bitwarden_workflow_linter 0.8.0__tar.gz → 0.8.1__tar.gz

{bitwarden_workflow_linter-0.8.0 → bitwarden_workflow_linter-0.8.1}/.github/workflows/bwwl_operations.yml

@@ -12,7 +12,7 @@ on:
         required: false
         type: string
   schedule:
-  - cron: '0 0 1 * *'
+  - cron: '0 0 * * 1'
 
 jobs:
   actions-operation:
@@ -63,23 +63,21 @@ jobs:
         run: python -m pip install --upgrade bitwarden_workflow_linter
 
       - name: Create Branch
-        if: ${{ github.events_name == 'schedule' }} || ${{ inputs.operation == 'update' }}
-        id: create-branch
+        if: ${{ github.events_name == 'schedule' || inputs.operation == 'update' }}
         run: |
           NAME="update-actions-$(date +'%Y%m%d-%H%M%S')"
           git switch -c $NAME
-          echo "name=$NAME" >> $GITHUB_OUTPUT
+          echo "BRANCH_NAME=$NAME" >> $GITHUB_ENV
 
       - name: Create Branch
         if: ${{ inputs.operation == 'add' }}
-        id: create-branch
         run: |
-          NAME= "add-action-$_ACTION"
+          NAME="add-action-$_ACTION"
           git switch -c $NAME
-          echo "name=$NAME" >> $GITHUB_OUTPUT
+          echo "BRANCH_NAME=$NAME" >> $GITHUB_ENV
 
       - name: Run bwwl update
-        if: ${{ github.events_name == 'schedule' }} || ${{ inputs.operation == 'update' }}
+        if: ${{ github.events_name == 'schedule' || inputs.operation == 'update' }}
         run: bwwl actions update -o src/bitwarden_workflow_linter/default_actions.json
 
       - name: Run bwwl add
@@ -93,37 +91,33 @@ jobs:
             echo "new_changes=TRUE" >> $GITHUB_OUTPUT
           else
             echo "new_changes=FALSE" >> $GITHUB_OUTPUT
-            echo "No changes to commit!";
+            echo "No changes to commit!"
           fi
 
       - name: Commit changes
         if: ${{ steps.new-changes.outputs.new_changes == 'TRUE' }}
-        env:
-          _PR_BRANCH: ${{ steps.create-branch.outputs.name }}
         run: |
           git commit -m "Update approved actions" -a
-          git push origin "$_PR_BRANCH"
+          git push origin "${{ env.BRANCH_NAME }}"
 
       - name: Generate GH App token
         if: ${{ steps.new-changes.outputs.new_changes == 'TRUE' }}
         uses: actions/create-github-app-token@67e27a7eb7db372a1c61a7f9bdab8699e9ee57f7 # v1.11.3
         id: app-token
         with:
-          app-id: ${{ secrets.GH_APP_ID }}
-          private-key: ${{ secrets.GH_APP_KEY }}
-          owner: ${{ github.repository_owner }}
+          app-id: ${{ secrets.BW_GHAPP_ID }}
+          private-key: ${{ secrets.BW_GHAPP_KEY }}
 
       - name: Create PR
         if: ${{ steps.new-changes.outputs.new_changes == 'TRUE' }}
         id: create-pr
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
-          _PR_BRANCH: ${{ steps.create-branch.outputs.name }}
-          _TITLE: "Update/Add bwwl approved actions"
+          TITLE: "Update/Add bwwl approved actions"
         run: |
-          PR_URL=$(gh pr create --title "$_TITLE" \
+          PR_URL=$(gh pr create --title "$TITLE" \
             --base "main" \
-            --head "$_PR_BRANCH" \
+            --head "${{ env.BRANCH_NAME }}" \
             --label "version:patch" \
             --label "automated pr" \
             --body "

