diff --git a/.github/codeql-ci-python-requirements.txt b/.github/codeql-ci-python-requirements.txt
new file mode 100644
index 0000000..7deca91
--- /dev/null
+++ b/.github/codeql-ci-python-requirements.txt
@@ -0,0 +1,10 @@
+beautifulsoup4==4.12.3
+dill==0.3.8
+mpire==2.10.2
+pandas==2.0.3
+pymupdf==1.24.13
+python_gnupg==0.5.3
+Requests==2.32.3
+semantic_version==2.10.0
+tqdm==4.66.4
+tqdm==4.66.1
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4f2b98c..57e1f47 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -16,58 +16,6 @@ updates:
 dependency-type: "all"
 rebase-strategy: "disabled"
 - package-ecosystem: "github-actions"
- directories:
- - "*"
- - "**"
- schedule:
- interval: "daily"
- day: "friday"
- time: "10:00"
- timezone: "Europe/Paris"
- allow:
- - dependency-name: "*"
- dependency-type: "all"
- rebase-strategy: "disabled"
- - package-ecosystem: "npm"
- directories:
- - "*"
- - "**"
- schedule:
- interval: "daily"
- day: "friday"
- time: "10:00"
- timezone: "Europe/Paris"
- allow:
- - dependency-name: "*"
- dependency-type: "all"
- rebase-strategy: "disabled"
- - package-ecosystem: "pip"
- directories:
- - "*"
- - "**"
- schedule:
- interval: "daily"
- day: "friday"
- time: "10:00"
- timezone: "Europe/Paris"
- allow:
- - dependency-name: "*"
- dependency-type: "all"
- rebase-strategy: "disabled"
- - package-ecosystem: "terraform"
- directories:
- - "*"
- - "**"
- schedule:
- interval: "daily"
- day: "friday"
- time: "10:00"
- timezone: "Europe/Paris"
- allow:
- - dependency-name: "*"
- dependency-type: "all"
- rebase-strategy: "disabled"
- - package-ecosystem: "docker"
 directories:
 - "*"
 - "**"
diff --git a/.github/workflows/codeql.yml.dont-use b/.github/workflows/codeql.yml.dont-use
new file mode 100644
index 0000000..53846dd
--- /dev/null
+++ b/.github/workflows/codeql.yml.dont-use
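Review bot: `tqdm` is pinned twice with conflicting versions on the last two lines (`tqdm==4.66.4` and `tqdm==4.66.1`), so `pip install -r` on this file fails with a conflicting-requirements error instead of installing anything; keep one line, e.g. `tqdm==4.66.4`. For a CI-only install the version pins are only half of the supply-chain story: adding `--hash=sha256:...` to each line and installing with `--require-hashes` makes a substituted or republished artifact fail closed. The `dependabot.yml` hunk in this same diff removes the `pip` ecosystem, so presumably nothing will refresh these versions automatically unless the stanza above that hunk is pip; a header comment naming the workflow that consumes this file and who bumps it would help, since the `codeql.yml.dont-use` workflow added here never actually installs it.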
@@ -0,0 +1,88 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '22 0 * * 6'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: c-cpp
+ build-mode: manual
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ # If the analyze step fails for one of the languages you are analyzing with
+ # "We were unable to automatically build your code", modify the matrix above
+ # to set the build mode to "manual" for that language. Then modify this step
+ # to build your code.
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+ - name: 'Setup python'
+ if: matrix.build-mode == 'manual' && matrix.language == 'c-cpp'
+ shell: bash
+ - name: 'Build project'
+ if: matrix.build-mode == 'manual' && matrix.language == 'c-cpp'
+ shell: bash
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \ 'languages you are analyzing, replace this with the commands to build' \ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review-alt.yml.dont-use b/.github/workflows/dependency-review-alt.yml.dont-use
new file mode 100644
index 0000000..61459d5
--- /dev/null
+++ b/.github/workflows/dependency-review-alt.yml.dont-use
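Review bot: The `Setup python` step carries `if:` and `shell:` but neither `uses:` nor `run:`, which GitHub rejects as an invalid step the moment the `.dont-use` suffix is dropped; give it `uses: actions/setup-python@v5` with a `python-version`, or delete it. The `Build project` step only echoes placeholder text and ends in `exit 1`, so no real `c-cpp` manual build is wired up, and the rest of this diff (a pip requirements file, pip-driven review jobs) suggests the matrix presumably wants `language: python` with `build-mode: none` instead — worth confirming before enabling. The actions are referenced by floating tags (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`); a job that holds `security-events: write` should pin them to full commit SHAs with a `# vX.Y.Z` comment so a moved tag cannot swap the code that runs here.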
@@ -0,0 +1,152 @@
+
+name: 'Dependency review'
+on:
+ push:
+ branches:
+ - "main"
+ - "**/dev/**"
+ - "release/**"
+ pull_request:
+ branches:
+ - "main"
+ - "**/dev/**"
+ - "release/**"
+ types:
+ - opened
+ - synchronize
+ - reopened
+ - ready_for_review
+ workflow_dispatch:
+ inputs:
+ # Associated to `allow-licenses` or `deny-licenses` workflow options
+ license-selection:
+ description: 'Select the licenses to deny or allow'
+ required: true
+ type: string
+ default: 'GPL-1.0-or-later, LGPL-2.0-or-later'
+ # Describes what the previous selection will do
+ license-action:
+ description: 'Select the action to take on the selected licenses'
+ required: true
+ type: choice
+ default: deny
+ options:
+ - deny
+ - allow
+ # Associated to `fail-on-severity` workflow option
+ severity-selection:
+ description: 'Select the severity level to fail on'
+ required: true
+ type: choice
+ default: low
+ options:
+ - low
+ - moderate
+ - high
+ - critical
+ # Associated to `warn-only` workflow option
+ warn-only:
+ description: 'Only warn about the issues without failing the workflow'
+ required: true
+ type: boolean
+ default: false
+ # Associated to `fail-on-scopes` workflow option
+ scopes:
+ description: 'Select the scopes to run the action on'
+ required: true
+ type: choice
+ options:
+ - runtime
+ - development
+ - unknown
+ default: runtime
+
+permissions:
+ contents: read
+ # Write permissions for pull-requests are required for using the `comment-summary-in-pr` option, comment out if you aren't using this option
+ pull-requests: write
+
+env:
+ HEAD_REF: ${{ github.event.ref }}
+ BASE_REF: ${{ (github.event.base_ref != null) && github.event.base_ref || github.event.ref }}
+ IS_PR: ${{ contains(github.event_name, 'pull_request') }}
+ IS_PUSH: ${{ contains(github.event_name, 'push') }}
+ IS_MANUAL: ${{ contains(github.event_name, 'workflow_dispatch') }}
+
+jobs:
+ check-must-run:
+ runs-on: ubuntu-latest
+ if: ${{ contains(github.event_name, 'pull_request') ||
contains(github.event_name, 'push') }}
+ outputs:
+ must-run: ${{ steps.check-must-run-output-step.outputs.must-run }}
+ steps:
+ - name: 'Checkout repository'
+ uses: actions/checkout@v4
+ - name: 'Set up python'
+ uses: actions/setup-python@v5
+ with:
+ python-version: '3.13'
+ cache: 'pip'
+ - name: 'Install dependencies'
+ run: 'pip3 install -r ./.github/ci-check-must-run/requirements.txt'
+ - name: 'Shall we run the workflow ?'
+ id: check-must-run-output-step
+ working-directory: './'
+ run: './scripts/ci-check-must-run.py'
+ dependency-review-on-pr:
+ needs: check-must-run
+ runs-on: ubuntu-latest
+ if: ${{ contains(github.event_name, 'pull_request') && needs.check-must-run.outputs.must-run == 'true' }}
+ steps:
+ - name: 'Checkout repository'
+ uses: actions/checkout@v4
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
+ with:
+ comment-summary-in-pr: always
+ fail-on-severity: low
+ deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later
+ dependency-review-on-push:
+ needs: check-must-run
+ runs-on: ubuntu-latest
+ if: ${{ contains(github.event_name, 'push') && needs.check-must-run.outputs.must-run == 'true' }}
+ steps:
+ - name: 'Checkout repository'
+ uses: actions/checkout@v4
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
+ with:
+ fail-on-severity: low
+ deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later
+ base-ref: ${{ env.BASE_REF }}
+ head-ref: ${{ env.HEAD_REF }}
+ dependency-review-manual-with-allow-licenses:
+ runs-on: ubuntu-latest
+ if: ${{ (contains(github.event_name, 'workflow_dispatch') && inputs['license-action'] == 'allow') }}
+ steps:
+ - name: 'Checkout repository'
+ uses: actions/checkout@v4
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
+ with:
+ fail-on-severity: ${{ inputs['severity-selection'] }}
+ allow-licenses: ${{ inputs['license-selection'] }}
+ warn-only: ${{ inputs['warn-only'] }}
+ fail-on-scopes: ${{ inputs['scopes'] }}
+ base-ref: ${{ env.BASE_REF }}
+ head-ref: ${{ env.HEAD_REF }}
+ dependency-review-manual-with-deny-licenses:
+ runs-on: ubuntu-latest
+ if: ${{ (contains(github.event_name, 'workflow_dispatch') && inputs['license-action'] == 'deny') }}
+ steps:
+ - name: 'Checkout repository'
+ uses: actions/checkout@v4
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@v4
+ with:
+ fail-on-severity: ${{ inputs['severity-selection'] }}
+ deny-licenses: ${{ inputs['license-selection'] }}
+ warn-only: ${{ inputs['warn-only'] }}
+ fail-on-scopes: ${{ inputs['scopes'] }}
+ base-ref: ${{ env.BASE_REF }}
+ head-ref: ${{ env.HEAD_REF }}
\ No newline at end of file
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 5f42b92..2a391f3 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -2,7 +2,7 @@
 name: 'Dependency review'
 on:
 push:
- branches:
+ branches:
 - "main"
 - "**/dev/**"
 - "release/**"
diff --git a/.gitignore b/.gitignore
index 715463a..857fe41 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,5 @@ config-temp/**
 *.fdb_latexmk
 *.fls
 *.out
+
+!.github/codeql-ci-python-requirements.txt
\ No newline at end of file
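Review bot: The `check-must-run` job installs `./.github/ci-check-must-run/requirements.txt` and executes `./scripts/ci-check-must-run.py` from the checked-out pull-request ref, so the change under review can edit either file to emit `must-run=false` and silently skip the dependency review that this output gates; a gate for a security check should not be sourced from the commit it is judging — take that script from the base ref (e.g. a second checkout with `ref: ${{ github.event.pull_request.base.sha }}`) or drop the gate for `pull_request` runs. The workflow-level `permissions: pull-requests: write` is inherited by that same job, the one running PR-controlled code; only `dependency-review-on-pr` needs it for `comment-summary-in-pr`, so move it there (`permissions: { contents: read, pull-requests: write }` on that job) and leave `contents: read` alone at the top. For push events `BASE_REF` falls back to `github.event.ref` whenever `base_ref` is null, which presumably makes `dependency-review-on-push` compare a ref with itself and review nothing; `github.event.before` / `github.sha` are the usual base and head there. The file also ends without a trailing newline, and the `.dont-use` suffix keeps all of this inert for now.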