diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000000..5834c9fd98
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,28 @@
+
+version: 2
+updates:
+
+ - package-ecosystem: "gitsubmodule"
+ directory: "/"
+ schedule:
+ interval: "daily"
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+
+ - package-ecosystem: "docker"
+ directory: "/"
+ schedule:
+ interval: "daily"
+
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "daily"
+
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/package-release.yml b/.github/workflows/package-release.yml
index 91a7b448f0..f17fbdcc4b 100644
--- a/.github/workflows/package-release.yml
+++ b/.github/workflows/package-release.yml
@@ -23,7 +23,7 @@ jobs:
 runs-on: ubuntu-18.04
 steps:
 # use this for main repo master builds
- - uses: actions/checkout@v2
+ - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 path: ${{ env.OSCAL_HOME }}
 submodules: recursive
@@ -41,7 +41,7 @@ jobs:
 bash "${OSCAL_CICD_PATH}/package-release.sh" "${OSCAL_WORKING_PATH}"
 tar -jcvf "${OSCAL_WORKING_PATH}/${RELEASE_NAME}.tar.bz2" -C "${OSCAL_WORKING_PATH}/archive" .
 (cd "${OSCAL_WORKING_PATH}/archive" && zip -r "../${RELEASE_NAME}.zip" .)
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 #current tag: v3
 with:
 name: release-artifacts
 path: |
diff --git a/.github/workflows/workflow-generate-metaschema-resources.yml b/.github/workflows/workflow-generate-metaschema-resources.yml
index 1d84484bc8..1a34d85db2 100644
--- a/.github/workflows/workflow-generate-metaschema-resources.yml
+++ b/.github/workflows/workflow-generate-metaschema-resources.yml
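Review bot: The `npm`, `pip` and `docker` entries all point Dependabot at `directory: "/"`, but the manifests visible elsewhere in this diff live under `build/` — the Dockerfile hunk copies `./package.json`, `./package-lock.json`, `./pom.xml` and `./ci-cd/python/requirements.txt` relative to the `build/` compose context, and `build/pom.xml` is itself a new file here — so unless root-level manifests exist outside this diff, those three ecosystems will find nothing to update. Suggest `directory: "/build"` for `npm` and `docker`, a `pip` entry whose `directory` is wherever `requirements.txt` actually sits (`/build/ci-cd/python`, if the Dockerfile path is literal), and a `maven` entry for `/build`, since the new pom pins Saxon and XML Calabash and currently has no automated update coverage at all. The hunk also lacks a leading `---` and opens with an empty added line; harmless, but the file would be cleaner starting at `version: 2`.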
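Review bot: The trailing `#current tag: v3` on the pinned `actions/checkout` line is a comment Dependabot will probably not maintain — as far as I know its github-actions updater rewrites the version comment after a SHA only when it has the `# v3` / `# vX.Y.Z` shape — so after the first automated bump the SHA and the comment will disagree and reviewers will read the wrong version; suggest `- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3` (better still the exact patch tag that SHA was taken from, e.g. `# v3.<minor>.<patch>` as a placeholder to fill in), with one space after `#`. The same comment shape is used on every other pinned `uses:` line in this diff (the upload-artifact hunk below in this file, and the checkout, setup-java, setup-node, upload-artifact, github-script and git-auto-commit-action hunks in the other five workflow files), with setup-node additionally spelled `#current-tag: v2`, so it is worth normalising all of them in one pass. Unrelated to the pin but visible as context: `runs-on: ubuntu-18.04` is a retired hosted-runner label, so this job will stop scheduling regardless of the action pins and deserves a follow-up.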
@@ -45,7 +45,7 @@ jobs:
 # use this for builds triggered from the UI on protected branches
 - name: Checkout Latest (using COMMIT_TOKEN)
 if: github.event_name == 'workflow_dispatch' && github.event.inputs.commit_resources == 'true'
- uses: actions/checkout@v3
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 path: ${{ env.CHECKOUT_PATH }}
 token: ${{ secrets.COMMIT_TOKEN }}
@@ -54,7 +54,7 @@ jobs:
 # use this for builds triggered from other workflows on protected branches
 - name: Checkout Latest (using access_token)
 if: github.event_name == 'push' && inputs.commit_resources == true
- uses: actions/checkout@v3
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 path: ${{ env.CHECKOUT_PATH }}
 token: ${{ secrets.access_token }}
@@ -63,7 +63,7 @@ jobs:
 # use this for overything else (i.e., pull requests) where publication is not needed
 - name: Checkout Latest
 if: steps.checkout_latest_workflow.conclusion == 'skipped' && steps.checkout_latest_push.conclusion == 'skipped'
- uses: actions/checkout@v3
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 path: ${{ env.CHECKOUT_PATH }}
 submodules: recursive
@@ -71,13 +71,13 @@ jobs:
 # -------------------------
 # Java JDK 11
 - name: Set up JDK
- uses: actions/setup-java@v2
+ uses: actions/setup-java@f0bb91606209742fe3ea40199be2f3ef195ecabf #current tag: v2
 with:
 java-version: 11
 distribution: 'temurin'
 cache: 'maven'
 - name: Set up NodeJS
- uses: actions/setup-node@v2
+ uses: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561 #current-tag: v2
 with:
 node-version-file: '${{ env.CHECKOUT_PATH }}/build/.nvmrc'
 cache: 'npm'
@@ -121,7 +121,7 @@ jobs:
 run: |
 zip ${{ runner.temp }}/metaschema-artifacts.zip -r xml/schema/*.xsd json/schema/*.json xml/convert/*.xsl json/convert/*.xsl
 working-directory: ${{ env.CHECKOUT_PATH }}
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 #current tag: v3
 with:
 name: schemas-and-converters
 path: |
@@ -132,13 +132,9 @@ jobs:
 - name: Publish Schemas and Converters
 # only do this on master
 if: github.event.inputs.commit_resources == 'true' || inputs.commit_resources == true
- uses: stefanzweifel/git-auto-commit-action@v4.9.2
+ uses: stefanzweifel/git-auto-commit-action@be7095c202abcf573b09f20541e0ee2f6a3a9d9b #current tag: v4.9.2
 with:
 repository: ${{ env.CHECKOUT_PATH }}
 file_pattern: xml json
- # push_options: --force-with-lease
 skip_dirty_check: false
 commit_message: Publishing generated metaschema resources [ci skip]
-# commit_user_name: OSCAL GitHub Actions Bot
-# commit_user_email: oscal@nist.gov
-# commit_author: OSCAL GitHub Actions Bot
diff --git a/.github/workflows/workflow-generate-website-reference.yml b/.github/workflows/workflow-generate-website-reference.yml
index 27f61c238d..beb21ee96e 100644
--- a/.github/workflows/workflow-generate-website-reference.yml
+++ b/.github/workflows/workflow-generate-website-reference.yml
@@ -74,7 +74,7 @@ jobs:
 # 2) The target branch where the metaschemas exist that are the basis of reference information.
 # Checkout the current branch for reading
 - name: Checkout Latest
- uses: actions/checkout@v3
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 path: ${{ env.BRANCH_PATH }}
 submodules: recursive
@@ -82,7 +82,7 @@ jobs:
 # use this for builds triggered from the UI on protected branches
 - name: Checkout Main (using COMMIT_TOKEN)
 if: github.event_name == 'workflow_dispatch' && github.event.inputs.commit_resources == 'true'
- uses: actions/checkout@v3
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 path: ${{ env.MAIN_PATH }}
 ref: ${{ env.MAIN_BRANCH_REF }}
@@ -92,7 +92,7 @@ jobs:
 # use this for builds triggered from other workflows on protected branches
 - name: Checkout Main (using access_token)
 if: github.event_name == 'push' && inputs.commit_resources == true
- uses: actions/checkout@v3
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 path: ${{ env.MAIN_PATH }}
 ref: ${{ env.MAIN_BRANCH_REF }}
@@ -102,7 +102,7 @@ jobs:
 # use this for overything else (i.e., pull requests) where publication is not needed
 - name: Checkout Main
 if: steps.checkout_main_workflow.conclusion == 'skipped' && steps.checkout_main_push.conclusion == 'skipped'
- uses: actions/checkout@v3
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 path: ${{ env.MAIN_PATH }}
 ref: ${{ env.MAIN_BRANCH_REF }}
@@ -111,7 +111,7 @@ jobs:
 # -------------------------
 # Java JDK 11
 - name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@f0bb91606209742fe3ea40199be2f3ef195ecabf #current tag: v2
 with:
 java-version: 11
 distribution: 'temurin'
@@ -159,7 +159,7 @@ jobs:
 run: |
 zip ${{ runner.temp }}/metaschema-website.zip -r public/
 working-directory: ${{ env.MAIN_PATH }}/docs
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 #current tag: v3
 with:
 name: website
 path: |
@@ -168,7 +168,7 @@ jobs:
 - name: Publish Generated Pages
 # only do this on master
 if: github.event.inputs.commit_resources == 'true' || inputs.commit_resources == true
- uses: stefanzweifel/git-auto-commit-action@v4.9.2
+ uses: stefanzweifel/git-auto-commit-action@be7095c202abcf573b09f20541e0ee2f6a3a9d9b #current tag: v4.9.2
 with:
 repository: ${{ env.MAIN_PATH }}
 file_pattern: docs
diff --git a/.github/workflows/workflow-generate-website.yml b/.github/workflows/workflow-generate-website.yml
index 5e87af8cad..cbc5fb9534 100644
--- a/.github/workflows/workflow-generate-website.yml
+++ b/.github/workflows/workflow-generate-website.yml
@@ -81,7 +81,7 @@ jobs:
 # use this for builds triggered from the UI on protected branches
 - name: Checkout Latest (using COMMIT_TOKEN)
 if: github.event_name == 'workflow_dispatch' && github.event.inputs.commit_resources == 'true'
- uses: actions/checkout@v3
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 token: ${{ secrets.COMMIT_TOKEN }}
 submodules: recursive
@@ -89,7 +89,7 @@ jobs:
 # use this for builds triggered from other workflows on protected branches
 - name: Checkout Latest (using access_token)
 if: github.event_name == 'push' && inputs.commit_resources == true
- uses: actions/checkout@v3
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 token: ${{ secrets.access_token }}
 submodules: recursive
@@ -97,14 +97,14 @@ jobs:
 # use this for overything else (i.e., pull requests) where publication is not needed
 - name: Checkout Latest
 if: steps.checkout_latest_workflow.conclusion == 'skipped' && steps.checkout_latest_push.conclusion == 'skipped'
- uses: actions/checkout@v3
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 submodules: recursive
 # Setup runtime environment
 # -------------------------
 # Java JDK 11
 - name: Set up JDK 11
- uses: actions/setup-java@v2
+ uses: actions/setup-java@f0bb91606209742fe3ea40199be2f3ef195ecabf #current tag: v2
 with:
 java-version: 11
 distribution: 'temurin'
@@ -128,7 +128,7 @@ jobs:
 - name: Generate specification documentation
 run: |
 bash "${CICD_PATH}/generate-specification-documentation.sh"
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 #current tag: v3
 with:
 name: specification-docs
 path: |
@@ -142,7 +142,7 @@ jobs:
 run: |
 zip ${{ runner.temp }}/metaschema-website.zip -r public/
 working-directory: ${{ github.workspace }}/docs
- - uses: actions/upload-artifact@v2
+ - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 #current tag: v3
 with:
 name: website
 path: |
@@ -157,17 +157,17 @@ jobs:
 output: html_link_report.md
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - uses: actions/upload-artifact@v3 # current: 6673cd052c4cd6fcf4b4e6e60ea986c889389535
+ - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 #current tag: v3
 with:
 name: html_link_report
 path: html_link_report.md
 retention-days: 5
- - uses: actions/github-script@v3 # current: f05a81df23035049204b043b50c3322045ce7eb3
+ - uses: actions/github-script@7a5c598405937d486b0331594b5da2b14db670da #current tag: v6 # current: f05a81df23035049204b043b50c3322045ce7eb3
 if: steps.linkchecker.outputs.exit_code != 0
 with:
 script: |
 core.setFailed('Link checker detected broken or invalid links, read attached report.')
- - uses: actions/github-script@v3 # current: f05a81df23035049204b043b50c3322045ce7eb3
+ - uses: actions/github-script@7a5c598405937d486b0331594b5da2b14db670da #current tag: v6 # current: f05a81df23035049204b043b50c3322045ce7eb3
 if: steps.linkchecker.outputs.exit_code != 0 && (github.event.inputs.bad_links_fail_build == 'true' || inputs.bad_links_fail_build == true)
 with:
 script: |
diff --git a/.github/workflows/workflow-validate-repo-markdown.yml b/.github/workflows/workflow-validate-repo-markdown.yml
index 77e4326a21..db1d859586 100644
--- a/.github/workflows/workflow-validate-repo-markdown.yml
+++ b/.github/workflows/workflow-validate-repo-markdown.yml
@@ -23,13 +23,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # use this for pulls where checkout is anonymous
- - uses: actions/checkout@v3 # current: dcd71f646680f2efd8db4afa5ad64fdcba30e748
+ - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 submodules: recursive
 # Setup runtime environment
 # -------------------------
 - name: Set up NodeJS
- uses: actions/setup-node@v3 # current: 56337c425554a6be30cdef71bf441f15be286854
+ uses: actions/setup-node@1f8c6b94b26d0feae1e387ca63ccbdc44d27b561 #current-tag: v2
 with:
 node-version-file: 'build/.nvmrc'
 cache: 'npm'
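Review bot: Both new `actions/github-script` lines keep the old `# current: f05a81df23035049204b043b50c3322045ce7eb3` text behind the new `#current tag: v6` comment, so each line now names two different SHAs and the second one no longer describes anything that is pinned; drop the stale part, e.g. `- uses: actions/github-script@7a5c598405937d486b0331594b5da2b14db670da # v6`. The pin also moves github-script from v3 to v6 in one step, and from v5 onward the `github` object exposes REST calls under `github.rest.*` instead of `github.*`; the first step only calls `core.setFailed` and is unaffected, but the second step's script body runs past the end of the hunk and should be checked for such calls before this merges. The upload-artifact line replaces a comment recording `6673cd052c4cd6fcf4b4e6e60ea986c889389535` as the v3 commit with a pin to `3cea5372237819ed00197afe530f5a7ea3e805c8`, also labelled v3; both may well be different v3.x tags, but the comment should carry the exact tag so the discrepancy is documented rather than left for the next reader to resolve.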
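Review bot: The `setup-node` change is a downgrade rather than a pin: the removed line used `actions/setup-node@v3` and its comment even records the v3 commit `56337c425554a6be30cdef71bf441f15be286854`, while the added line pins `1f8c6b94b26d0feae1e387ca63ccbdc44d27b561` labelled `#current-tag: v2` — the same v2 SHA used in workflow-generate-metaschema-resources.yml. If a v3 pin was intended, `uses: actions/setup-node@56337c425554a6be30cdef71bf441f15be286854 # v3` (confirm the exact tag against the upstream release) keeps the major version this workflow already ran on; `node-version-file` is already used with the v2 SHA in the other workflow so the input itself should keep working, but silently moving back a major version changes the Node tooling this job validates with. The checkout line in the same hunk likewise swaps the documented `dcd71f646680f2efd8db4afa5ad64fdcba30e748` for `2541b1294d2704b0964813337f33b291d3f8596b`, both described as v3; record the exact tag in the comment so the two can be reconciled.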
diff --git a/.github/workflows/workflow-validate-website-content.yml b/.github/workflows/workflow-validate-website-content.yml
index 06d103ae5d..69ad0c8624 100644
--- a/.github/workflows/workflow-validate-website-content.yml
+++ b/.github/workflows/workflow-validate-website-content.yml
@@ -23,11 +23,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout Latest
- uses: actions/checkout@v3
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 fetch-depth: 0 # this ensures that the tag and commit history are available
 - name: Checkout git ref of published website content
- uses: actions/checkout@v3
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b #current tag: v3
 with:
 ref: ${{ inputs.site_git_ref }}
 path: ${{ inputs.site_git_ref_path }}
diff --git a/build/Dockerfile b/build/Dockerfile
index f667f51c49..62fa086537 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,49 +1,45 @@ -FROM ubuntu:20.04 as base-environment - -ADD ./ci-cd/python/requirements.txt . +FROM ubuntu:22.04 as base-environment ENV TZ=US/Eastern RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone RUN apt-get update && apt-get dist-upgrade -y -FROM base-environment as oscal-dependencies +FROM base-environment as oscal-os-dependencies + +RUN apt-get install -y \ + apt-utils build-essential git jq libxml2-utils maven nodejs npm python3-pip unzip wget && \ + apt-get clean + +FROM oscal-os-dependencies as oscal-runtime-dependencies -ARG saxonversion ARG hugoversion -ARG calabashversion -RUN apt-get install -y apt-utils build-essential git jq libxml2-utils maven nodejs npm python3-pip unzip wget && apt-get clean -RUN npm install -g npm n -RUN n latest -RUN npm install --loglevel verbose -g ajv-cli@"^4.0.x" ajv-formats@"^1.5.x" json-diff markdown-link-check yaml-convert@"^1.0.x" yargs -RUN pip3 install -r requirements.txt +RUN mkdir -p /opt/oscal -#RUN useradd --create-home --home-dir /home/user user -#USER user +WORKDIR /opt/oscal -ENV SAXON_VERSION=${saxonversion} +ADD ./ci-cd/python/requirements.txt . +ADD ./package.json . +ADD ./package-lock.json . +ADD ./pom.xml . 
-RUN mvn org.apache.maven.plugins:maven-dependency-plugin:2.10:get -DartifactId=Saxon-HE -DgroupId=net.sf.saxon -Dversion=${SAXON_VERSION} +RUN npm ci && \ + pip3 install -r requirements.txt && \ + mvn dependency:copy-dependencies -DoutputDirectory=/opt/oscal ENV HUGO_VERSION=${hugoversion} RUN wget https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_Linux-64bit.deb RUN dpkg -i hugo_extended_${HUGO_VERSION}_Linux-64bit.deb -# calabash -ENV CALABASH_VERSION=${calabashversion} -ENV CALABASH_HOME=/dependencies/calabash -RUN wget https://github.com/ndw/xmlcalabash1/releases/download/${CALABASH_VERSION}/xmlcalabash-${CALABASH_VERSION}.zip -RUN mkdir -p "${CALABASH_HOME}" -RUN unzip -d "${CALABASH_HOME}" "xmlcalabash-${CALABASH_VERSION}.zip" -RUN f=`ls -d "${CALABASH_HOME}"/*| xargs` && mv "${CALABASH_HOME}"/*/* "${CALABASH_HOME}" && rmdir "${f}" - -#RUN chown -R user:user /home/user - -FROM oscal-dependencies as oscal-base +FROM oscal-runtime-dependencies as oscal-base VOLUME ["/oscal"] WORKDIR /oscal FROM oscal-base as cli +ENV SAXON_HOME=/opt/oscal +ENV CALABASH_HOME=${SAXON_HOME} +ENV PATH=/opt/oscal/node_modules/.bin:${PATH} + ENTRYPOINT ["/bin/bash"] diff --git a/build/docker-compose.yml b/build/docker-compose.yml index 6844640ec9..64cb5e59f1 100644 --- a/build/docker-compose.yml +++ b/build/docker-compose.yml @@ -7,9 +7,7 @@ services: context: . target: cli args: - saxonversion: 10.6 hugoversion: 0.83.1 - calabashversion: 1.2.5-100 volumes: - "../:/oscal" ports: diff --git a/build/pom.xml b/build/pom.xml new file mode 100644 index 0000000000..c8fa4d1ca1 --- /dev/null +++ b/build/pom.xml 
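Review bot: The new `RUN apt-get install -y \ ...` layer in `oscal-os-dependencies` installs against package lists fetched by the separate `RUN apt-get update && apt-get dist-upgrade -y` layer of the previous stage, so once that base layer is cached, later rebuilds install from stale indexes and will eventually fail when the mirror drops the old package versions; the usual fix is `RUN apt-get update && apt-get install -y ... && apt-get clean && rm -rf /var/lib/apt/lists/*` in one instruction. Dropping `npm install -g npm n` / `n latest` means Node now comes from the Ubuntu 22.04 `nodejs` package rather than the latest release, which may not match the version `build/.nvmrc` pins for the workflows — worth confirming before relying on `/opt/oscal/node_modules/.bin` tooling built under it. `RUN mkdir -p /opt/oscal` directly before `WORKDIR /opt/oscal` is redundant, since WORKDIR creates the directory. While this stage was being reworked, the unchanged `wget` + `dpkg -i` of the Hugo `.deb` still has no checksum or signature check, and `CALABASH_HOME` now points at a flat directory of copied jars rather than the unpacked distribution the old stage produced, so any script resolving paths under `${CALABASH_HOME}` should be re-tested against the new layout.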
@@ -0,0 +1,60 @@ + + 4.0.0 + + gov.nist.secauto.oscal.tools.core + ci-cd-deps + 1.0.0 + + + UTF-8 + + + pom + + + + + maven.restlet.org + maven.restlet.org + https://maven.restlet.org + + + + + + net.sf.saxon + Saxon-HE + 10.6 + + + com.xmlcalabash + xmlcalabash + 1.2.5-100 + + + + + + + org.apache.maven.plugins + maven-dependency-plugin + 3.3.0 + + + copy-dependencies + package + + copy-dependencies + + + + + + + +
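Review bot: The new pom declares `https://maven.restlet.org` as a project repository, which makes it a candidate source for every dependency, not just the one that needs it — as far as I recall Maven searches POM-declared repositories before Central, so `net.sf.saxon:Saxon-HE:10.6`, which Central serves, could also be resolved from the third-party repository if it ever publishes those coordinates. If only `com.xmlcalabash:xmlcalabash:1.2.5-100` requires it, say so in a comment on the `<repository>` element and consider confining that repository through a `settings.xml` mirror (or vendoring the single jar) so the build's trust boundary is explicit. Since the Dockerfile's `mvn dependency:copy-dependencies` step only relies on the checksums the repositories themselves serve, recording the expected SHA-256 of the two jars and verifying them in that step would pin the supply chain independently of either host. The hunk as rendered has lost its XML element names, so the plugin block (`maven-dependency-plugin` 3.3.0, `copy-dependencies` bound to `package`) could only be partially checked here.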