From fb01e2bed049abb72f974cff1c0eeb344a1ada8a Mon Sep 17 00:00:00 2001
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com>
Date: Tue, 11 Nov 2025 12:10:26 -0800
Subject: [PATCH 1/3] fix(polaris): Comment out `polaris` until integration can be fixed.
---
.github/workflows/starter.yml | 14 +--
CHANGELOG.md | 17 ---
README.md | 213 ++++++++++++++++++++--------------
3 files changed, 132 insertions(+), 112 deletions(-)
diff --git a/.github/workflows/starter.yml b/.github/workflows/starter.yml
index 5749f49..680eaa3 100644
--- a/.github/workflows/starter.yml
+++ b/.github/workflows/starter.yml
@@ -156,13 +156,13 @@ jobs:
 secrets:
 token: ${{ secrets.token }}
- call-polaris-scan-workflow:
- if: github.event_name == 'pull_request' && (startsWith(github.base_ref, 'release-') || github.base_ref == 'main')
- uses: Keyfactor/actions/.github/workflows/kf-polaris-scan.yml@v4
- with:
- scan_branch: ${{ github.event.pull_request.head.ref }}
- secrets:
- token: ${{ secrets.scan_token }}
+# call-polaris-scan-workflow:
+# if: github.event_name == 'pull_request' && (startsWith(github.base_ref, 'release-') || github.base_ref == 'main')
+# uses: Keyfactor/actions/.github/workflows/kf-polaris-scan.yml@v4
+# with:
+# scan_branch: ${{ github.event.pull_request.head.ref }}
+# secrets:
+# token: ${{ secrets.scan_token }}
 call-post-release-workflow:
 needs: [ call-assign-from-json-workflow, call-create-github-release-workflow ]
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a423232..9240de4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
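Review bot: Commenting out `call-polaris-scan-workflow` removes the job that ran the Polaris SAST scan on pull requests into `main` and `release-*` branches, and nothing in the hunk records why it is disabled or when it should come back, so the dead block is easy to leave behind. The README hunk in this same patch still lists `scan_token` as `Required` and still states that `Polaris SAST/SCAN scans run when push to release-* or main occurs`, so the documentation now describes a gate that no longer runs; if any branch-protection rule in a consuming repository names this job as a required status check, PRs there will stall because the check never reports. Suggest a line above the commented block such as `# TODO(<tracking-issue>): Polaris scan disabled until the integration is fixed; README still documents scan_token as required` and either amending those README lines in the same change or keeping the job and disabling it with `if: false` so the disabled gate stays visible in the workflow graph. The `jobs:` mapping this hunk edits starts and ends outside the hunk.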
@@ -1,20 +1,3 @@
-# [3.4.0](https://github.com/Keyfactor/actions/compare/3.3.1...3.4.0) (2025-09-11)
-
-
-### Bug Fixes
-
-* **starter:** `entra_username` not required ([e8ef978](https://github.com/Keyfactor/actions/commit/e8ef978040b927afe117590e13034ed37c7aa7a4))
-* **starter:** Call out `write` permissions on generate-readme ([578161c](https://github.com/Keyfactor/actions/commit/578161ce9288a0b2047854dd499b96996ee75bb6))
-* **starter:** Remove container and maven workflow refs. ([86dfcf4](https://github.com/Keyfactor/actions/commit/86dfcf41593fbc3562baea46d6590079f328559f))
-* **starter:** Remove unused `APPROVE_README_PUSH` input ([a92ee10](https://github.com/Keyfactor/actions/commit/a92ee10e2cd901ddb6cd32e1b161dbc16d58ed3b))
-* **starter:** Update self refs for generate-readme ([5858ee9](https://github.com/Keyfactor/actions/commit/5858ee9f1653ec153ad3297d21cdc9aa5b4d42e5))
-* **starter:** Update self version references from `v3` to `v4` ([79bd7a4](https://github.com/Keyfactor/actions/commit/79bd7a4ba43e3a8a94552872e51174402c2bd8b2))
-
-
-### Features
-
-* **docs:** add screenshot automation workflow inputs ([1b0642e](https://github.com/Keyfactor/actions/commit/1b0642ecfd727714bd3caf34da5ee47c73f4d5a4))
-
 ## [3.3.1](https://github.com/Keyfactor/actions/compare/3.3.0...3.3.1) (2025-06-23)
diff --git a/README.md b/README.md
index df8f2ae..1ab7b04 100644
--- a/README.md
+++ b/README.md
@@ -1,92 +1,98 @@ -### πŸ‘¨πŸΏβ€πŸš€ Actions v4 Workflows +### πŸ‘¨πŸΏβ€πŸš€ Actions v4 Workflows ### What's new in v4 -* The v4 Actions make use of [doctool](https://github.com/Keyfactor/doctool) to take Command screenshots for Universal Orchestrator extension store-type creation. + +* The v4 Actions make use of [doctool](https://github.com/Keyfactor/doctool) to take Command screenshots for Universal + Orchestrator extension store-type creation. ### Usage #### Prerequisites -- Ensure an `integration-manifest.json` file is present in the root of your repository. For the schema, see the v2 [integration-manifest-schema.json](https://keyfactor.github.io/v2/integration-manifest-schema.json) + +- Ensure an `integration-manifest.json` file is present in the root of your repository. For the schema, see the + v2 [integration-manifest-schema.json](https://keyfactor.github.io/v2/integration-manifest-schema.json) #### Example `integration-manifest.json` + ```json { - "$schema": "https://keyfactor.github.io/v2/integration-manifest-schema.json", - "integration_type": "anyca-plugin", - "name": "Example AnyCA REST Gateway Plugin", - "status": "pilot", - "support_level": "kf-supported", - "link_github": true, - "update_catalog": true, - "description": "Example Plugin for the AnyCA REST Gateway framework", - "gateway_framework": "25.0.0", - "release_dir": "example-caplugin\\bin\\Release", - "release_project": "example-caplugin\\example_extension.csproj", - "about": { - "carest": { - "ca_plugin_config": [ - { - "name": "ApiKey", - "description": "The API Key for the The CA API" - }, - { - "name": "Username", - "description": "Username for the CA API service account" - }, - { - "name": "Password", - "description": "Password for the CA API service account" - }, - { - "name": "BaseUrl", - "description": "The Base URL for the CA API" - }, - { - "name": "Enabled", - "description": "Flag to Enable or Disable gateway functionality. 
Disabling is primarily used to allow creation of the CA prior to configuration information being available." - } - ], - "enrollment_config": [ - { - "name": "CertificateValidityInYears", - "description": "Number of years the certificate will be valid for" - }, - { - "name": "Email", - "description": "Email address of the requestor" - }, - { - "name": "OrganizationName", - "description": "Name of the organization to be validated against" - } - ], - "product_ids": [ - "ExampleProductSslOvBasic", - "ExampleProductSslEvBasic", - "ExampleProductSslDvGeotrust", - "ExampleProductSslDvThawte", - "ExampleProductSslOvThawteWebserver", - "ExampleProductSslEvThawteWebserver", - "ExampleProductSslOvGeotrustTruebizid", - "ExampleProductSslEvGeotrustTruebizid", - "ExampleProductSslOvSecuresite", - "ExampleProductSslEvSecuresite", - "ExampleProductSslOvSecuresitePro", - "ExampleProductSslEvSecuresitePro" - ] - } + "$schema": "https://keyfactor.github.io/v2/integration-manifest-schema.json", + "integration_type": "anyca-plugin", + "name": "Example AnyCA REST Gateway Plugin", + "status": "pilot", + "support_level": "kf-supported", + "link_github": true, + "update_catalog": true, + "description": "Example Plugin for the AnyCA REST Gateway framework", + "gateway_framework": "25.0.0", + "release_dir": "example-caplugin\\bin\\Release", + "release_project": "example-caplugin\\example_extension.csproj", + "about": { + "carest": { + "ca_plugin_config": [ + { + "name": "ApiKey", + "description": "The API Key for the The CA API" + }, + { + "name": "Username", + "description": "Username for the CA API service account" + }, + { + "name": "Password", + "description": "Password for the CA API service account" + }, + { + "name": "BaseUrl", + "description": "The Base URL for the CA API" + }, + { + "name": "Enabled", + "description": "Flag to Enable or Disable gateway functionality. Disabling is primarily used to allow creation of the CA prior to configuration information being available." 
+ } + ], + "enrollment_config": [ + { + "name": "CertificateValidityInYears", + "description": "Number of years the certificate will be valid for" + }, + { + "name": "Email", + "description": "Email address of the requestor" + }, + { + "name": "OrganizationName", + "description": "Name of the organization to be validated against" + } + ], + "product_ids": [ + "ExampleProductSslOvBasic", + "ExampleProductSslEvBasic", + "ExampleProductSslDvGeotrust", + "ExampleProductSslDvThawte", + "ExampleProductSslOvThawteWebserver", + "ExampleProductSslEvThawteWebserver", + "ExampleProductSslOvGeotrustTruebizid", + "ExampleProductSslEvGeotrustTruebizid", + "ExampleProductSslOvSecuresite", + "ExampleProductSslEvSecuresite", + "ExampleProductSslOvSecuresitePro", + "ExampleProductSslEvSecuresitePro" + ] } + } } ``` #### Example workflow `keyfactor-bootsrap-workflow.yml` + ```yaml name: Keyfactor Bootstrap Workflow on: workflow_dispatch: pull_request: - types: [opened, closed, synchronize, edited, reopened] + types: [ opened, closed, synchronize, edited, reopened ] push: create: branches: 
@@ -108,44 +114,75 @@ jobs: entra_password: ${{ secrets.DOCTOOL_ENTRA_PASSWD }} # Only required for doctool generated screenshots command_client_id: ${{ secrets.COMMAND_CLIENT_ID }} # Only required for doctool generated screenshots command_client_secret: ${{ secrets.COMMAND_CLIENT_SECRET }} # Only required for doctool generated screenshots + ``` -### πŸš€The Bootstrap workflow for v4 Actions perform the following steps: +#### Inputs + +| Parameter | Type | Description | Required/Optional | +|-----------------------|--------|----------------------------------------------------------------|--------------------------------| +| command_token_url | Input | URL for command token, used by doctool for screenshots | Optional (doctool screenshots) | +| command_hostname | Input | Hostname for command, used by doctool for screenshots | Optional (doctool screenshots) | +| command_base_api_path | Input | Base API path for command, used by doctool for screenshots | Optional (doctool screenshots) | +| token | Secret | Build token for workflow execution | Required | +| gpg_key | Secret | GPG private key for signing golang builds | Optional (golang builds) | +| gpg_pass | Secret | GPG passphrase for signing golang builds | Optional (golang builds) | +| scan_token | Secret | Token for SAST/Polaris scan | Required | +| entra_username | Secret | Username for doctool Entra authentication (screenshots) | Optional (doctool screenshots) | +| entra_password | Secret | Password for doctool Entra authentication (screenshots) | Optional (doctool screenshots) | +| command_client_id | Secret | Client ID for command API, used by doctool for screenshots | Optional (doctool screenshots) | +| command_client_secret | Secret | Client secret for command API, used by doctool for screenshots | Optional (doctool screenshots) | + +### πŸš€The Bootstrap workflow for v4 Actions perform the following steps: * Checkout integration repository * Call [starter.yml](.github/workflows/starter.yml) workflow * Get 
values from integration-manifest.json [assign-env-from-json](.github/workflows/assign-env-from-json.yml) * Discover primary programming language from the repository [***action-get-primary-language***] -* Determine event_name: `create, push, pull_request, workflow_dispatch` [github-release.yml](.github/workflows/github-release.yml) -* Run the workflows and conditionalized steps to produce a build. If conditions match, release artifacts are delivered -[dotnet-build-and-release.yml](.github/workflows/dotnet-build-and-release.yml) or [go-build-and-release.yml](.github/workflows/go-build-and-release.yml) -workflow will be run depending on the `detected-primary-language` step in [starter.yml](.github/workflows/starter.yml) +* Determine event_name: + `create, push, pull_request, workflow_dispatch` [github-release.yml](.github/workflows/github-release.yml) +* Run the workflows and conditionalized steps to produce a build. If conditions match, release artifacts are delivered + [dotnet-build-and-release.yml](.github/workflows/dotnet-build-and-release.yml) + or [go-build-and-release.yml](.github/workflows/go-build-and-release.yml) + workflow will be run depending on the `detected-primary-language` step in [starter.yml](.github/workflows/starter.yml) #### On Create: -* Configure repository settings - This will use the properties from the json to update topic and description, and will set the teams permissions on the repo accordingly. If the ref created is a branch that matches "release-\*.\*", branch protection is added, autlink reference set ab# to devops [***kf-configure-repo***] + +* Configure repository settings - This will use the properties from the json to update topic and description, and will + set the teams permissions on the repo accordingly. 
If the ref created is a branch that matches "release-\*.\*", branch + protection is added, autlink reference set ab# to devops [***kf-configure-repo***] #### On push or workflow_dispatch: + * Just run the build on the branch with the commit without producing release artifacts -* * C#: run the [dotnet-build-and-release.yml](.github/workflows/dotnet-build-and-release.yml) workflow -* * Go builds: run the go-build-and-release.yml workflow (still in progress) -* All languages: -* * Generate/Update `README.md` using `doctool` [generate-readme.yml](.github/workflows/generate-readme.yml) -* * (conditionally) a catalog entry [update-catalog](.github/workflows/update-catalog.yml) will be created/updated if the json manifest has `"update_catalog": true` in the `integration-manifest.json` file +* + * C#: run the [dotnet-build-and-release.yml](.github/workflows/dotnet-build-and-release.yml) workflow +* + * Go builds: run the go-build-and-release.yml workflow (still in progress) +* All languages: +* + * Generate/Update `README.md` using `doctool` [generate-readme.yml](.github/workflows/generate-readme.yml) +* + * (conditionally) a catalog entry [update-catalog](.github/workflows/update-catalog.yml) will be created/updated if + the json manifest has `"update_catalog": true` in the `integration-manifest.json` file #### On pull_request[opened, closed, synchronize, edited, reopened]: -[dotnet-build-and-release.yml](.github/workflows/dotnet-build-and-release.yml) workflow or [go-build-and-release.yml](.github/workflows/go-build-and-release.yml) workflow will be run depending on the detected primary language -* If the pr destination is a `release-*.*` branch, set flags to produce release artifacts -* If the pr is determined to be `open` or `merged` but not `closed` (synchronize), a prerelease artifact will be uploaded -* If the pr is determined to be `merged` and `closed`, a final "official" release is built and published to GitHub releases, and if `"update_catalog": true` is set in 
the json manifest, a catalog entry will be created/updated -* Polaris SAST/SCAN scans run when push to `release-*` or main occurs -* If PR to release branch is `merged/closed`, a new PR will be automatically generated. This will need to be approved manually and **should not** be approved for hotfix branches - - +[dotnet-build-and-release.yml](.github/workflows/dotnet-build-and-release.yml) workflow +or [go-build-and-release.yml](.github/workflows/go-build-and-release.yml) workflow will be run depending on the detected +primary language +* If the pr destination is a `release-*.*` branch, set flags to produce release artifacts +* If the pr is determined to be `open` or `merged` but not `closed` (synchronize), a prerelease artifact will be + uploaded +* If the pr is determined to be `merged` and `closed`, a final "official" release is built and published to GitHub + releases, and if `"update_catalog": true` is set in the json manifest, a catalog entry will be created/updated +* Polaris SAST/SCAN scans run when push to `release-*` or main occurs +* If PR to release branch is `merged/closed`, a new PR will be automatically generated. This will need to be approved + manually and **should not** be approved for hotfix branches +### πŸ“Todo: -### πŸ“Todo: * Remove default admin user when applying branch protection * Add overrides for detected language, readme build(?), etc. into json manifest * Set repo license From ec9f4914d6f93cd5ee1ac921addbfd01aa4416f0 Mon Sep 17 00:00:00 2001 From: spbsoluble <1661003+spbsoluble@users.noreply.github.com> Date: Tue, 11 Nov 2025 12:10:58 -0800 Subject: [PATCH 2/3] fix(polaris): Allow failure --- .github/workflows/kf-polaris-scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/kf-polaris-scan.yml b/.github/workflows/kf-polaris-scan.yml index 075f469..6197546 100644 --- a/.github/workflows/kf-polaris-scan.yml +++ b/.github/workflows/kf-polaris-scan.yml 
@@ -19,6 +19,7 @@ on:
 jobs:
 build:
 runs-on: [ ubuntu-latest ]
+ continue-on-error: true
 steps:
 - name: Checkout Source
 uses: actions/checkout@v4
From 025d3849fe43b34a0ecab41dcc6b773a76a2cc05 Mon Sep 17 00:00:00 2001
From: spbsoluble <1661003+spbsoluble@users.noreply.github.com>
Date: Tue, 11 Nov 2025 12:14:16 -0800
Subject: [PATCH 3/3] chore(docs): add missing changelog entry for `v3.4.0`
---
CHANGELOG.md | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9240de4..a423232 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,20 @@
+# [3.4.0](https://github.com/Keyfactor/actions/compare/3.3.1...3.4.0) (2025-09-11)
+
+
+### Bug Fixes
+
+* **starter:** `entra_username` not required ([e8ef978](https://github.com/Keyfactor/actions/commit/e8ef978040b927afe117590e13034ed37c7aa7a4))
+* **starter:** Call out `write` permissions on generate-readme ([578161c](https://github.com/Keyfactor/actions/commit/578161ce9288a0b2047854dd499b96996ee75bb6))
+* **starter:** Remove container and maven workflow refs. ([86dfcf4](https://github.com/Keyfactor/actions/commit/86dfcf41593fbc3562baea46d6590079f328559f))
+* **starter:** Remove unused `APPROVE_README_PUSH` input ([a92ee10](https://github.com/Keyfactor/actions/commit/a92ee10e2cd901ddb6cd32e1b161dbc16d58ed3b))
+* **starter:** Update self refs for generate-readme ([5858ee9](https://github.com/Keyfactor/actions/commit/5858ee9f1653ec153ad3297d21cdc9aa5b4d42e5))
+* **starter:** Update self version references from `v3` to `v4` ([79bd7a4](https://github.com/Keyfactor/actions/commit/79bd7a4ba43e3a8a94552872e51174402c2bd8b2))
+
+
+### Features
+
+* **docs:** add screenshot automation workflow inputs ([1b0642e](https://github.com/Keyfactor/actions/commit/1b0642ecfd727714bd3caf34da5ee47c73f4d5a4))
+
 ## [3.3.1](https://github.com/Keyfactor/actions/compare/3.3.0...3.3.1) (2025-06-23)
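Review bot: `continue-on-error: true` at the level of the `build` job lets the workflow run pass even when the Polaris scan fails, so a branch-protection rule or caller that only looks at the run result is satisfied by a failing scan and the failure is visible only inside the job log. If the intent is to stop a broken integration from blocking merges while it is repaired, record that next to the key, e.g. `continue-on-error: true  # TODO(<tracking-issue>): temporary; scan failures do not fail the run until the Polaris integration is fixed`, and consider setting it on the scan step instead of the whole job so checkout and setup failures still fail loudly. The first patch in this series comments out the `starter.yml` job that calls this workflow, so unless another caller remains this change has no effect until that job is restored. The `build` job continues past the end of the hunk.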