diff --git a/.github/actions/install-trivy/action.yml b/.github/actions/install-trivy/action.yml new file mode 100644 index 00000000..284b8d21 --- /dev/null +++ b/.github/actions/install-trivy/action.yml @@ -0,0 +1,18 @@ +name: 'Install Trivy' +description: 'Install Trivy via the official apt repository. Replaces the duplicated inline install block used across multiple workflows.' +author: 'GrammaTonic' + +runs: + using: 'composite' + steps: + - name: Install Trivy via apt + shell: bash + run: | + wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \ + | gpg --dearmor \ + | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null + echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" \ + | sudo tee /etc/apt/sources.list.d/trivy.list + sudo apt-get update -qq + sudo apt-get install -y trivy + trivy --version diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml index b486cdc1..19327a24 100644 --- a/.github/workflows/ci-cd.yml +++ b/.github/workflows/ci-cd.yml @@ -11,6 +11,13 @@ name: CI/CD Pipeline on: push: branches: [main, develop] + paths: + - "docker/**" + - "scripts/**" + - "config/**" + - "monitoring/**" + - ".github/workflows/**" + - "tests/**" pull_request: branches: [main, develop] paths: @@ -60,8 +67,6 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v6 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - name: Log in to Container Registry uses: docker/login-action@v3 with: @@ -168,8 +173,6 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v6 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - name: Log in to Container Registry uses: docker/login-action@v3 with: @@ -274,8 +277,6 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v6 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - name: Log in to Container Registry uses: docker/login-action@v3 with: @@ -303,18 +304,18 @@ jobs: echo "Setting up Chrome-Go runner configuration..." # Copy the example config file cp config/chrome-go-runner.env.example config/chrome-go-runner.env - + # Update the config file with actual values sed -i.bak "s|GITHUB_TOKEN=ghp_your_personal_access_token_here|GITHUB_TOKEN=$GITHUB_TOKEN|" config/chrome-go-runner.env sed -i.bak "s|GITHUB_REPOSITORY=your-username/your-repo-name|GITHUB_REPOSITORY=$GITHUB_REPOSITORY|" config/chrome-go-runner.env - + echo "Provisioning Chrome-Go runner container in staging..." echo "Using configuration from config/chrome-go-runner.env" echo "Injecting GITHUB_TOKEN from secrets.REG_TOKEN" - + # Use --env-file to load configuration docker compose --env-file config/chrome-go-runner.env -f docker/docker-compose.chrome-go.yml up -d - + echo "Checking if Chrome-Go runner container is running..." RUNNING=$(docker ps --filter "name=github-runner-chrome-go" --filter "status=running" -q) if [ -z "$RUNNING" ]; then @@ -410,7 +411,7 @@ jobs: recursive: true failure-threshold: warning - name: Lint Shell Scripts with ShellCheck - uses: ludeeus/action-shellcheck@master + uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # master 2024-06-20 with: scandir: './scripts' severity: warning @@ -452,11 +453,8 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 0 - - name: Install Trivy via apt - run: | - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null - echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list - sudo apt-get update -qq && sudo apt-get install -y trivy + - name: Install Trivy + uses: ./.github/actions/install-trivy - name: Run Trivy vulnerability scanner on filesystem uses: aquasecurity/trivy-action@0.34.1 with: @@ -473,9 +471,9 @@ jobs: continue-on-error: true with: sarif_file: "trivy-results.sarif" - category: "security-scan" + category: "cicd-filesystem-scan" - name: Check for secrets in repository - uses: trufflesecurity/trufflehog@main + uses: trufflesecurity/trufflehog@v3.88.1 with: path: ./ base: ${{ github.event.before }} @@ -502,10 +500,21 @@ jobs: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Compute build platforms + id: platforms + run: | + # Build multi-arch (arm64) only on main; develop/feature branches use amd64-only for speed + if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then + echo "platforms=linux/amd64,linux/arm64" >> $GITHUB_OUTPUT + else + echo "platforms=linux/amd64" >> $GITHUB_OUTPUT + fi - name: Set up QEMU for multi-platform builds uses: docker/setup-qemu-action@v3 + if: steps.platforms.outputs.platforms != 'linux/amd64' with: - platforms: linux/amd64,linux/arm64 + platforms: ${{ steps.platforms.outputs.platforms }} + image: tonistiigi/binfmt:qemu-v10.2.1 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Extract normal runner metadata @@ -539,7 +548,7 @@ jobs: # Provide the default cache sources (multi-line) via GITHUB_ENV # Use cross-branch cache to leverage builds from feature branches and other branches printf "CACHE_FROM=type=gha\\ntype=gha,scope=normal-runner\\ntype=gha,scope=buildcache\\n" >> $GITHUB_ENV - printf "CACHE_TO=type=gha,mode=max,scope=normal-runner\\ntype=gha,mode=max,scope=buildcache\\n" >> $GITHUB_ENV + printf "CACHE_TO=type=gha,mode=max,scope=normal-runner\\n" >> $GITHUB_ENV # Also emit as step outputs so other action inputs can reference them (multi-line) echo "cache_from<> $GITHUB_OUTPUT echo "type=gha" >> $GITHUB_OUTPUT @@ -548,7 +557,6 @@ jobs: echo "EOF" >> $GITHUB_OUTPUT echo "cache_to<> $GITHUB_OUTPUT echo "type=gha,mode=max,scope=normal-runner" >> $GITHUB_OUTPUT - echo "type=gha,mode=max,scope=buildcache" >> $GITHUB_OUTPUT echo "EOF" >> $GITHUB_OUTPUT fi - name: Build and push normal runner Docker image @@ -556,7 +564,7 @@ jobs: uses: docker/build-push-action@v6 with: context: ./docker - platforms: linux/amd64,linux/arm64 + platforms: ${{ steps.platforms.outputs.platforms }} file: ./docker/Dockerfile push: true load: false @@ -576,17 +584,13 @@ jobs: echo "Normal runner image pushed to registry: $PRIMARY_TAG" echo "$PRIMARY_TAG" > build-normal-image-tag.txt echo "${{ steps.build.outputs.digest }}" > build-normal-image-digest.txt - - name: Upload normal runner build image tag as artifact + - name: Upload normal runner build artifacts uses: actions/upload-artifact@v6 with: - name: build-normal-image-tag - path: build-normal-image-tag.txt - retention-days: 30 - - name: Upload normal runner build image digest as artifact - uses: actions/upload-artifact@v6 - with: - name: build-normal-image-digest - path: build-normal-image-digest.txt + name: build-normal-image-artifacts + path: | + build-normal-image-tag.txt + build-normal-image-digest.txt retention-days: 30 build-chrome: name: Build Chrome Runner Image @@ -609,10 +613,6 @@ jobs: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Set up QEMU for multi-platform builds - uses: docker/setup-qemu-action@v3 - with: - platforms: linux/amd64,linux/arm64 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Extract Chrome runner metadata @@ -646,7 +646,7 @@ jobs: # Provide the default cache sources (multi-line) via GITHUB_ENV # Use cross-branch cache to leverage builds from feature branches and other branches printf "CACHE_FROM=type=gha\\ntype=gha,scope=chrome-runner\\ntype=gha,scope=buildcache\\n" >> $GITHUB_ENV - printf "CACHE_TO=type=gha,mode=max,scope=chrome-runner\\ntype=gha,mode=max,scope=buildcache\\n" >> $GITHUB_ENV + printf "CACHE_TO=type=gha,mode=max,scope=chrome-runner\\n" >> $GITHUB_ENV # Also emit as step outputs so other action inputs can reference them (multi-line) echo "cache_from<> $GITHUB_OUTPUT echo "type=gha" >> $GITHUB_OUTPUT @@ -655,7 +655,6 @@ jobs: echo "EOF" >> $GITHUB_OUTPUT echo "cache_to<> $GITHUB_OUTPUT echo "type=gha,mode=max,scope=chrome-runner" >> $GITHUB_OUTPUT - echo "type=gha,mode=max,scope=buildcache" >> $GITHUB_OUTPUT echo "EOF" >> $GITHUB_OUTPUT fi - name: Build and push Chrome runner image @@ -683,17 +682,13 @@ jobs: echo "Chrome runner image pushed to registry: $PRIMARY_TAG" echo "$PRIMARY_TAG" > build-chrome-image-tag.txt echo "${{ steps.build-chrome.outputs.digest }}" > build-chrome-image-digest.txt - - name: Upload Chrome build image tag as artifact + - name: Upload Chrome build artifacts uses: actions/upload-artifact@v6 with: - name: build-chrome-image-tag - path: build-chrome-image-tag.txt - retention-days: 30 - - name: Upload Chrome build image digest as artifact - uses: actions/upload-artifact@v6 - with: - name: build-chrome-image-digest - path: build-chrome-image-digest.txt + name: build-chrome-image-artifacts + path: | + build-chrome-image-tag.txt + build-chrome-image-digest.txt retention-days: 30 build-chrome-go: name: Build Chrome-Go