Skip to content
Merged
Show file tree
Hide file tree
Changes from 5 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions .github/workflows/copyright-headers.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
name: Copyright Headers

on:
pull_request:
paths:
- 'docs/docusaurus/src/**'
- '.github/workflows/copyright-headers.yml'
workflow_call:
inputs:
soft-fail:
description: 'Whether to continue on copyright header violations'
required: false
type: boolean
default: false

permissions:
contents: read

jobs:
copyright-headers:
name: Copyright Header Validation
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4

Check warning on line 27 in .github/workflows/copyright-headers.yml

View workflow job for this annotation

GitHub Actions / Dependency Pinning / Validate SHA Pinning Compliance

Unpinned github-actions dependency: actions/checkout@v4 (Severity: High)
Comment thread Fixed
with:
persist-credentials: false
fetch-depth: 0

- name: Validate copyright headers
id: validate
shell: bash
run: |
MISSING=0
HEADER_PATTERN="Copyright (c) Microsoft Corporation"

echo "Checking copyright headers in docs/docusaurus/src/..."
while IFS= read -r -d '' file; do
if ! head -5 "$file" | grep -q "$HEADER_PATTERN"; then
echo "::warning file=${file}::Missing copyright header: ${file}"
MISSING=$((MISSING + 1))
fi
done < <(find docs/docusaurus/src -type f \( -name '*.ts' -o -name '*.tsx' -o -name '*.js' -o -name '*.jsx' -o -name '*.css' \) -print0)

echo "Files missing headers: $MISSING"
if [ "$MISSING" -gt 0 ]; then
echo "COPYRIGHT_FAILED=true" >> "$GITHUB_ENV"
fi
continue-on-error: ${{ inputs.soft-fail }}

- name: Check results
if: ${{ !inputs.soft-fail }}
shell: bash
run: |
if [ "$COPYRIGHT_FAILED" = "true" ]; then
echo "::error::Copyright header validation found violations"
exit 1
fi
82 changes: 82 additions & 0 deletions .github/workflows/deploy-docs.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
# Docusaurus documentation site deployment
# Prerequisite: Enable GitHub Pages in repo Settings > Pages > Source: GitHub Actions
# and allow the target branch in Settings > Environments > github-pages > Deployment branches

name: Deploy Documentation Site

on:
push:
branches:
- main
paths:
- 'docs/**'
- '.github/workflows/deploy-docs.yml'
workflow_dispatch:

concurrency:
group: pages-deploy-${{ github.ref }}
cancel-in-progress: false

permissions:
contents: read

jobs:
test:
name: Docusaurus Tests
uses: ./.github/workflows/docusaurus-tests.yml
permissions:
contents: read
with:
soft-fail: false

build:
name: Build Docusaurus
needs: test
runs-on: ubuntu-latest
permissions:
contents: read
pages: write
steps:
- name: Checkout
uses: actions/checkout@v4

Check warning on line 41 in .github/workflows/deploy-docs.yml

View workflow job for this annotation

GitHub Actions / Dependency Pinning / Validate SHA Pinning Compliance

Unpinned github-actions dependency: actions/checkout@v4 (Severity: High)
Comment thread Fixed
with:
persist-credentials: false
fetch-depth: 0

- name: Setup Node.js
uses: actions/setup-node@v4

Check warning on line 47 in .github/workflows/deploy-docs.yml

View workflow job for this annotation

GitHub Actions / Dependency Pinning / Validate SHA Pinning Compliance

Unpinned github-actions dependency: actions/setup-node@v4 (Severity: High)
Comment thread Fixed
with:
node-version: 20
cache: npm
cache-dependency-path: docs/docusaurus/package-lock.json

- name: Install dependencies
working-directory: docs/docusaurus
run: npm ci

- name: Build site
working-directory: docs/docusaurus
run: npm run build

- name: Configure Pages
uses: actions/configure-pages@v5

Check warning on line 62 in .github/workflows/deploy-docs.yml

View workflow job for this annotation

GitHub Actions / Dependency Pinning / Validate SHA Pinning Compliance

Unpinned github-actions dependency: actions/configure-pages@v5 (Severity: High)
Comment thread Fixed

- name: Upload artifact
uses: actions/upload-pages-artifact@v3

Check warning on line 65 in .github/workflows/deploy-docs.yml

View workflow job for this annotation

GitHub Actions / Dependency Pinning / Validate SHA Pinning Compliance

Unpinned github-actions dependency: actions/upload-pages-artifact@v3 (Severity: High)
Comment thread Fixed
with:
path: docs/docusaurus/build

deploy:
name: Deploy to GitHub Pages
needs: build
runs-on: ubuntu-latest
permissions:
pages: write
id-token: write
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4

Check warning on line 82 in .github/workflows/deploy-docs.yml

View workflow job for this annotation

GitHub Actions / Dependency Pinning / Validate SHA Pinning Compliance

Unpinned github-actions dependency: actions/deploy-pages@v4 (Severity: High)
Comment thread Fixed
58 changes: 58 additions & 0 deletions .github/workflows/docusaurus-tests.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
name: Docusaurus Tests

on:
pull_request:
paths:
- 'docs/docusaurus/**'
- '.github/workflows/docusaurus-tests.yml'
workflow_call:
inputs:
soft-fail:
description: 'Whether to continue on test failures'
required: false
type: boolean
default: false

permissions:
contents: read

jobs:
docusaurus:
name: Docusaurus Unit Tests
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Checkout code
uses: actions/checkout@v4

