OpenMQTTGateway/.github/workflows/task-security-scan.yml
Alessandro Staniscia 98481c5145 [SITE] Renew the web board presentation and the ESP32 web upload + [SYS] Security checks (#2277)
* Refactor GitHub Actions workflows for build, documentation, and linting

- Consolidated build logic into reusable workflows (`task-build.yml` and `task-docs.yml`) to reduce duplication across multiple workflows.
- Introduced `environments.json` to centralize the list of PlatformIO build environments, improving maintainability and clarity.
- Updated `build.yml` and `build_and_docs_to_dev.yml` to utilize the new reusable workflows and environment definitions.
- Enhanced `release.yml` to streamline the release process and integrate documentation generation.
- Created reusable linting workflow (`task-lint.yml`) to standardize code formatting checks across the repository.
- Simplified manual documentation workflow by leveraging the new reusable documentation workflow.
- Improved artifact management and retention policies across workflows.
- Updated dependencies and versions in workflows to ensure compatibility and performance.

CI/CD pipeline agnostic of Workflow Engine and integrated on github actions

- Implemented ci.sh for orchestrating the complete build pipeline.
- Created ci_00_config.sh for centralized configuration of build scripts.
- Created ci_build_firmware.sh for building firmware for specified PlatformIO environments.
- Created ci_prepare_artifacts.sh for preparing firmware artifacts for upload or deployment.
- Created ci_set_version.sh for updating version tags in firmware configuration files.
- Created ci_build.sh to orchestrate the complete build pipeline.
- Created ci_qa.sh for code linting and formatting checks using clang-format.
- Created ci_site.sh for building and deploying VuePress documentation with version management.
- Implemented checks for required tools and dependencies in the new scripts.
- Improved internal scripts for better error handling and logging.

UPDATE the web installer manifest generation and update documentation structure
- Enhanced ci_list-env.sh to list environments from a JSON file.
- Replaced common_wu.py and gen_wu.py scripts with new npm scripts for site generation and previewing on docsgen/gen_wu.js
- Replaced generate_board_docs.py with docsgen/generated_board_docs.js
- Added new npm scripts for integration of site generation on build phase.
- Created preview_site.js to serve locally generated site over HTTPS with improved error handling.
- Added new CI environments for CI builds in environments.json.
- Deleted lint.yml as part of workflow cleanup.
- Enhanced task-build.yml to include linting as a job and added support for specifying PlatformIO version.
- Improved task-docs.yml to handle versioning more effectively and added clean option.

Enhance documentation
- ADD CLEAR Mark of development version of site
- Updated README.md to include detailed workflow dependencies and relationships using mermaid diagrams.
- Improved development.md with a quick checklist for contributors and clarified the code style guide.
- Enhanced quick_start.md with tips for contributors and streamlined the workflow explanation.

LINT FIX
- Refined User_config.h for better formatting consistency.
- Adjusted blufi.cpp and gatewayBT.cpp for improved code readability and consistency in formatting.
- Updated gatewaySERIAL.cpp and mqttDiscovery.cpp to enhance logging error messages.
- Improved sensorDS1820.cpp for better logging of device information.

Add security scan workflows for vulnerability detection

Add SBOM generation and upload to release workflow; update security scan summary handling

Add shellcheck support + FIX shellcheck warning

Enhance documentation for CI/CD scripts and workflows, adding details for security scanning and SBOM generation processes

Fix formatting and alignment in BLE connection handling

Reviewed the full web board presentation and the ESP32 web upload. The project uses a modern pattern where data is divided from the presentation layer.

- Removed the `generate_board_docs` script.
- Updated the `gen_wu` script in order to generate `boards-info.json`: the file that contains all information about the configuration
- Created and isolated the file `boards-info.js` to streamline the parsing of PlatformIO dependencies, modules, environments and improve the handling of library information.
- Introduced vuepress component `BoardEnvironmentTable.vue` that renders `boards-info.json` as UI card component
- Introduced vuepress component `FlashEnvironmentSelector.vue` that renders a selected environment from `boards-info.json` and provides esp-web-upload feature on it
- Introduced a new board page `board-selector.md` for improved firmware selection.
- Updated `web-install.md` to enhance the firmware upload process, including a new board environment table.
- Enhanced custom descriptions in `environments.ini` to include HTML links for better user guidance and board image link

Add CC1101 initialization improvements and logging enhancements
Add installation step for PlatformIO dependencies in documentation workflow

Remove ci_set_version.sh script and associated versioning functionality

* Fix comment provisioned

Fix PlatformIO version input reference in documentation workflow

Remove outdated Squeezelite-ESP32 installer documentation
2026-03-09 07:47:30 -05:00

125 lines
4.3 KiB
YAML

name: Reusable Security Scan Workflow

on:
  workflow_call:
    inputs:
      scan-type:
        description: 'Type of scan: fs (filesystem), config, or image'
        required: false
        type: string
        default: 'fs'
      severity:
        description: 'Severity levels to report (comma-separated: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)'
        required: false
        type: string
        default: 'HIGH,CRITICAL'
      exit-code:
        description: 'Exit code when vulnerabilities found (0=continue, 1=fail)'
        required: false
        type: string
        default: '0'
      upload-to-security-tab:
        description: 'Upload SARIF to GitHub Security tab (GitHub-specific feature)'
        required: false
        type: boolean
        default: true
      scan-path:
        description: 'Path to scan (default: entire repository)'
        required: false
        type: string
        default: '.'
      generate-sbom:
        description: 'Generate Software Bill of Materials (SBOM) in CycloneDX and SPDX formats'
        required: false
        type: boolean
        default: true

jobs:
  security-scan:
    runs-on: ubuntu-latest
    name: Security vulnerability scan
    permissions:
      contents: read
      security-events: write # Required only for GitHub Security tab upload
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Install Trivy
        run: |
          set -euo pipefail
          curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key \
            | gpg --dearmor \
            | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
            | sudo tee /etc/apt/sources.list.d/trivy.list > /dev/null
          sudo apt-get update
          sudo apt-get install -y trivy

      - name: Run Security Scan using ci_security.sh
        # Inputs are handed to the script through environment variables rather
        # than expanded inline, so their values reach the shell as data and
        # are never parsed as part of the script text.
        env:
          SCAN_TYPE: ${{ inputs.scan-type }}
          SCAN_PATH: ${{ inputs.scan-path }}
          SEVERITY: ${{ inputs.severity }}
          EXIT_CODE: ${{ inputs.exit-code }}
          GENERATE_SBOM: ${{ inputs.generate-sbom }}
        run: |
          set -euo pipefail
          sbom_flag=""
          if [[ "${GENERATE_SBOM}" == "true" ]]; then
            sbom_flag="--generate-sbom"
          fi
          # sbom_flag is left unquoted on purpose: when empty it must vanish
          # instead of being passed as an empty argument.
          ./scripts/ci_security.sh \
            --scan-type "${SCAN_TYPE}" \
            --scan-path "${SCAN_PATH}" \
            --severity "${SEVERITY}" \
            --exit-code "${EXIT_CODE}" \
            ${sbom_flag}

      # GitHub-specific: Upload to Security tab
      - name: Upload SARIF to GitHub Security tab
        if: inputs.upload-to-security-tab == true && always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: './generated/reports/trivy-results.sarif'
          category: 'trivy-security-scan'

      # Agnostic: Upload all reports as artifacts (works on any CI)
      - name: Upload security reports as artifacts
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-scan-reports
          path: |
            ./generated/reports/trivy-results.sarif
            ./generated/reports/trivy-report.json
            ./generated/reports/trivy-report.txt
            ./generated/reports/security-summary.md
            ./generated/reports/trivy-scan.log
          retention-days: 90

      # Display summary in workflow output
      - name: Display Security Summary
        if: always()
        run: |
          cat ./generated/reports/security-summary.md >> "$GITHUB_STEP_SUMMARY" 2>/dev/null || echo "Summary not available"

      # Upload the SBOM directory as a separate artifact
      - name: Upload SBOM reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: sbom-reports
          path: |
            ./generated/reports/sbom/
          retention-days: 90

      # Optional: Fail the build if critical vulnerabilities found
      - name: Check for critical vulnerabilities
        if: inputs.exit-code == '1'
        run: |
          if [ -f ./generated/reports/trivy-results.sarif ]; then
            # Counts SARIF results whose level is "error"; a jq failure is treated as 0.
            CRITICAL=$(jq '[.runs[].results[] | select(.level == "error")] | length' ./generated/reports/trivy-results.sarif 2>/dev/null || echo "0")
            if [ "$CRITICAL" -gt 0 ]; then
              echo "❌ Found ${CRITICAL} critical vulnerabilities!"
              echo "Review the security reports in artifacts."
              exit 1
            fi
          fi
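
The final gate step counts SARIF results at level "error", which Trivy's SARIF output uses for both HIGH and CRITICAL findings, and it passes when the report is missing or cannot be parsed. The following is an added example, not code from the OpenMQTTGateway repository: a gate that separates the severities and fails closed. It assumes each rule carries its severity name in `properties.tags`, and the sample report and `EXAMPLE-n` rule ids are constructed.

```python
import json
import sys

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample shaped like a Trivy SARIF report (not real scan output).
def _rule(rule_id, sev):
    return {"id": rule_id, "properties": {"tags": ["vulnerability", "security", sev]}}

SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "Trivy", "rules": [
        _rule("EXAMPLE-1", "CRITICAL"), _rule("EXAMPLE-2", "HIGH"), _rule("EXAMPLE-3", "MEDIUM")]}},
    "results": [{"ruleId": "EXAMPLE-1", "level": "error"}, {"ruleId": "EXAMPLE-2", "level": "error"},
                {"ruleId": "EXAMPLE-2", "level": "error"}, {"ruleId": "EXAMPLE-3", "level": "warning"}],
}]}

def count_error_level(sarif):
    """Same count as the workflow's jq filter: results with level == "error"."""
    return sum(r.get("level") == "error"
               for run in sarif["runs"] for r in run.get("results", []))

def count_by_severity(sarif):
    """Count results per severity via the severity tag on each result's rule."""
    counts = dict.fromkeys(SEVERITIES, 0)
    for run in sarif["runs"]:
        sev_of = {}
        for rule in run.get("tool", {}).get("driver", {}).get("rules", []):
            tags = rule.get("properties", {}).get("tags", [])
            sev_of[rule["id"]] = next((t for t in tags if t in SEVERITIES), "UNKNOWN")
        for result in run.get("results", []):
            counts[sev_of.get(result.get("ruleId"), "UNKNOWN")] += 1
    return counts

def gate(sarif_text, blocking=("CRITICAL",)):
    """Return (exit_code, counts): 1 on blocking findings, 2 if the SARIF is unusable."""
    try:
        counts = count_by_severity(json.loads(sarif_text))
    except (ValueError, KeyError, TypeError, AttributeError):
        return 2, {}  # fail closed: a broken report must not pass the gate
    return (1 if any(counts[s] for s in blocking) else 0), counts

if __name__ == "__main__":
    try:
        text = open(sys.argv[1]).read()
    except (IndexError, OSError):
        text = ""  # no readable report: gate() returns 2
    code, counts = gate(text)
    print(counts or "SARIF missing or malformed")
    sys.exit(code)
```

On the constructed sample the "error"-level count is 3 while only one finding is CRITICAL, which is the gap between the step's message and what it measures.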