Runner Image @@ -716,10 +711,6 @@ jobs: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Set up QEMU for multi-platform builds - uses: docker/setup-qemu-action@v3 - with: - platforms: linux/amd64,linux/arm64 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Extract Chrome-Go runner metadata @@ -753,7 +744,7 @@ jobs: # Provide the default cache sources (multi-line) via GITHUB_ENV # Use cross-branch cache to leverage builds from feature branches and other branches printf "CACHE_FROM=type=gha\\ntype=gha,scope=chrome-go-runner\\ntype=gha,scope=buildcache\\n" >> $GITHUB_ENV - printf "CACHE_TO=type=gha,mode=max,scope=chrome-go-runner\\ntype=gha,mode=max,scope=buildcache\\n" >> $GITHUB_ENV + printf "CACHE_TO=type=gha,mode=max,scope=chrome-go-runner\\n" >> $GITHUB_ENV # Also emit as step outputs so other action inputs can reference them (multi-line) echo "cache_from<> $GITHUB_OUTPUT echo "type=gha" >> $GITHUB_OUTPUT @@ -762,7 +753,6 @@ jobs: echo "EOF" >> $GITHUB_OUTPUT echo "cache_to<> $GITHUB_OUTPUT echo "type=gha,mode=max,scope=chrome-go-runner" >> $GITHUB_OUTPUT - echo "type=gha,mode=max,scope=buildcache" >> $GITHUB_OUTPUT echo "EOF" >> $GITHUB_OUTPUT fi - name: Build and push Chrome-Go runner image @@ -790,17 +780,13 @@ jobs: echo "Chrome-Go runner image pushed to registry: $PRIMARY_TAG" echo "$PRIMARY_TAG" > build-chrome-go-image-tag.txt echo "${{ steps.build-chrome-go.outputs.digest }}" > build-chrome-go-image-digest.txt - - name: Upload Chrome-Go build image tag as artifact - uses: actions/upload-artifact@v6 - with: - name: build-chrome-go-image-tag - path: build-chrome-go-image-tag.txt - retention-days: 30 - - name: Upload Chrome-Go build image digest as artifact + - name: Upload Chrome-Go build artifacts uses: actions/upload-artifact@v6 with: - name: build-chrome-go-image-digest - path: build-chrome-go-image-digest.txt + name: build-chrome-go-image-artifacts + path: | + build-chrome-go-image-tag.txt + build-chrome-go-image-digest.txt retention-days: 30 # Comprehensive Testing Suite test-package-validation: @@ -889,7 +875,7 @@ jobs: echo "✅ Docker Compose validation passed for $compose_file" else echo "❌ Docker Compose validation failed for $compose_file" - echo "Error details:" + echo "Error details:" cat "test-results/integration/compose-$compose_name.log" | head -20 integration_errors=$((integration_errors + 1)) fi @@ -1133,11 +1119,8 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 1 - - name: Install Trivy via apt - run: | - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null - echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list - sudo apt-get update -qq && sudo apt-get install -y trivy + - name: Install Trivy + uses: ./.github/actions/install-trivy - name: Run Trivy vulnerability scanner on container uses: aquasecurity/trivy-action@0.34.1 with: @@ -1153,7 +1136,7 @@ jobs: continue-on-error: true with: sarif_file: "trivy-container-results.sarif" - category: "container-scan" + category: "cicd-container-scan" security-chrome-scan: name: Chrome Container Security Scan runs-on: ubuntu-latest @@ -1166,11 +1149,8 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 1 - - name: Install Trivy via apt - run: | - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null - echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list - sudo apt-get update -qq && sudo apt-get install -y trivy + - name: Install Trivy + uses: ./.github/actions/install-trivy - name: Run Trivy vulnerability scanner on Chrome container uses: aquasecurity/trivy-action@0.34.1 with: @@ -1186,7 +1166,7 @@ jobs: continue-on-error: true with: sarif_file: "trivy-chrome-results.sarif" - category: "chrome-container-scan" + category: "cicd-chrome-container-scan" security-chrome-go-scan: name: Chrome-Go Container Security Scan runs-on: ubuntu-latest @@ -1199,11 +1179,8 @@ jobs: uses: actions/checkout@v6 with: fetch-depth: 1 - - name: Install Trivy via apt - run: | - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null - echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list - sudo apt-get update -qq && sudo apt-get install -y trivy + - name: Install Trivy + uses: ./.github/actions/install-trivy - name: Run Trivy vulnerability scanner on Chrome-Go container uses: aquasecurity/trivy-action@0.34.1 