diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d0474d40..c817b251 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,6 +8,14 @@ defaults: run: shell: bash +permissions: + id-token: write + attestations: write + contents: write + packages: write + pull-requests: read + deployments: read + jobs: build: name: Build on ${{ matrix.target }} @@ -163,8 +171,8 @@ jobs: - name: Build signed installer if: runner.os == 'Windows' run: | - azuresigntool.exe sign --verbose -kvu ${{ secrets.AZURE_KEY_VAULT_URI }} -kvc ${{ secrets.AZURE_KEYVAULT_CERT_NAME }} -kva %AZ_TOKEN% -fd sha256 -tr http://timestamp.digicert.com -v "dist/AxonOps Workbench-%GITHUB_REF_NAME%-win-x64.exe" - azuresigntool.exe sign --verbose -kvu ${{ secrets.AZURE_KEY_VAULT_URI }} -kvc ${{ secrets.AZURE_KEYVAULT_CERT_NAME }} -kva %AZ_TOKEN% -fd sha256 -tr http://timestamp.digicert.com -v "dist/AxonOps Workbench-%GITHUB_REF_NAME%-win-x64.msi" + azuresigntool.exe sign --verbose -kvu ${{ secrets.AZURE_KEY_VAULT_URI }} -kvc ${{ secrets.AZURE_KEYVAULT_CERT_NAME }} -kva %AZ_TOKEN% -fd sha256 -tr http://timestamp.digicert.com -v "dist/AxonOps.Workbench-%GITHUB_REF_NAME%-win-x64.exe" + azuresigntool.exe sign --verbose -kvu ${{ secrets.AZURE_KEY_VAULT_URI }} -kvc ${{ secrets.AZURE_KEYVAULT_CERT_NAME }} -kva %AZ_TOKEN% -fd sha256 -tr http://timestamp.digicert.com -v "dist/AxonOps.Workbench-%GITHUB_REF_NAME%-win-x64.msi" shell: cmd # Ensure this task is right before the Upload @@ -217,6 +225,20 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Attest Build Provenance for TGZ + uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0 + with: + subject-path: | + dist/*.zip + dist/*.pkg + dist/*.dmg + dist/*.deb + dist/*.rpm + dist/*.exe + dist/*.tar.gz + dist/*.nsis + dist/*.msi + # Release choco and brew release-brew: 
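Review bot: The new workflow-level `permissions:` block in the first hunk grants `contents: write`, `packages: write`, `pull-requests: read` and `deployments: read` to every job in release.yml, including the Windows code-signing job, although only the attestation step added in the third hunk needs `id-token: write` and `attestations: write`, and only the step that uploads release assets needs `contents: write`. Prefer a workflow-level `permissions:` of `contents: read` plus per-job blocks that list exactly what each job uses, so a compromised step or third-party action in one job cannot write packages or release assets. I cannot see from the hunk whether anything in this workflow publishes packages or reads deployments or pull requests; if nothing does, `packages: write`, `deployments: read` and `pull-requests: read` should be dropped rather than carried as unused scopes. The `jobs:` mapping and the workflow's trigger are outside this hunk.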
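Review bot: The two `azuresigntool.exe` lines in the Windows `Build signed installer` step now hard-code the artifact base name `AxonOps.Workbench`, which must stay identical to the `artifactName` pattern in package.json, and nothing in the step records that coupling; add a comment above `run: |` such as `# File names must match "artifactName" in package.json (AxonOps.Workbench-<version>-win-x64.*)`. For consistency, the Key Vault URI and certificate name are expanded inline with `${{ secrets.* }}` while the token is read from `%AZ_TOKEN%`; routing all three through the step's `env:` and referencing them as `%VAR%` keeps expression-expanded values out of the rendered cmd script and makes the two lines identical apart from the extension. The step's `name:` and `if:` are context here and its `env:` block, if any, lies outside the hunk.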
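Review bot: The new step's name `Attest Build Provenance for TGZ` does not describe what it does — its `subject-path` list covers zip, pkg, dmg, deb, rpm, exe, tar.gz, nsis and msi — so rename it to something like `Attest build provenance for release artifacts`. The step has no `if:` and so runs on every matrix OS while each OS produces only some of these extensions; it is worth confirming that the action tolerates patterns that match no files on a given runner rather than failing that job (I cannot tell from the hunk), and whether any target actually emits a `dist/*.nsis` file, since that entry otherwise is dead. Because the attestation is only useful if downstream users check it, add a comment above the step naming the verification command, e.g. `# Consumers verify with: gh attestation verify <file> --owner <org>`. The surrounding `env: GITHUB_TOKEN` step and the `release-brew` job are context and continue outside the hunk.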
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 00000000..986c5b93
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,28 @@
+name: build
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+jobs:
+ build:
+ name: Run Trivy
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: "MEDIUM,HIGH,CRITICAL"
+ #scanners: "vuln"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
diff --git a/package.json b/package.json
index ac35373c..12d9e823 100755
--- a/package.json
+++ b/package.json
@@ -30,14 +30,14 @@
 "provider": "github"
 }
 ],
- "artifactName": "${productName}-${version}-${os}-${arch}.${ext}",
+ "artifactName": "AxonOps.Workbench-${version}-${os}-${arch}.${ext}",
 "win": {
 "icon": "./renderer/assets/images/axonops-icon-256x256.ico",
 "target": [
 "nsis",
 "msi"
 ],
- "artifactName": "${productName}-${version}-${os}-${arch}.${ext}"
+ "artifactName": "AxonOps.Workbench-${version}-${os}-${arch}.${ext}"
 },
 "linux": {
 "icon": "./renderer/assets/images/",
@@ -49,7 +49,7 @@
 "Keywords": "cassandra;axonops;development;workbench",
 "Icon": "/usr/share/icons/hicolor/256x256/apps/axonops-workbench.png"
 },
- "artifactName": "${productName}-${version}-${os}-${arch}.${ext}"
+ "artifactName": "AxonOps.Workbench-${version}-${os}-${arch}.${ext}"
 },
 "mac": {
 "icon": "./renderer/assets/images/axonops-icon-512x512.icns",
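Review bot: The new trivy.yml declares no `permissions:`, so the `Upload Trivy scan results to GitHub Security tab` step's `github/codeql-action/upload-sarif` call will fail wherever the default `GITHUB_TOKEN` is read-only — which is always the case for `pull_request` runs from forks — and add the job-level block `permissions:` with `contents: read` and `security-events: write`. `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` are pinned to mutable tags while `aquasecurity/trivy-action` is pinned to a commit SHA with a version comment; pin the other two the same way, and as far as I know the `v2` major of codeql-action is deprecated upstream, so the SHA should come from a `v3` release. The workflow `name: build` is misleading for a scan-only workflow and reads the same as the release workflow's build job in the Actions tab; `name: Trivy scan` would be clearer. `ignore-unfixed: true` silently drops findings that have no upstream fix yet, which is a deliberate noise trade-off that deserves a comment such as `# unfixed findings are excluded to keep the Security tab actionable`.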
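Review bot: All three `artifactName` edits in package.json (this hunk and the `@@ -49,7` hunk) replace `${productName}` with the literal `AxonOps.Workbench`, so the product name is now repeated in three places here plus the Windows signing paths in release.yml, and a later `productName` change will silently desynchronise them. As far as I recall electron-builder applies the top-level `artifactName` to every target unless a platform overrides it, so the identical `win` and `linux` overrides can be dropped and the single top-level pattern kept; since JSON has no comments, the reason for hard-coding it belongs in the release workflow or the README. I am inferring from the old `dist/AxonOps Workbench-...` path in release.yml that the motivation is the space in `productName`; `productName` itself is outside the hunk.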