Modularize and standardize GitHub Actions workflows.

.github/dependabot.yml

@@ -0,0 +1,28 @@
+
+version: 2
+updates:
+
+  - package-ecosystem: "gitsubmodule"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/package-release.yml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-18.04
     steps:
       # use this for main repo master builds
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
         with:
           path: ${{ env.OSCAL_HOME }}
           submodules: recursive
@@ -41,7 +41,7 @@ jobs:
           bash "${OSCAL_CICD_PATH}/package-release.sh" "${OSCAL_WORKING_PATH}"
           tar -jcvf "${OSCAL_WORKING_PATH}/${RELEASE_NAME}.tar.bz2" -C "${OSCAL_WORKING_PATH}/archive" .
           (cd "${OSCAL_WORKING_PATH}/archive" && zip -r "../${RELEASE_NAME}.zip" .)
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 #current tag: v3
         with:
           name: release-artifacts
           path: |

.github/workflows/workflow-generate-metaschema-resources.yml

@@ -45,7 +45,7 @@ jobs:
     # use this for builds triggered from the UI on protected branches
     - name: Checkout Latest (using COMMIT_TOKEN)
       if: github.event_name == 'workflow_dispatch' && github.event.inputs.commit_resources == 'true'
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         path: ${{ env.CHECKOUT_PATH }}
         token: ${{ secrets.COMMIT_TOKEN }}
@@ -54,7 +54,7 @@ jobs:
     # use this for builds triggered from other workflows on protected branches
     - name: Checkout Latest (using access_token)
       if: github.event_name == 'push' && inputs.commit_resources == true
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         path: ${{ env.CHECKOUT_PATH }}
         token: ${{ secrets.access_token }}
@@ -63,21 +63,21 @@ jobs:
     # use this for overything else (i.e., pull requests) where publication is not needed
     - name: Checkout Latest
       if: steps.checkout_latest_workflow.conclusion == 'skipped' && steps.checkout_latest_push.conclusion == 'skipped'
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         path: ${{ env.CHECKOUT_PATH }}
         submodules: recursive
     # Setup runtime environment
     # -------------------------
     # Java JDK 11
     - name: Set up JDK
-      uses: actions/setup-java@v2
+      uses: actions/setup-java@f0bb91606209742fe3ea40199be2f3ef195ecabf #current tag: v2
       with:
         java-version: 11
         distribution: 'temurin'
         cache: 'maven'
     - name: Set up NodeJS
-      uses: actions/setup-node@v2
+      uses: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561 #current-tag: v2
       with:
         node-version-file: '${{ env.CHECKOUT_PATH }}/build/.nvmrc'
         cache: 'npm'
@@ -121,7 +121,7 @@ jobs:
       run: |
         zip ${{ runner.temp }}/metaschema-artifacts.zip -r xml/schema/*.xsd json/schema/*.json xml/convert/*.xsl json/convert/*.xsl
       working-directory: ${{ env.CHECKOUT_PATH }}
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 #current tag: v3
       with:
         name: schemas-and-converters
         path: |
@@ -132,13 +132,9 @@ jobs:
     - name: Publish Schemas and Converters
       # only do this on master
       if: github.event.inputs.commit_resources == 'true' || inputs.commit_resources == true
-      uses: stefanzweifel/[email protected]
+      uses: stefanzweifel/git-auto-commit-action@be7095c202abcf573b09f20541e0ee2f6a3a9d9b #current tag: v4.9.2
       with:
         repository: ${{ env.CHECKOUT_PATH }}
         file_pattern: xml json
-        # push_options: --force-with-lease
         skip_dirty_check: false
         commit_message: Publishing generated metaschema resources [ci skip]
-#          commit_user_name: OSCAL GitHub Actions Bot
-#          commit_user_email: [email protected]
-#          commit_author: OSCAL GitHub Actions Bot <[email protected]>

.github/workflows/workflow-generate-website-reference.yml

@@ -74,15 +74,15 @@ jobs:
     # 2) The target branch where the metaschemas exist that are the basis of reference information.
     # Checkout the current branch for reading
     - name: Checkout Latest
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         path: ${{ env.BRANCH_PATH }}
         submodules: recursive
         fetch-depth: 0 # this ensures that the tag and commit history are available
     # use this for builds triggered from the UI on protected branches
     - name: Checkout Main (using COMMIT_TOKEN)
       if: github.event_name == 'workflow_dispatch' && github.event.inputs.commit_resources == 'true'
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         path: ${{ env.MAIN_PATH }}
         ref: ${{ env.MAIN_BRANCH_REF }}
@@ -92,7 +92,7 @@ jobs:
     # use this for builds triggered from other workflows on protected branches
     - name: Checkout Main (using access_token)
       if: github.event_name == 'push' && inputs.commit_resources == true
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         path: ${{ env.MAIN_PATH }}
         ref: ${{ env.MAIN_BRANCH_REF }}
@@ -102,7 +102,7 @@ jobs:
     # use this for overything else (i.e., pull requests) where publication is not needed
     - name: Checkout Main
       if: steps.checkout_main_workflow.conclusion == 'skipped' && steps.checkout_main_push.conclusion == 'skipped'
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         path: ${{ env.MAIN_PATH }}
         ref: ${{ env.MAIN_BRANCH_REF }}
@@ -111,7 +111,7 @@ jobs:
     # -------------------------
     # Java JDK 11
     - name: Set up JDK 11
-      uses: actions/setup-java@v2
+      uses: actions/setup-java@f0bb91606209742fe3ea40199be2f3ef195ecabf #current tag: v2
       with:
         java-version: 11
         distribution: 'temurin'
@@ -159,7 +159,7 @@ jobs:
       run: |
         zip ${{ runner.temp }}/metaschema-website.zip -r public/
       working-directory: ${{ env.MAIN_PATH }}/docs
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 #current tag: v3
       with:
         name: website
         path: |
@@ -168,7 +168,7 @@ jobs:
     - name: Publish Generated Pages
       # only do this on master
       if: github.event.inputs.commit_resources == 'true' || inputs.commit_resources == true
-      uses: stefanzweifel/[email protected]
+      uses: stefanzweifel/git-auto-commit-action@be7095c202abcf573b09f20541e0ee2f6a3a9d9b #current tag: v4.9.2
       with:
         repository: ${{ env.MAIN_PATH }}
         file_pattern: docs

.github/workflows/workflow-generate-website.yml

@@ -81,30 +81,30 @@ jobs:
     # use this for builds triggered from the UI on protected branches
     - name: Checkout Latest (using COMMIT_TOKEN)
       if: github.event_name == 'workflow_dispatch' && github.event.inputs.commit_resources == 'true'
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         token: ${{ secrets.COMMIT_TOKEN }}
         submodules: recursive
       id: checkout_latest_workflow
     # use this for builds triggered from other workflows on protected branches
     - name: Checkout Latest (using access_token)
       if: github.event_name == 'push' && inputs.commit_resources == true
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         token: ${{ secrets.access_token }}
         submodules: recursive
       id: checkout_latest_push
     # use this for overything else (i.e., pull requests) where publication is not needed
     - name: Checkout Latest
       if: steps.checkout_latest_workflow.conclusion == 'skipped' && steps.checkout_latest_push.conclusion == 'skipped'
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         submodules: recursive
     # Setup runtime environment
     # -------------------------
     # Java JDK 11
     - name: Set up JDK 11
-      uses: actions/setup-java@v2
+      uses: actions/setup-java@f0bb91606209742fe3ea40199be2f3ef195ecabf #current tag: v2
       with:
         java-version: 11
         distribution: 'temurin'
@@ -128,7 +128,7 @@ jobs:
     - name: Generate specification documentation
       run: |
         bash "${CICD_PATH}/generate-specification-documentation.sh"
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 #current tag: v3
       with:
         name: specification-docs
         path: |
@@ -142,7 +142,7 @@ jobs:
       run: |
         zip ${{ runner.temp }}/metaschema-website.zip -r public/
       working-directory: ${{ github.workspace }}/docs
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 #current tag: v3
       with:
         name: website
         path: |
@@ -157,17 +157,17 @@ jobs:
         output: html_link_report.md
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - uses: actions/upload-artifact@v3 # current: 6673cd052c4cd6fcf4b4e6e60ea986c889389535
+    - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 #current tag: v3
       with:
         name: html_link_report
         path: html_link_report.md
         retention-days: 5
-    - uses: actions/github-script@v3 # current: f05a81df23035049204b043b50c3322045ce7eb3
+    - uses: actions/github-script@7a5c598405937d486b0331594b5da2b14db670da #current tag: v6 # current: f05a81df23035049204b043b50c3322045ce7eb3
       if: steps.linkchecker.outputs.exit_code != 0
       with:
         script: |
           core.setFailed('Link checker detected broken or invalid links, read attached report.')
-    - uses: actions/github-script@v3 # current: f05a81df23035049204b043b50c3322045ce7eb3
+    - uses: actions/github-script@7a5c598405937d486b0331594b5da2b14db670da #current tag: v6 # current: f05a81df23035049204b043b50c3322045ce7eb3
       if: steps.linkchecker.outputs.exit_code != 0 && (github.event.inputs.bad_links_fail_build == 'true' || inputs.bad_links_fail_build == true)
       with:
         script: |