with: @@ -1219,7 +1196,7 @@ jobs: continue-on-error: true with: sarif_file: "trivy-chrome-go-results.sarif" - category: "chrome-go-container-scan" + category: "cicd-chrome-go-container-scan" cleanup: name: Cleanup Resources runs-on: ubuntu-latest diff --git a/.github/workflows/dependabot-rebase.yml b/.github/workflows/dependabot-rebase.yml index bf08cb25..0f33df20 100644 --- a/.github/workflows/dependabot-rebase.yml +++ b/.github/workflows/dependabot-rebase.yml @@ -19,39 +19,39 @@ jobs: - name: Find and rebase Dependabot PRs run: | echo "Finding Dependabot PRs that are out of date..." - + # Get all open Dependabot PRs DEPENDABOT_PRS=$(gh pr list \ --author "dependabot[bot]" \ --state open \ --json number,title,headRefName,mergeable,mergeStateStatus \ --jq '.[] | select(.mergeStateStatus == "BEHIND") | .number') - + if [ -z "$DEPENDABOT_PRS" ]; then echo "No out-of-date Dependabot PRs found." exit 0 fi - + echo "Found out-of-date PRs: $DEPENDABOT_PRS" - + # Rebase each out-of-date PR for PR_NUMBER in $DEPENDABOT_PRS; do echo "Rebasing PR #$PR_NUMBER..." - + # Comment on PR that we're rebasing it gh pr comment "$PR_NUMBER" \ --body "🔄 **Auto-rebase triggered** - + This PR was behind the base branch and has been updated automatically. CI checks will re-run, and the PR will auto-merge when all checks pass." - + # Trigger Dependabot to rebase the PR gh pr comment "$PR_NUMBER" --body "@dependabot rebase" - + echo "Rebase triggered for PR #$PR_NUMBER" sleep 2 # Rate limiting done - + echo "Rebase process completed." env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml index de6c0738..38c2ebd7 100644 --- a/.github/workflows/maintenance.yml +++ b/.github/workflows/maintenance.yml @@ -131,7 +131,7 @@ jobs: if [[ -f "docs/VERSION_OVERVIEW.md" ]]; then # Update last updated date sed -i "s/\*\*Last Updated\*\*:.*/\*\*Last Updated\*\*: $(date '+%B %d, %Y')/" docs/VERSION_OVERVIEW.md - + # Update GitHub Actions Runner version if changed if [[ "${{ steps.check-updates.outputs.runner-needs-update }}" == "true" ]]; then echo "GitHub Actions Runner update available: ${{ steps.check-updates.outputs.latest-runner }}" @@ -175,7 +175,7 @@ jobs: echo "Checking $dockerfile for security updates..." base_image=$(grep -E '^FROM' "$dockerfile" | head -1 | cut -d' ' -f2) echo "Base image: $base_image" - + # In practice, you'd pull and scan the image echo "Security scan would be performed here" fi @@ -220,11 +220,8 @@ jobs: - name: Checkout code uses: actions/checkout@v6 - - name: Install Trivy via apt - run: | - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null - echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list - sudo apt-get update -qq && sudo apt-get install -y trivy + - name: Install Trivy + uses: ./.github/actions/install-trivy - name: Run comprehensive security scan uses: aquasecurity/trivy-action@0.34.1 @@ -240,7 +237,7 @@ jobs: continue-on-error: true with: sarif_file: "dependency-security-scan.sarif" - category: "filesystem-scan" + category: "maintenance-filesystem-scan" - name: Check for known security patches run: | @@ -256,60 +253,7 @@ jobs: for patch in "${security_patches[@]}"; do IFS=':' read -r package cve description <<< "$patch" echo "Checking patch: $package ($cve - $description)" - - # Check if patch is present in Dockerfiles - if grep -q "$package" docker/Dockerfile* 2>/dev/null; then - echo "✅ $package patch is applied" - else - echo "❌ $package patch may be missing - requires review" - fi - done - - - name: Monitor for new CVEs - run: | - echo "Monitoring for new security advisories..." - - # Check GitHub Security Advisories for dependencies - # In practice, this would use GitHub's GraphQL API to check for new advisories - echo "Security advisory monitoring completed" - - # Generate security status report - cat > security-status.md << 'EOF' - # Security Status Report - - Generated: $(date -u) - - ## Applied Security Patches - - ✅ VDB-216777/CVE-2020-36632: flat@5.0.2 (Prototype pollution) - - ✅ CVE-2025-9288: sha.js@2.4.12 (Cypress SHA.js vulnerability) - - ✅ CVE-2024-37890: ws@8.17.1 (WebSocket DoS vulnerability) - - ## Security Scanning - - ✅ Weekly Trivy filesystem scans - - ✅ Container image vulnerability scanning - - ✅ SARIF upload to GitHub