diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000000..e346f3da38 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,14 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options: +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "github-actions" + directory: "/" + target-branch: "develop" + schedule: + interval: "weekly" + cooldown: + default-days: 4 diff --git a/.github/workflows/issue_to_jira.yml b/.github/workflows/issue_to_jira.yml index 148142b65b..024a1c3416 100644 --- a/.github/workflows/issue_to_jira.yml +++ b/.github/workflows/issue_to_jira.yml @@ -4,14 +4,15 @@ on: issues: types: [opened] -permissions: - contents: read - issues: write +permissions: {} jobs: call-workflow-create-jira-issue: if: startsWith(github.repository, 'MiraGeoscience/') # run on the Mira repo only - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@v2 + permissions: + contents: read + issues: write with: project-key: 'GEOPY' components: '[{"name": "simpeg"}]' diff --git a/.github/workflows/pr_add_jira_summary.yml b/.github/workflows/pr_add_jira_summary.yml index 210bba945a..db5cb2f0c5 100644 --- a/.github/workflows/pr_add_jira_summary.yml +++ b/.github/workflows/pr_add_jira_summary.yml @@ -4,14 +4,15 @@ on: pull_request_target: # zizmor: ignore[dangerous-triggers] types: [opened] -permissions: - contents: read - pull-requests: write +permissions: {} jobs: call-workflow-add-jira-issue-summary: if: startsWith(github.repository, 'MiraGeoscience/') # run if PR targets the Mira repo only - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@v2 + permissions: + contents: read + pull-requests: write secrets: JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }} JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }} diff --git a/.github/workflows/python_deploy_dev.yml b/.github/workflows/python_deploy_dev.yml index afddb544e0..d42d67f424 100644 --- a/.github/workflows/python_deploy_dev.yml +++ b/.github/workflows/python_deploy_dev.yml @@ -5,6 +5,8 @@ on: tags: - 'v*' # Push events to every version tag (eg. v1.0.0) +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref || github.run_id }} cancel-in-progress: true @@ -12,10 +14,9 @@ concurrency: jobs: call-workflow-conda-publish: name: Publish development conda package on JFrog Artifactory - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_rattler_package.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_rattler_package.yml@v2 permissions: - contents: write # to create draft release and attach artifacts - actions: read + contents: write with: package-name: 'mira-simpeg' python-version: '3.10' @@ -28,10 +29,9 @@ jobs: JFROG_ARTIFACTORY_TOKEN: ${{ secrets.JFROG_ARTIFACTORY_TOKEN }} call-workflow-pypi-publish: name: Publish development pypi package (JFrog Artifactory, TestPyPI) - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_pypi_package.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_pypi_package.yml@v2 permissions: - contents: write # to create draft release and attach artifacts - actions: read + contents: write with: package-manager: 'setuptools' package-name: 'mira-simpeg' diff --git a/.github/workflows/python_deploy_prod.yml b/.github/workflows/python_deploy_prod.yml index ea8201f46f..407e3ef03c 100644 --- a/.github/workflows/python_deploy_prod.yml +++ b/.github/workflows/python_deploy_prod.yml @@ -19,6 +19,8 @@ on: type: boolean default: true +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.event.release.tag_name || github.event.inputs.release-tag || github.run_id }} cancel-in-progress: true @@ -27,10 +29,9 @@ jobs: call-workflow-conda-release: name: Publish production Conda package on JFrog Artifactory if: ${{ github.event_name == 'release' || github.event.inputs.publish-conda == 'true' }} - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_conda_assets.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_conda_assets.yml@v2 permissions: - contents: write # seems required to find the draft release - actions: read + contents: write with: virtual-repo-names: '["public-noremote-conda-prod"]' release-tag: ${{ github.event.release.tag_name || github.event.inputs.release-tag }} @@ -40,10 +41,9 @@ jobs: call-workflow-pypi-release: name: Publish production PyPI package (JFrog Artifactory, PyPI) if: ${{ github.event_name == 'release' || github.event.inputs.publish-pypi == 'true' }} - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_pypi_assets.yml@main + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_pypi_assets.yml@v2 permissions: - contents: write # seems required to find the draft release - actions: read + contents: write with: package-name: 'mira-simpeg' virtual-repo-names: '["public-pypi-prod", "pypi"]' diff --git a/.github/workflows/security_scan.yml b/.github/workflows/security_scan.yml new file mode 100644 index 0000000000..3a1b2861d8 --- /dev/null +++ b/.github/workflows/security_scan.yml @@ -0,0 +1,45 @@ +name: Security Scan + +on: + pull_request: + types: [opened, synchronize, reopened, ready_for_review] + branches: + - develop + - main + - release/** + - feature/** + - hotfix/** + push: + branches: + - develop + - main + - release/** + - feature/** + - hotfix/** + +permissions: {} + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +jobs: + call-workflow-zizmor-annotate: + name: Zizmor analysis (advanced security) + # run on the Mira repo only (upstream SimPEG repo has its own workflow for Zizmor) + if: ${{ github.event_name != 'pull_request' && startsWith(github.repository, 'MiraGeoscience/') }} + permissions: + security-events: write + contents: read + actions: read + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-zizmor-advanced-security.yml@v2 + + call-workflow-zizmor-advanced-security: + name: Zizmor analysis (annotate) + # run on the Mira repo only (upstream SimPEG repo has its own workflow for Zizmor) + if: ${{ github.event_name == 'pull_request' && startsWith(github.repository, 'MiraGeoscience/') }} + permissions: + checks: write + contents: read + actions: read + uses: MiraGeoscience/CI-tools/.github/workflows/reusable-zizmor-annotate.yml@v2 diff --git a/.github/workflows/zizmor-security-mira.yml b/.github/workflows/zizmor-security-mira.yml deleted file mode 100644 index 5f44473b27..0000000000 --- a/.github/workflows/zizmor-security-mira.yml +++ /dev/null @@ -1,28 +0,0 @@ -name: Zizmor analysis - -on: - pull_request: - types: [opened, synchronize, reopened, ready_for_review] - branches: - - develop - - main - - release/** - - feature/** - - hotfix/** - push: - branches: - - main - - develop - - feature/** - - hotfix/** - - release/** - -jobs: - call-workflow-zizmor: - name: Zizmor analysis - # run on the Mira repo only (upstream SimPEG repo has its own workflow for Zizmor) - if: startsWith(github.repository, 'MiraGeoscience/') - permissions: - contents: read - actions: read - uses: MiraGeoscience/CI-tools/.github/workflows/reusable-zizmor-security.yml@main diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 0000000000..01c57e8228 --- /dev/null +++ b/zizmor.yml @@ -0,0 +1 @@ +rules: