf8691 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -18,13 +18,16 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + fetch-depth: 0 - name: Super-linter - uses: super-linter/super-linter/slim@v5.7.2 + uses: super-linter/super-linter/slim@v6.2.0 env: - DEFAULT_BRANCH: main # To report GitHub Actions status checks GITHUB_TOKEN: ${{ secrets.ACTION_TOKEN }} GITHUB_ACTIONS_COMMAND_ARGS: '-ignore SC.*' + VALIDATE_BASH_EXEC: false + VALIDATE_CHECKOV: false VALIDATE_KUBERNETES_KUBECONFORM: false VALIDATE_NATURAL_LANGUAGE: false VALIDATE_PYTHON_FLAKE8: false
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 23b80d91..949b3d8f 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
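Review bot: `VALIDATE_CHECKOV: false` and `VALIDATE_BASH_EXEC: false` switch two checks off for the whole repository — checkov is the infrastructure-as-code misconfiguration scanner super-linter runs over Dockerfiles and workflow files, and the BASH_EXEC check flags shell scripts that lack the executable bit — and neither the hunk nor the commit message ("disable lint checks") records which findings prompted it. If they were silenced to get the v6 major bump green, a comment naming the failing checks and the intent to re-enable would keep the exclusion from becoming permanent, e.g. `VALIDATE_CHECKOV: false  # TODO: re-enable once <failing checkov checks> are triaged`. Dropping `DEFAULT_BRANCH: main` also leaves v6 to its own default (presumably `master`), so it is worth confirming that changed-file linting still diffs against `main`. The step stays pinned to the mutable tag `@v6.2.0` while the ossf.yaml added in the next patch pins every action to a commit SHA with a `# vX.Y.Z` comment; pinning here the same way would make the two workflows consistent. The `steps:` list this hunk edits continues past the hunk.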
@@ -27,6 +27,10 @@ repos: rev: v0.9.0 hooks: - id: shellcheck + - repo: https://github.com/cisagov/pre-commit-shfmt + rev: v0.0.2 + hooks: + - id: shfmt - repo: https://github.com/ambv/black rev: 23.12.1 hooks:
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 7b722175..c8c8bf1c 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -16,7 +16,7 @@ This project follows the [Contributor Covenant Code of Conduct](CODE_OF_CONDUCT. 2. Create a new branch for your contribution: `git checkout -b feature/your-feature`. 3. Install [pre-commit](https://pre-commit.com/), [Docker](https://docs.docker.com/engine/install/), and [Python 3.8+](https://www.python.org/downloads/). 4. Follow the [Project Setup](README.md#project-setup) steps. -5. Install the third-party python dependencies necessary for pre-commit with `pip install pytest pylint black`. +5. Install the third-party python dependencies necessary for pre-commit with `pip install pytest pylint black shfmt-py`. 6. Make your changes, commit, and sign your changes: `git commit -s -m 'Add your feature'`. 7. Push to the branch: `git push origin feature/your-feature`. 8. Submit a pull request.
diff --git a/classical-ml/tests/sklearn.sh b/classical-ml/tests/sklearn.sh
index 213cb322..d9a1cbfd 100644
--- a/classical-ml/tests/sklearn.sh
+++ b/classical-ml/tests/sklearn.sh
@@ -26,7 +26,6 @@ # For reference: # https://docs.docker.com/develop/develop-images/build_enhancements/ - wget https://raw.githubusercontent.com/intel/ai-containers/main/preset/classical-ml/tests/scikit/kmeans.py python kmeans.py true
From aaa992bcb0491c16423aa388545a74177bef8c17 Mon Sep 17 00:00:00 2001
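Review bot: The new `shfmt` hook is added without `args`, so shfmt's built-in defaults apply (tab indentation, no simplification), and nothing in the hunk records the style the repository's shell scripts were reformatted to in this same commit; whether that rewrite used spaces or tabs cannot be told from the collapsed val-args.sh hunk. Pinning the style explicitly, e.g. `args: ["-i", "2", "-ci"]` if two-space indentation is what the scripts now use, keeps the pre-commit pass and the super-linter run from fighting over formatting. CONTRIBUTING.md in this series also tells contributors to `pip install ... shfmt-py`; if the cisagov hook builds its own shfmt binary (cisagov's hooks are typically `language: golang`), that pip package is presumably redundant and worth confirming before it lands in the setup steps. The `repos:` list continues on both sides of the hunk.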
From: Tyler Titsworth
Date: Mon, 26 Feb 2024 11:32:05 -0800
Subject: [PATCH 2/2] Add OSSF Action (#198) * add ossf-action * Update ossf.yaml * update runner * add extra perms * scan develop * scan at 11:21 * satisfy bkm --- .github/workflows/ossf.yaml | 72 +++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+)
create mode 100644 .github/workflows/ossf.yaml
diff --git a/.github/workflows/ossf.yaml b/.github/workflows/ossf.yaml
new file mode 100644
index 00000000..4f8d6a05
--- /dev/null
+++ b/.github/workflows/ossf.yaml
@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '29 17 * * 4'
+ push:
+ branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: k8-runners
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ contents: read
+ actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ repo_token: ${{ secrets.ACTION_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ with:
+ sarif_file: results.sarif
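Review bot: `repo_token: ${{ secrets.ACTION_TOKEN }}` hands the same secret that lint.yaml passes as its `GITHUB_TOKEN` to the third-party scorecard-action, and the comment block directly above it says this slot is for a "write" PAT that is only needed for the Branch-Protection check on a public repository or for a private-repository install; a PAT is not constrained by the `permissions: read-all` and job-level `contents: read` declared in this file, which scope only the built-in token. If the Branch-Protection check is not required, drop the `repo_token` line so the action presumably falls back to the workflow token; otherwise make `ACTION_TOKEN` a fine-grained token with read-only access to this repository and say so inline, e.g. `repo_token: ${{ secrets.ACTION_TOKEN }}  # fine-grained read-only PAT; needed only for the Branch-Protection check`. Separately, the four SHA-pinned actions sit at older releases than the rest of the repository (checkout v3.1.0 here versus `actions/checkout@v4` in lint.yaml); since dependabot already covers /.github/workflows they will be bumped, so keep the trailing `# vX.Y.Z` comments in step with the SHAs when that happens.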