Security tab - - ## Recommendations - - Continue monitoring for new security advisories - - Maintain up-to-date base images - - Regular dependency updates - EOF - - - name: Check for known security patches - run: | - echo "Checking security patch status..." - # Check if known security fixes are still applied - security_patches=( - "flat@5.0.2:VDB-216777/CVE-2020-36632:Prototype pollution fix" - "sha.js@2.4.12:CVE-2025-9288:Cypress dependency fix" - "ws@8.17.1:CVE-2024-37890:WebSocket DoS fix" - ) - - for patch in "${security_patches[@]}"; do - IFS=':' read -r package cve description <<< "$patch" - echo "Checking patch: $package ($cve - $description)" - # Check if patch is present in Dockerfiles if grep -q "$package" docker/Dockerfile* 2>/dev/null; then echo "✅ $package patch is applied" @@ -327,14 +271,14 @@ jobs: echo "Security advisory monitoring completed" # Generate security status report - cat > security-status.md << 'EOF' + cat > security-status.md << EOF # Security Status Report Generated: $(date -u) ## Applied Security Patches - ✅ VDB-216777/CVE-2020-36632: flat@5.0.2 (Prototype pollution) - - ✅ CVE-2025-9288: sha.js@2.4.12 (Cypress SHA.js vulnerability) + - ✅ CVE-2025-9288: sha.js@2.4.12 (Cypress SHA.js vulnerability) - ✅ CVE-2024-37890: ws@8.17.1 (WebSocket DoS vulnerability) ## Security Scanning @@ -356,16 +300,16 @@ jobs: # Parse SARIF for severity levels critical_count=$(jq '[.runs[].results[] | select(.level == "error")] | length' dependency-security-scan.sarif 2>/dev/null || echo "0") high_count=$(jq '[.runs[].results[] | select(.level == "warning")] | length' dependency-security-scan.sarif 2>/dev/null || echo "0") - + echo "Critical vulnerabilities: $critical_count" echo "High/Warning vulnerabilities: $high_count" - + if [[ $critical_count -gt 0 ]]; then echo "::error::Critical vulnerabilities found! Immediate action required." # Create issue for critical vulnerabilities echo "Critical security issues detected - manual review required" fi - + if [[ $high_count -gt 10 ]]; then echo "::warning::Multiple security issues found - review recommended." fi @@ -406,17 +350,17 @@ jobs: # Check for broken internal links in markdown files find docs/ wiki-content/ -name "*.md" -type f | while read -r file; do echo "Checking links in $file" - + # Extract markdown links grep -oE '\[.*\]\([^)]+\)' "$file" | while read -r link; do url=$(echo "$link" | sed 's/.*(\([^)]*\)).*/\1/') - + # Check internal file links (relative paths) if [[ ! "$url" =~ ^https?:// ]] && [[ ! "$url" =~ ^# ]]; then # Resolve relative path dir=$(dirname "$file") target_file="$dir/$url" - + if [[ ! -f "$target_file" ]] && [[ ! -d "$target_file" ]]; then echo "::warning::Broken link in $file: $url" fi @@ -459,7 +403,7 @@ jobs: for file in wiki-content/*.md; do filename=$(basename "$file") wiki_file="wiki-repo/$filename" - + if [[ -f "$wiki_file" ]]; then if ! diff -q "$file" "$wiki_file" > /dev/null; then echo "::warning::Wiki content out of sync: $filename" @@ -503,7 +447,7 @@ jobs: status: 'completed', per_page: 100 }); - + for (const run of runs.data.workflow_runs) { const runDate = new Date(run.created_at); if (runDate < cutoffDate) { @@ -586,13 +530,13 @@ jobs: script_issues=0 find scripts/ -name "*.sh" -type f | while read -r script; do echo "Checking $script..." - + # Check if executable if [[ ! -x "$script" ]]; then echo "::warning::Script $script is not executable" ((script_issues++)) fi - + # Check syntax if ! bash -n "$script" 2>/dev/null; then echo "::error::Script $script has syntax errors" diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e2423447..fcec9c74 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -239,11 +239,8 @@ jobs: matrix: scan: [standard, chrome, chrome-go] steps: - - name: Install Trivy via apt - run: | - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null - echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list - sudo apt-get update -qq && sudo apt-get install -y trivy + - name: Install Trivy + uses: ./.github/actions/install-trivy - name: Run Trivy vulnerability scanner (standard) if: matrix.scan == 'standard' uses: aquasecurity/trivy-action@0.34.1 @@ -274,25 +271,25 @@ jobs: continue-on-error: true with: sarif_file: "release-security-scan.sarif" - category: "container-scan" + category: "release-container-scan-standard" - name: Upload security scan results (chrome) if: matrix.scan == 'chrome' uses: github/codeql-action/upload-sarif@v4 continue-on-error: true with: sarif_file: "release-chrome-security-scan.sarif" - category: "container-scan-chrome" + category: "release-container-scan-chrome" - name: Upload security scan results (chrome-go) if: matrix.scan == 'chrome-go' uses: github/codeql-action/upload-sarif@v4 continue-on-error: true with: sarif_file: "release-chrome-go-security-scan.sarif" - category: "container-scan-chrome-go" + category: "release-container-scan-chrome-go" - name: Check for critical vulnerabilities (standard) if: matrix.scan == 'standard' run: | - critical_count=$(grep -c "CRITICAL" release-security-scan.sarif || echo "0") + critical_count=$(jq '[.runs[].results[] | select(.level == "error")] | length' release-security-scan.sarif 2>/dev/null || echo "0") if [[ $critical_count -gt 0 ]]; then echo "::error::Critical vulnerabilities found in standard release image!" echo "::error::Cannot proceed with release. Please fix vulnerabilities first." @@ -302,7 +299,7 @@ jobs: - name: Check for critical vulnerabilities (chrome) if: matrix.scan == 'chrome' run: | - critical_count=$(grep -c "CRITICAL" release-chrome-security-scan.sarif || echo "0") + critical_count=$(jq '[.runs[].results[] | select(.level == "error")] | length' release-chrome-security-scan.sarif 2>/dev/null || echo "0") if [[ $critical_count -gt 0 ]]; then echo "::error::Critical vulnerabilities found in Chrome release image!" echo "::error::Cannot proceed with release. Please fix vulnerabilities first." @@ -312,7 +309,7 @@ jobs: - name: Check for critical vulnerabilities (chrome-go) if: matrix.scan == 'chrome-go' run: | - critical_count=$(grep -c "CRITICAL" release-chrome-go-security-scan.sarif || echo "0") + critical_count=$(jq '[.runs[].results[] | select(.level == "error")] | length' release-chrome-go-security-scan.sarif 2>/dev/null || echo "0") if [[ $critical_count -gt 0 ]]; then echo "::error::Critical vulnerabilities found in Chrome-Go release image!" echo "::error::Cannot proceed with release. Please fix vulnerabilities first." diff --git a/.github/workflows/security-advisories.yml b/.github/workflows/security-advisories.yml index f7449b12..f4652adb 100644 --- a/.github/workflows/security-advisories.yml +++ b/.github/workflows/security-advisories.yml @@ -2,7 +2,7 @@ name: Security Advisory Management on: schedule: - - cron: "0 2 * * 1" # Weekly on Monday at 2 AM UTC + - cron: "0 3 * * 1" # Weekly on Monday at 3 AM UTC (staggered from maintenance at 2AM) workflow_dispatch: inputs: severity_filter: @@ -59,11 +59,8 @@ jobs: - name: Create results directory run: mkdir -p trivy-results - - name: Install Trivy via apt - run: | - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null - echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list - sudo apt-get update -qq && sudo apt-get install -y trivy + - name: Install Trivy + uses: ./.github/actions/install-trivy # Filesystem vulnerability scan - name: Run Trivy filesystem scan @@ -82,7 +79,7 @@ jobs: uses: github/codeql-action/upload-sarif@v4 with: sarif_file: "trivy-results/filesystem.sarif" - category: "filesystem-scan" + category: "advisory-filesystem-scan" continue-on-error: true - name: Generate filesystem JSON report @@ -110,8 +107,8 @@ jobs: push: false tags: github-runner:scan load: true - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: type=gha,scope=advisory-normal-runner + cache-to: type=gha,mode=max,scope=advisory-normal-runner - name: Verify image exists if: contains(steps.params.outputs.scan_targets, 'container') @@ -140,7 +137,7 @@ jobs: uses: github/codeql-action/upload-sarif@v4 with: sarif_file: "trivy-results/container.sarif" - category: "container-scan" + category: "advisory-container-scan" continue-on-error: true - name: Generate container JSON report @@ -172,8 +169,8 @@ jobs: push: false tags: github-runner-chrome:scan load: true - cache-from: type=gha - cache-to: type=gha,mode=max + cache-from: type=gha,scope=advisory-chrome-runner + cache-to: type=gha,mode=max,scope=advisory-chrome-runner - name: Verify Chrome image exists if: contains(steps.params.outputs.scan_targets, 'chrome') @@ -202,7 +199,7 @@ jobs: uses: github/codeql-action/upload-sarif@v4 with: sarif_file: "trivy-results/chrome.sarif" - category: "chrome-container-scan" + category: "advisory-chrome-container-scan" continue-on-error: true - name: Generate Chrome JSON report @@ -240,19 +237,19 @@ jobs: for result_file in trivy-results/*.json; do if [[ -f "$result_file" ]]; then target=$(basename "$result_file" .json) - + critical=$(jq -r '[.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' "$result_file" 2>/dev/null || echo "0") high=$(jq -r '[.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH")] | length' "$result_file" 2>/dev/null || echo "0") medium=$(jq -r '[.Results[]?.Vulnerabilities[]? | select(.Severity == "MEDIUM")] | length' "$result_file" 2>/dev/null || echo "0") low=$(jq -r '[.Results[]?.Vulnerabilities[]? | select(.Severity == "LOW")] | length' "$result_file" 2>/dev/null || echo "0") - + target_total=$((critical + high + medium + low)) - + total_critical=$((total_critical + critical)) total_high=$((total_high + high)) total_medium=$((total_medium + medium)) total_low=$((total_low + low)) - + echo "| $target | $critical | $high | $medium | $low | $target_total |" >> $GITHUB_STEP_SUMMARY fi done @@ -299,12 +296,12 @@ jobs: - name: Create Security Summary Report run: | - cat > security-report.md << 'EOF' + cat > security-report.md << EOF # 🔒 GitHub Runner Security Report - **Generated**: $(date -u '+%Y-%m-%d %H:%M:%S UTC') - **Repository**: ${{ github.repository }} - **Branch**: ${{ github.ref_name }} + **Generated**: $(date -u '+%Y-%m-%d %H:%M:%S UTC') + **Repository**: ${{ github.repository }} + **Branch**: ${{ github.ref_name }} **Workflow Run**: [${{ github.run_number }}](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}) ## 📊 Scan Configuration @@ -371,7 +368,7 @@ jobs: thirtyDaysAgo.setDate(thirtyDaysAgo.getDate() - 30); const oldSecurityArtifacts = artifacts.artifacts.filter(artifact => { - const isSecurityArtifact = artifact.name.includes('security-scan-reports') || + const isSecurityArtifact = artifact.name.includes('security-scan-reports') || artifact.name.includes('security-summary'); const isOld = new Date(artifact.created_at) < thirtyDaysAgo; return isSecurityArtifact && isOld; diff --git a/.github/workflows/seed-trivy-sarif.yml b/.github/workflows/seed-trivy-sarif.yml index 5008bcec..2e84ca5b 100644 --- a/.github/workflows/seed-trivy-sarif.yml +++ b/.github/workflows/seed-trivy-sarif.yml @@ -41,7 +41,7 @@ on: push: branches: [main] # Only on production deployments schedule: - - cron: '0 2 * * 1' # Weekly deep scan on Monday 2 AM UTC + - cron: '0 4 * * 1' # Weekly deep scan on Monday 4 AM UTC (staggered from maintenance at 2AM, advisories at 3AM) permissions: contents: read @@ -57,11 +57,8 @@ jobs: - name: Checkout code uses: actions/checkout@v6 - - name: Install Trivy via apt - run: | - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null - echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list - sudo apt-get update -qq && sudo apt-get install -y trivy + - name: Install Trivy + uses: ./.github/actions/install-trivy - name: Run Trivy filesystem scan (generate SARIF) uses: aquasecurity/trivy-action@0.34.1 @@ -81,7 +78,7 @@ jobs: if: always() with: sarif_file: "trivy-filesystem-baseline.sarif" - category: "filesystem-scan" + category: "baseline-filesystem-scan" - name: Upload SARIF as artifact uses: actions/upload-artifact@v6 @@ -126,11 +123,8 @@ jobs: - name: Verify image loaded run: docker images | grep github-runner-${{ matrix.variant }} - - name: Install Trivy via apt - run: | - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null - echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee /etc/apt/sources.list.d/trivy.list - sudo apt-get update -qq && sudo apt-get install -y trivy + - name: Install Trivy + uses: ./.github/actions/install-trivy - name: Run Trivy container scan (generate SARIF) uses: aquasecurity/trivy-action@0.34.1 @@ -150,7 +144,7 @@ jobs: if: always() with: sarif_file: "trivy-container-${{ matrix.variant }}-baseline.sarif" - category: "container-scan-${{ matrix.variant }}" + category: "baseline-container-scan-${{ matrix.variant }}" - name: Upload SARIF as artifact uses: actions/upload-artifact@v6 diff --git a/docker/docker-compose.chrome-go.yml b/docker/docker-compose.chrome-go.yml index c1bb167b..9cf32e4f 100644 --- a/docker/docker-compose.chrome-go.yml +++ b/docker/docker-compose.chrome-go.yml @@ -97,4 +97,4 @@ volumes: networks: runner-network: driver: bridge - name: github-runners \ No newline at end of file + name: github-runners diff --git a/scripts/populate-wiki.sh b/scripts/populate-wiki.sh index 8f8369f3..38661148 100755 --- a/scripts/populate-wiki.sh +++ b/scripts/populate-wiki.sh @@ -26,7 +26,7 @@ create_wiki_pages() { cd wiki-repo || exit 1 else cd wiki-repo || exit 1 - git pull origin main + git pull origin master fi echo "Copying wiki content..." @@ -50,7 +50,7 @@ create_wiki_pages() { - Add common issues and troubleshooting guide - Include quick start links and external resources" - git push origin main + git push origin master echo "" echo "✅ Wiki populated successfully!" diff --git a/wiki-content/Home.md b/wiki-content/Home.md index ddd4cfc1..386ddd01 100644 --- a/wiki-content/Home.md +++ b/wiki-content/Home.md @@ -7,14 +7,19 @@ Welcome to the comprehensive documentation for the GitHub Actions Self-Hosted Ru ## 🎯 **Latest Updates** -### � **Release v2.2.0 Available** (November 14, 2025) - -- **Image Versions**: Standard Runner v2.2.0, Chrome Runner v2.2.0 with npm `tar@7.5.2` override -- **Browser Stack**: Chrome 142.0.7444.162, Playwright 1.58.2, Cypress 15.11.0, Node.js 24.14.0 -- **Documentation Sync**: README, changelog, wiki, and release notes fully updated — see [Release Notes v2.2.0](../docs/releases/RELEASE_NOTES_v2.2.0.md) +### 🚀 **Release v2.4.0 Available** (March 1, 2026) + +- **Image Versions**: Standard Runner v2.4.0, Chrome Runner v2.4.0, Chrome-Go Runner v2.4.0 +- **Base Image**: Switched to `ubuntu:resolute` (25.10) across all Dockerfiles for latest browser dependencies +- **Browser Stack**: Chrome for Testing **146.0.7680.31**, Playwright **1.58.2**, Cypress **15.11.0**, Node.js **24.14.0** (LTS Krypton), npm **11.11.0** +- **Go Toolchain**: Go **1.26.0** in Chrome-Go runner +- **GitHub Actions Runner**: Bumped to **v2.331.0** +- **Security Overrides**: `tar@7.5.9`, `brace-expansion@5.0.4`, `@isaacs/brace-expansion@5.0.1`, `glob@13.0.6`, `minimatch@10.2.4`, `diff@8.0.3` +- **CI/CD Fix**: Trivy scanner now installs via apt repository (fixes broken wget download); `trivy-action` pinned to `0.34.1` +- **Playwright**: Configured to use system Chrome binary via `PLAYWRIGHT_CHROMIUM_EXECUTABLE_PATH` - **Quality Gates**: Docker validation, security scans, and runner self-tests passing ✅ -### �🔒 **Critical Security Improvements** (January 15, 2025) +### 🔒 **Critical Security Improvements** (January 15, 2025) - **Security Patches**: ✅ VDB-216777/CVE-2020-36632, CVE-2025-9288, CVE-2024-37890 resolved - **Performance**: Optimized Docker images with comprehensive cache cleaning @@ -30,13 +35,17 @@ Welcome to the comprehensive documentation for the GitHub Actions Self-Hosted Ru ## 📊 **Current Versions** -| Component | Standard Runner | Chrome Runner | Security Status | -| ------------------------- | --------------- | ------------- | ----------------------- | -| **Image Version** | v2.2.0 | v2.2.0 | ✅ Latest | -| **GitHub Actions Runner** | v2.331.0 | v2.331.0 | ✅ Latest | -| **Node.js** | - | 24.14.0 | ✅ Chrome Runner Only | -| **Playwright** | - | 1.58.2 | ✅ Latest | -| **Cypress** | - | 15.11.0 | ✅ Latest | +| Component | Standard Runner | Chrome Runner | Chrome-Go Runner | Security Status | +| ------------------------- | --------------- | ------------------ | ------------------ | ----------------------- | +| **Image Version** | v2.4.0 | v2.4.0 | v2.4.0 | ✅ Latest | +| **Base Image** | ubuntu:resolute | ubuntu:resolute | ubuntu:resolute | ✅ Latest | +| **GitHub Actions Runner** | v2.331.0 | v2.331.0 | v2.331.0 | ✅ Latest | +| **Node.js** | - | 24.14.0 (Krypton) | 24.14.0 (Krypton) | ✅ Chrome Runner Only | +| **npm** | - | 11.11.0 | 11.11.0 | ✅ Latest | +| **Chrome for Testing** | - | 146.0.7680.31 | 146.0.7680.31 | ✅ Latest | +| **Playwright** | - | 1.58.2 | 1.58.2 | ✅ Latest | +| **Cypress** | - | 15.11.0 | 15.11.0 | ✅ Latest | +| **Go** | - | - | 1.26.0 | ✅ Chrome-Go Only | > 📋 **Full Version Details**: [Version Overview](../docs/VERSION_OVERVIEW.md)