Check warning on line 27 in .github/workflows/docusaurus-tests.yml

View workflow job for this annotation

GitHub Actions / Dependency Pinning / Validate SHA Pinning Compliance

Unpinned github-actions dependency: actions/checkout@v4 (Severity: High)
Comment thread Fixed
with:
persist-credentials: false

- name: Setup Node.js
uses: actions/setup-node@v4

Check warning on line 32 in .github/workflows/docusaurus-tests.yml

View workflow job for this annotation

GitHub Actions / Dependency Pinning / Validate SHA Pinning Compliance

Unpinned github-actions dependency: actions/setup-node@v4 (Severity: High)
Comment thread Fixed
with:
node-version: '20'
cache: npm
cache-dependency-path: docs/docusaurus/package-lock.json

- name: Install dependencies
working-directory: docs/docusaurus
run: npm ci

- name: Run tests
working-directory: docs/docusaurus
run: npm test
continue-on-error: ${{ inputs.soft-fail }}

- name: Build verification
working-directory: docs/docusaurus
run: npm run build

- name: Upload test results
if: always()
uses: actions/upload-artifact@v4

Check warning on line 53 in .github/workflows/docusaurus-tests.yml

View workflow job for this annotation

GitHub Actions / Dependency Pinning / Validate SHA Pinning Compliance

Unpinned github-actions dependency: actions/upload-artifact@v4 (Severity: High)
Comment thread Fixed
with:
name: docusaurus-test-results
path: docs/docusaurus/test-results/
retention-days: 30
if-no-files-found: ignore
129 changes: 129 additions & 0 deletions .github/workflows/gitleaks-scan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,129 @@
name: Gitleaks Secret Scan

on:
pull_request:
push:
branches:
- main
workflow_call:
inputs:
soft-fail:
description: 'Whether to continue on secret detection'
required: false
type: boolean
default: false

permissions:
contents: read

jobs:
scan:
name: Gitleaks Secret Scan
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4

Check warning on line 28 in .github/workflows/gitleaks-scan.yml

View workflow job for this annotation

GitHub Actions / Dependency Pinning / Validate SHA Pinning Compliance

Unpinned github-actions dependency: actions/checkout@v4 (Severity: High)
Comment thread Fixed
with:
persist-credentials: false
fetch-depth: 0

- name: Download and verify gitleaks
shell: bash
run: |
set -euo pipefail

GITLEAKS_VERSION="8.30.0"
GITLEAKS_SHA256="79a3ab579b53f71efd634f3aaf7e04a0fa0cf206b7ed434638d1547a2470a66e"
GITLEAKS_URL="https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
GITLEAKS_TARBALL="gitleaks.tar.gz"

echo "Downloading gitleaks v${GITLEAKS_VERSION}..."
curl -fsSL -o "${GITLEAKS_TARBALL}" "${GITLEAKS_URL}"

echo "Verifying SHA256 checksum..."
echo "${GITLEAKS_SHA256} ${GITLEAKS_TARBALL}" | sha256sum -c -

echo "Extracting gitleaks binary..."
tar -xzf "${GITLEAKS_TARBALL}" gitleaks
chmod +x gitleaks

echo "Gitleaks version:"
./gitleaks version

- name: Run gitleaks scan
id: gitleaks
shell: bash
run: |
set -euo pipefail

mkdir -p logs

SCAN_ARGS=(
"git"
"--report-format" "sarif"
"--report-path" "logs/gitleaks-results.sarif"
"--redact"
"--log-level" "info"
)

if [ -f ".gitleaksignore" ]; then
echo "Found .gitleaksignore — known secrets will be suppressed."
fi

echo "Running gitleaks scan..."
EXIT_CODE=0
./gitleaks "${SCAN_ARGS[@]}" || EXIT_CODE=$?

if [ "$EXIT_CODE" -eq 0 ]; then
echo "No secrets detected."
echo "leaks-found=false" >> "$GITHUB_OUTPUT"
elif [ "$EXIT_CODE" -eq 1 ]; then
echo "::warning::Gitleaks detected secrets in the repository."
echo "leaks-found=true" >> "$GITHUB_OUTPUT"
if [ "${{ inputs.soft-fail }}" != "true" ]; then
echo "::error::Secret scanning failed. Review detected secrets in logs/gitleaks-results.sarif"
exit 1
fi
else
echo "::error::Gitleaks encountered an unexpected error (exit code: $EXIT_CODE)"
exit "$EXIT_CODE"
fi

- name: Upload SARIF to Security tab
if: always()
uses: github/codeql-action/upload-sarif@v3
Comment thread Fixed
with:
sarif_file: logs/gitleaks-results.sarif
category: gitleaks
continue-on-error: true

- name: Upload scan results
if: always()
uses: actions/upload-artifact@v4
Comment thread Fixed
with:
name: gitleaks-results
path: logs/gitleaks-results.sarif
retention-days: 90

- name: Add job summary
if: always()
shell: bash
run: |
LEAKS_FOUND="${{ steps.gitleaks.outputs.leaks-found }}"
if [ "$LEAKS_FOUND" = "true" ]; then
STATUS="⚠️ Secrets Detected"
else
STATUS="✅ No Secrets Found"
fi

cat >> "$GITHUB_STEP_SUMMARY" <<EOF
## Gitleaks Secret Scan Results

| Metric | Value |
|--------|-------|
| Status | $STATUS |

EOF
Loading
Loading