bitwarden_workflow_linter-0.8.1/.github/workflows/examples/ci.yaml

@@ -0,0 +1,52 @@
+# Workflow templates are based on starter workflows provided by github at
+# https://github.com/actions/starter-workflows/tree/main and customized to
+# represent common practices used on Bitwarden repositories.
+
+name: CI
+
+on:
+  workflow_dispatch:  # Allows you to run this workflow manually from the Actions tab
+  pull_request:  # When a pull request event occurs
+
+permissions:  # Sets permissions of the GITHUB_TOKEN
+  checks: write  # Permits an action to create a check run
+  contents: read  # For actions to fetch code and list commits
+  id-token: write  # Required to fetch an OpenID Connect (OIDC) token
+  pull-requests: write  # Permits an action to add a label to a pull request
+
+jobs:
+  version:
+    name: Calculate version
+    uses: ./.github/workflows/examples/example-references/_version.yml  # Path to an existing github action
+
+  test:
+    name: Run test
+    uses: ./.github/workflows/examples/example-references/_test.yml
+    with:  # Parameters specific to this action that need to be defined in order for the step to be completed
+      project-name: Billing.Test
+      project-path: ./test/Billing.Test
+
+  build:
+    name: Run build
+    needs:  # This job will not run until test and version jobs are complete
+      - test
+      - version
+    uses: ./.github/workflows/examples/example-references/_build.yml
+    with:
+      project-name: Billing
+      project-path: ./src/Billing
+      version: ${{ needs.version.outputs.version }}
+
+  build-push-docker:
+    name: Build Docker image
+    needs:
+      - test
+      - version
+      - build
+    uses: ./.github/workflows/examples/example-references/_docker.yml
+    with:
+      project-name: Billing
+      project-path: ./src/Billing
+      version: ${{ needs.version.outputs.version }}
+      image-name: billing-relay
+      push-docker-image: false

bitwarden_workflow_linter-0.8.1/.github/workflows/examples/example-references/_build.yml

@@ -0,0 +1,64 @@
+name: _build
+run-name: Build ${{ inputs.project-name }}
+
+on:
+  workflow_call:
+    inputs:
+      project-name:
+        type: string
+        required: true
+      project-path:
+        type: string
+        required: true
+      version:
+        type: string
+        required: true
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up .NET
+        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+
+      - name: Cache NuGet packages
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-nuget-
+
+      - name: Install dependencies
+        run: dotnet restore ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj
+
+      - name: Build
+        run: dotnet build --verbosity minimal ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj
+
+      - name: Publish
+        run: |
+          echo "Publish"
+          dotnet publish ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj \
+            -c Release --no-restore \
+            -o ./tmp/publish-${{ inputs.project-name }} -p:Version=${{ inputs.version }}
+
+      - name: Create artifact
+        run: |
+          cd ./tmp/publish-${{ inputs.project-name }}
+          zip -r ${{ inputs.project-name }}.zip .
+          mv ${{ inputs.project-name }}.zip ../../
+          pwd
+          ls -atlh ../../
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: ${{ inputs.project-name }}.zip
+          path: ./${{ inputs.project-name }}.zip
+          if-no-files-found: error

bitwarden_workflow_linter-0.8.1/.github/workflows/examples/example-references/_docker.yml

@@ -0,0 +1,83 @@
+name: _docker
+run-name: "Build ${{ inputs.project-name }} docker image and push ${{ inputs.push-docker-image }} to ACR"
+
+on:
+  workflow_call:
+    inputs:
+      project-name:
+        type: string
+        required: true
+      project-path:
+        type: string
+        required: true
+      version:
+        type: string
+        required: false
+      push-docker-image:
+        type: boolean
+        required: false
+        default: false
+      image-name:
+        type: string
+        required: true
+
+jobs:
+  docker:
+    name: Docker
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Log in to Azure
+        if: ${{ inputs.push-docker-image }}
+        uses: Azure/login@a65d910e8af852a8061c627c456678983e180302 # v1.6.1
+        with:
+          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+
+      - name: Log in to ACR
+        if: ${{ inputs.push-docker-image }}
+        run: az acr login -n bitwardenprod
+
+      - name: Generate Docker image tag
+        id: tag
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          IMAGE_TAG=$VERSION
+          # IMAGE_TAG=$(echo "${GITHUB_REF#refs/heads/}" | sed "s#/#-#g")  # slash safe branch name
+          # if [[ "$IMAGE_TAG" == "main" ]]; then
+          #   IMAGE_TAG=$VERSION
+          # fi
+          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+
+      - name: Generate tag list
+        id: tag-list
+        env:
+          IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
+          IMAGE_NAME: ${{ inputs.image-name }}
+        run: echo "tags=bitwardenprod.azurecr.io/${IMAGE_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT
+
+      - name: Get build artifact
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: ${{ inputs.project-name }}.zip
+
+      - name: Set up build artifact
+        run: |
+          mkdir -p ${{ inputs.project-path }}/obj/build-output/publish
+          unzip ${{ inputs.project-name }}.zip \
+            -d ${{ inputs.project-path }}/obj/build-output/publish
+
+      - name: Build Docker image
+        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
+        with:
+          context: ${{ inputs.project-path }}
+          file: ${{ inputs.project-path }}/Dockerfile
+          platforms: linux/amd64
+          push: ${{ inputs.push-docker-image }}
+          tags: ${{ steps.tag-list.outputs.tags }}
+        env:
+          DOCKER_BUILD_RECORD_UPLOAD: false

bitwarden_workflow_linter-0.8.1/.github/workflows/examples/example-references/_test.yml

@@ -0,0 +1,75 @@
+name: _test
+run-name: Test ${{ inputs.project-name }}
+
+on:
+  workflow_call:
+    inputs:
+      project-name:
+        type: string
+        required: true
+      project-path:
+        type: string
+        required: true
+
+jobs:
+  check-test-secrets:
+    name: Check for test secrets
+    runs-on: ubuntu-22.04
+    outputs:
+      available: ${{ steps.check-test-secrets.outputs.available }}
+    permissions:
+      contents: read
+
+    steps:
+      - name: Check
+        id: check-test-secrets
+        run: |
+          if [ "${{ secrets.CODECOV_TOKEN }}" != '' ]; then
+            echo "available=true" >> $GITHUB_OUTPUT;
+          else
+            echo "available=false" >> $GITHUB_OUTPUT;
+          fi
+
+  testing:
+    name: Test
+    runs-on: ubuntu-22.04
+    needs: check-test-secrets
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Set up .NET
+        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25 # v4.1.0
+
+      - name: Cache NuGet packages
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
+        with:
+          path: ~/.nuget/packages
+          key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-nuget-
+
+      - name: Install dependencies
+        run: dotnet restore --locked-mode ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj
+
+      - name: Build
+        run: dotnet build --verbosity minimal ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj
+
+      - name: Test
+        run: dotnet test ${{ inputs.project-path }}/${{ inputs.project-name }}.csproj --no-build --logger "trx;LogFileName=mothership-test-results.trx"
+
+      - name: Report test results
+        uses: dorny/test-reporter@31a54ee7ebcacc03a09ea97a7e5465a47b84aea5 # v1.9.1
+        if: ${{ needs.check-test-secrets.outputs.available == 'true' && !cancelled() }}
+        with:
+          name: Test Results
+          path: "**/*-test-results.trx"
+          reporter: dotnet-trx
+          fail-on-error: true

bitwarden_workflow_linter-0.8.1/.github/workflows/examples/example-references/_version.yml

@@ -0,0 +1,68 @@
+name: _version
+run-name: Calculate version
+
+on:
+  workflow_call:
+    inputs:
+      is-release:
+        type: boolean
+        default: false
+    outputs:
+      version:
+        description: "version to be built"
+        value: ${{ jobs.version.outputs.version }}
+
+jobs:
+  version:
+    name: Calculate version
+    runs-on: ubuntu-22.04
+    outputs:
+      version: ${{ steps.version.outputs.value }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+
+      - name: Generate version
+        id: version
+        run: |
+          ls -la
+          git fetch --prune --tags
+
+          echo "Calculating next version..."
+
+          base_version=$(cat Directory.build.props |
+            grep -o "<BaseVersion>.*</BaseVersion>" |
+            grep -Eo "[0-9]+\.[0-9]+"
+          )
+          major_version=$(echo $base_version | grep -Eo "[0-9]+" | head -1)
+          minor_version=$(echo $base_version | grep -Eo "[0-9]+" | sed -n 2p)
+
+          latest_tag_version=$(git tag --sort=committerdate --list | tail -1)
+          echo "  latest_tag_version: $latest_tag_version"
+
+          major_latest_tag_version=$(echo $latest_tag_version | grep -Eo "[0-9]+" | head -1)
+          echo "  major_latest_tag_version: $major_latest_tag_version"
+
+          minor_latest_tag_version=$(echo $latest_tag_version | grep -Eo "[0-9]+" | sed -n 2p)
+          echo "  minor_latest_tag_version: $minor_latest_tag_version"
+
+          if [[ "$major_latest_tag_version" != "$major_version" ]] || \
+          [[ "$minor_latest_tag_version" != "$minor_version" ]]; then
+            patch_version="0"
+          else
+            patch_version=$((${latest_tag_version##*.} + 1))
+          fi
+
+          echo "  patch_version: $patch_version"
+
+          version_suffix=$patch_version
+
+          if [[ "${{ inputs.is-release }}" == "false" ]]; then
+            version_suffix=$version_suffix-${GITHUB_SHA:0:7}
+          fi
+
+          echo "  version: $base_version.$version_suffix"
+          echo "value=$base_version.$version_suffix" >> $GITHUB_OUTPUT
+          echo "Done"

bitwarden_workflow_linter-0.8.1/.github/workflows/examples/example.yaml

@@ -0,0 +1,100 @@
+# Workflow templates are based on starter workflows provided by github at
+# https://github.com/actions/starter-workflows/tree/main and customized to
+# represent common practices used on ACME repositories.
+
+# This imaginary workflow runs two steps and illustrates a number of options that we use throughout workflows in the Bitwarden repositories
+
+name: Build
+
+on:  # Describes when to run the workflow
+  # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
+
+  workflow_dispatch:  # When triggered manually
+
+  push:  # On push to the following branches. Temporarily add a development branch to prompt workflow runs for troubleshooting
+    branches: ["main", "rc", "hotfix-rc"]
+    paths-ignore:  # Updates to these directories or files will not trigger a workflow run
+      - ".github/workflows/**"
+
+  # Pull_request_target:  #We strongly discourage using this unless absolutely necessary as it requires access to certain Github secrets.
+  # If using this, include the .github/workflows/check-run.yml job and target only the main branch
+  # More info at https://github.blog/news-insights/product-news/github-actions-improvements-for-fork-and-pull-request-workflows/#improvements-for-public-repository-forks
+
+  pull_request:  # When a pull request event occurs
+    types: [opened, synchronize, unlabeled, labeled, unlabeled, reopened, edited]
+    branches: ["main"]  # Branches where a pull request will trigger the workflow
+
+
+  release:  # Runs your workflow when release activity in your repository occurs
+    types: [published, created]
+
+  merge_group:  # Runs required status checks on merge groups created by merge queue
+    types: [checks_requested]
+
+  repository_dispatch:  # Runs when a webook event triggers a workflow from outside of github
+    types: [contentful-publish]  # Optional, limit repository dispatch events to those in a specified list
+
+  workflow_call:  # Workflow can be called by another workflow
+
+env:  # Environment variables set for this step but not accessible by all workflows, steps or jobs.
+  _AZ_REGISTRY: "ACMEprod.azurecr.io"
+  INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
+
+jobs:  # A workflow run is made up of one or more jobs that can run sequentially or in parallel
+  first-job:
+    name: First Job Name
+    uses: ./.github/workflows/examples/example-references/_version.yml  # Path to an existing github action
+    if: github.event.pull_request.draft == false  # prevent part of a job from running on a draft PR
+    secrets: inherit  # When called by another workflow, pass all the calling workflow's secrets to the called workflow
+    # "secrets" is only available for a reusable workflow call with "uses"
+    strategy:  # Create multiple job runs for each of a set of variables
+      fail-fast: false  # If true, cancel entire run if any job in the matrix fails
+      matrix:  # Matrix of variables used to define multiple job runs
+        include:
+          - project_name: Admin
+            base_path: ./src
+            node: true  # Enables steps with if: ${{ matrix.node }}
+
+    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+    permissions:  # Sets permissions of the GITHUB_TOKEN
+      security-events: write  # Allow actions to upload results to Github
+      id-token: write  # Required to fetch an OpenID Connect (OIDC) token
+      contents: read  # For actions/checkout to fetch code
+      deployments: write  # Permits an action to create a new deployment
+      issues: write  # Permits an action to create a new issue
+      checks: write  # Permits an action to create a check run
+      actions: write  # Permits an action to cancel a workflow run
+      packages: read  # Permits an action to access packages on GitHub Packages
+      pull-requests: write  # Permits an action to add a label to a pull request
+
+  # steps: when a reusable workflow is called with "uses", "steps" is not available
+  second-job:
+    name: Second Job Name
+    runs-on: ubuntu-22.04  # The type of runner that the job will run on, not available if "uses" is used
+    defaults:
+      run:  # Set the default shell and working directory
+        shell: bash
+        working-directory: "home/WorkingDirectory"
+
+    needs:
+      - first-job  # This job will wait until first-job completes
+    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/setting-a-default-shell-and-working-directory
+    steps:
+      - name: Descriptive step name
+        # NOT RECOMMENDED if: always()  # run even if previous steps failed or the workflow is canceled, this can cause a workflow run to hang indefinitely
+        if: failure()  # run when any previous step of a job fails
+        # if: '!cancelled()'  # run even if previous steps failed
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2 Always pin a public action version to a full git SHA, followed by the version number in a comment.  Version pins are insecure and can introduce vulnerabilities into workflows.
+        with:  # Parameters specific to this action that need to be defined in order for the step to be completed
+          fetch-depth: 0  # Full git history for actions that rely on whether a change has occurred
+          ref: ${{ github.event.pull_request.head.sha }}
+          creds: ${{ secrets.SECRETS_OR_CREDENTIALS }}
+      - name: Another descriptive step name
+        # Run a script instead of an existing github action
+        run: |
+          whoami
+          dotnet --info
+          node --version
+          npm --version
+          echo "GitHub ref: $GITHUB_REF"
+          echo "GitHub event: $GITHUB_EVENT"

bitwarden_workflow_linter-0.8.1/.github/workflows/examples/scan.yaml

@@ -0,0 +1,126 @@
+# Workflow templates are based on starter workflows provided by github at
+# https://github.com/actions/starter-workflows/tree/main and customized to
+# represent common practices used on Bitwarden repositories.
+
+# The Scan Workflow enables you to trigger SAST and quality scans directly
+# From the GitHub workflow.
+
+name: Scan
+
+on:
+  # Controls when the workflow will run
+
+  # Can use other triggers such as multiple events, activity types and fiters:
+  # https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#on
+  workflow_dispatch:  # When triggered manually
+
+  push:
+    # On push to the following branches.  Temporarily add a development
+    # branch to prompt workflow runs for troubleshooting
+    branches:
+      - "main"
+      - "rc"
+      - "hotfix-rc"
+  pull_request_target:
+    # When a pull request event occurs. Default is opened or reopened unless
+    # otherwise specified, as below:
+    types: [opened, synchronize]  # Options include labeled, unlabeled, reopened
+    branches: 'main'
+
+# A workflow run is made up of one or more jobs that can run sequentially or in
+# parallel
+jobs:
+  # This workflow contains the jobs "check-run", "sast", and "quality"
+  # This job is relatively simple and just imports a previously written action
+  # to be used in this workflow
+  check-run:  # You set this value with the name of the job you're describing
+    name: Check PR run  # Human readable descriptor
+    # location and branch of bitwarden-owned action being used
+    uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+
+  sast:
+    # A more complex job that has multiple actions as steps described below
+    name: SAST scan
+    runs-on: ubuntu-22.04  # The type of runner that the job will run on
+    needs: check-run  # This job will wait until check-run completes
+    permissions:  # Sets permissions of the GITHUB_TOKEN
+      contents: read  # For actions/checkout to fetch code
+      pull-requests: write  # For github actions to upload feedback to PR
+      # For github/codeql-action/upload-sarif to upload SARIF results
+      security-events: write
+
+    # Steps represent a sequence of tasks executed as part of the job
+    steps:
+      - name: Check out repo
+        # Always pin a public action version to a full git SHA.
+        # Version pins are insecure and can introduce vulnerabilities
+        # into workflows.
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+        with:
+          # Parameters specific to this action that need to be defined
+          # in order for the step to be completed
+          ref: ${{  github.event.pull_request.head.sha }}
+
+      - name: Scan with Checkmarx
+        if: github.event.pull_request.draft == false  # Prevent step from running on draft PR
+        uses: checkmarx/ast-github-action@f0869bd1a37fddc06499a096101e6c900e815d81  # 2.0.36
+        # Environment variables set for this step but not accessible by all
+        # workflows, steps or jobs
+        env:
+          INCREMENTAL: "${{ contains(github.event_name, 'pull_request') \
+          && '--sast-incremental' || '' }}"
+        with:
+          project_name: ${{ github.repository }}
+          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          base_uri: https://ast.checkmarx.net/
+          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          additional_params: |
+            --report-format sarif \
+            --filter \
+            "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT"\
+            --output-path . ${{ env.INCREMENTAL }}
+
+      - name: Upload Checkmarx results to GitHub
+        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd  # v3.27.0
+        with:
+          sarif_file: cx_result.sarif
+
+  quality:
+    name: Quality scan
+    runs-on: ubuntu-22.04
+    needs: check-run
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      # Set up whatever resources your environment will need
+      # to run workflows on your code
+      - name: Set up JDK 17
+        uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b  # v4.5.0
+        with:
+          java-version: 17
+          distribution: "zulu"
+      # This step checks out a copy of your repository
+      - name: Set up .NET
+        uses: actions/setup-dotnet@3e891b0cb619bf60e2c25674b222b8940e2c1c25  # v4.1.0
+      # Install a tool without a Github Action
+      - name: Install SonarCloud scanner
+        run: dotnet tool install dotnet-sonarscanner -g
+
+      - name: Scan with SonarCloud
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        # Additional scripts to run outside of a Github Action
+        run: |
+          dotnet-sonarscanner begin /k:" \
+          ${{ github.repository_owner }}_${{ github.event.repository.name }}" \
+          /d:sonar.test.inclusions=test/,bitwarden_license/test/ \
+          /d:sonar.exclusions=test/,bitwarden_license/test/ \
+          /o:"${{ github.repository_owner }}" \
+          /d:sonar.token="${{ secrets.SONAR_TOKEN }}" \
+          /d:sonar.host.url="https://sonarcloud.io"
+          dotnet build
+          dotnet-sonarscanner end /d:sonar.token="${{ secrets.SONAR_TOKEN }}"

bitwarden_workflow_linter-0.8.1/.github/workflows/lint-examples.yml

@@ -0,0 +1,37 @@
+name: Lint Example Workflows
+
+on:
+  pull_request:
+    branches:
+      - "main"
+  merge_group:
+    types: [checks_requested]
+  workflow_call:
+  workflow_dispatch:  
+
+jobs:
+  test-lint-workflow:
+    name: Test Lint Workflow
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout Branch
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Get workflow list
+        id: workflow-list
+        run: |
+          WORKFLOW_LIST=$(find .github/workflows/examples -maxdepth 1 -type f | xargs -I {} echo -n "{} ")
+          echo "workflow-list=$WORKFLOW_LIST" >> $GITHUB_OUTPUT
+
+      - name: Lint examples
+        id: lint-examples
+        uses: bitwarden/gh-actions/lint-workflow@main
+        with:
+          workflows: ${{ steps.workflow-list.outputs.workflow-list }}
+
+      - name: Failure message
+        if: ${{ failure() && steps.lint-examples.conclusion == 'failure' }}
+        run: |
+          echo "Changes to the workflow linter should include updating workflow \
+          examples in .github/workflows/examples directory"
+          exit 1

{bitwarden_workflow_linter-0.8.0 → bitwarden_workflow_linter-0.8.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: bitwarden_workflow_linter
-Version: 0.8.0
+Version: 0.8.1
 Summary: Custom GitHub Action Workflow Linter
 Project-URL: Homepage, https://github.com/bitwarden/workflow-linter
 Project-URL: Issues, https://github.com/bitwarden/workflow-linter/issues
@@ -190,6 +190,8 @@ two empty lines between each job)
 To activate a rule after implementing it, add it to `settings.yaml` in the project's base folder
 and `src/bitwarden_workflow_linter/default_settings.yaml` to make the rule default
 
+Before creating a new rule please read the [Workflow linter rule rollout process](./RULE_ROLLOUT.md) document in which you'll find the process for rolling out new workflow linter rules.
+
 ### To-Do
 
 -   [ ] Add Rule to assert correct format for single line run

{bitwarden_workflow_linter-0.8.0 → bitwarden_workflow_linter-0.8.1}/README.md

@@ -164,6 +164,8 @@ two empty lines between each job)
 To activate a rule after implementing it, add it to `settings.yaml` in the project's base folder
 and `src/bitwarden_workflow_linter/default_settings.yaml` to make the rule default
 
+Before creating a new rule please read the [Workflow linter rule rollout process](./RULE_ROLLOUT.md) document in which you'll find the process for rolling out new workflow linter rules.
+
 ### To-Do
 
 -   [ ] Add Rule to assert correct format for single line run

bitwarden_workflow_linter-0.8.1/RULE_ROLLOUT.md

@@ -0,0 +1,43 @@
+# Workflow linter rule rollout process
+
+This document outlines the process for rolling out new workflow linter rules.
+
+## Problem Statement
+
+Releasing new rules in the workflow linter can cause friction by breaking existing workflows. The structured rollout process in this document aims to minimize disruptions and ensure teams have time to adjust before enforcing the new rule.
+
+## Rollout process
+
+### Stage 1: Warning level
+
+Introduce a new rule as a warning level.
+
+During this phase, the rule is introduced without enforcing failures, allowing teams to identify necessary changes without immediate disruption.
+
+A minor version bump of the linter is made to reflect the new functionality by adding the `version:minor` label to the PR that introduces a new rule.
+
+### Stage 2: Announcement
+
+Announce the new rule with its grace period to the engineering organization.
+
+An announcement is made to the `#team-eng` Slack channel and other relevant teams. This announcement includes a description of the rule, its rationale, its expected impact on existing workflows, and the deadline for when it will be enforced as an error.
+
+The grace period should last until the end of the next sprint for the teams to be able to plan the time to comply with the new rule in all the workflows that the team owns.
+
+### Stage 3: Workflow updates
+
+During the grace period, teams need to adapt and update their workflows to the new linter rule standards, which means eliminating any warnings.
+
+Also, the BRE team ensures that all BRE-owned workflows, such as release and deployment pipelines, are updated to comply with the new rule before it is enforced.
+
+
+> In the future, we may add more developed systems for tracking compliance and sending periodic reminders on Slack before enforcement. BRE will be evaluating the need for such features as we roll out this process.
+
+### Stage 4: Error level
+
+Change the rule to the ERROR level.
+
+At the end of the grace period, the new rule is transitioned to an error-level one by creating a PR in the workflow linter repository.
+
+A major version bump should be released by adding the `version:major` label to the PR. Raising the rule to the error level is a breaking change that requires teams to comply with it to avoid workflow linter check failures.
+An announcement is made to the `#team-eng` Slack channel as a follow-up on the same thread where the original announcement was made, with the `Also sent to #team-eng channel` checkbox checked, that the level was changed to an error level.

{bitwarden_workflow_linter-0.8.0 → bitwarden_workflow_linter-0.8.1}/src/bitwarden_workflow_linter/__about__.py

@@ -1,3 +1,3 @@
 """Metadata for Workflow Linter."""
 
-__version__ = "0.8.0"
+__version__ = "0.8.1"