.github/workflows/workflow-validate-repo-markdown.yml

@@ -23,13 +23,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     # use this for pulls where checkout is anonymous
-    - uses: actions/checkout@v3 # current: dcd71f646680f2efd8db4afa5ad64fdcba30e748
+    - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         submodules: recursive
     # Setup runtime environment
     # -------------------------
     - name: Set up NodeJS
-      uses: actions/setup-node@v3 # current: 56337c425554a6be30cdef71bf441f15be286854 
+      uses: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561 #current-tag: v2
       with:
         node-version-file: 'build/.nvmrc'
         cache: 'npm'

.github/workflows/workflow-validate-website-content.yml

@@ -23,11 +23,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Latest
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         fetch-depth: 0 # this ensures that the tag and commit history are available
     - name: Checkout git ref of published website content
-      uses: actions/checkout@v3
+      uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
       with:
         ref: ${{ inputs.site_git_ref }}
         path: ${{ inputs.site_git_ref_path }}

build/Dockerfile

@@ -1,49 +1,45 @@
-FROM ubuntu:20.04 as base-environment
-
-ADD ./ci-cd/python/requirements.txt .
+FROM ubuntu:22.04 as base-environment
 
 ENV TZ=US/Eastern
 RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
 
 RUN apt-get update && apt-get dist-upgrade -y
 
-FROM base-environment as oscal-dependencies
+FROM base-environment as oscal-os-dependencies
+
+RUN apt-get install -y \
+    apt-utils build-essential git jq libxml2-utils maven nodejs npm python3-pip unzip wget && \
+    apt-get clean
+
+FROM oscal-os-dependencies as oscal-runtime-dependencies
 
-ARG saxonversion
 ARG hugoversion
-ARG calabashversion
 
-RUN apt-get install -y apt-utils build-essential git jq libxml2-utils maven nodejs npm python3-pip unzip wget && apt-get clean
-RUN npm install -g npm n
-RUN n latest
-RUN npm install --loglevel verbose -g ajv-cli@"^4.0.x" ajv-formats@"^1.5.x" json-diff markdown-link-check yaml-convert@"^1.0.x" yargs
-RUN pip3 install -r requirements.txt
+RUN mkdir -p /opt/oscal
 
-#RUN useradd --create-home --home-dir /home/user user
-#USER user
+WORKDIR /opt/oscal
 
-ENV SAXON_VERSION=${saxonversion}
+ADD ./ci-cd/python/requirements.txt .
+ADD ./package.json .
+ADD ./package-lock.json .
+ADD ./pom.xml .
 
-RUN mvn org.apache.maven.plugins:maven-dependency-plugin:2.10:get -DartifactId=Saxon-HE -DgroupId=net.sf.saxon -Dversion=${SAXON_VERSION}
+RUN npm ci && \
+    pip3 install -r requirements.txt && \
+    mvn dependency:copy-dependencies -DoutputDirectory=/opt/oscal
 
 ENV HUGO_VERSION=${hugoversion}
 RUN wget https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_Linux-64bit.deb
 RUN dpkg -i hugo_extended_${HUGO_VERSION}_Linux-64bit.deb
 
-# calabash
-ENV CALABASH_VERSION=${calabashversion}
-ENV CALABASH_HOME=/dependencies/calabash
-RUN wget https://github.com/ndw/xmlcalabash1/releases/download/${CALABASH_VERSION}/xmlcalabash-${CALABASH_VERSION}.zip
-RUN mkdir -p "${CALABASH_HOME}"
-RUN unzip -d "${CALABASH_HOME}" "xmlcalabash-${CALABASH_VERSION}.zip"
-RUN f=`ls -d "${CALABASH_HOME}"/*| xargs` && mv "${CALABASH_HOME}"/*/* "${CALABASH_HOME}" && rmdir "${f}"
-
-#RUN chown -R user:user /home/user
-
-FROM oscal-dependencies as oscal-base
+FROM oscal-runtime-dependencies as oscal-base
 VOLUME ["/oscal"]
 WORKDIR /oscal
 
 FROM oscal-base as cli
 
+ENV SAXON_HOME=/opt/oscal
+ENV CALABASH_HOME=${SAXON_HOME}
+ENV PATH=/opt/oscal/node_modules/.bin:${PATH}
+
 ENTRYPOINT ["/bin/bash"]

build/docker-compose.yml

@@ -7,9 +7,7 @@ services:
       context: .
       target: cli
       args:
-        saxonversion: 10.6
         hugoversion: 0.83.1
-        calabashversion: 1.2.5-100
     volumes:
       - "../:/oscal"
     ports: