From 9c6511bf3622774df24f24d78f4a57379a64394e Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Fri, 24 Feb 2023 10:40:30 +0100
Subject: [PATCH 1/7] security write permission - in hope this fixes the dependabot issues
---
 .github/workflows/test.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 96aaf53a1..e15313549 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -168,6 +168,8 @@ jobs:
 name: Unit tests - backend
 runs-on: ubuntu-latest
 needs: [build_test_neo4j,build_test_backend]
+ permissions:
+ security-events: write
 steps:
 ##########################################################################
 # CHECKOUT CODE ##########################################################
@@ -225,6 +227,8 @@ jobs:
 name: Unit tests - webapp
 runs-on: ubuntu-latest
 needs: [build_test_webapp]
+ permissions:
+ security-events: write
 steps:
 ##########################################################################
 # CHECKOUT CODE ##########################################################
From 3ce739f68fe7df1d34fb2442de4f53cbdc415e2e Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Fri, 24 Feb 2023 10:48:16 +0100
Subject: [PATCH 2/7] dependabot schedule & remove ignores
---
 .github/dependabot.yml | 198 +++++++++-------------------------------
 1 file changed, 42 insertions(+), 156 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index c5433c921..585710358 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
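Review bot: The new job-level `permissions:` block sets every scope it does not list to none for this job's GITHUB_TOKEN, so the checkout step that follows is left with `contents: none`; that is fine only as long as the repository is public and no later step reads or pushes through the token, otherwise `contents: read` has to be listed alongside. `security-events: write` is the scope for uploading code-scanning results, and nothing visible in the hunk does that, so it is unlikely to be what the Dependabot-related failure needed; the later patches in this series end on `checks: write`, which fits a test-result reporter far better. The same applies to the webapp job hunk at `@@ -225` and to every later revision of these two blocks in patches 4–7. Since the step that consumes the scope lies outside the hunk, name it in a comment above the block, e.g. `# least privilege: only the scope the test-report step needs; everything else is none`.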
@@ -3,177 +3,63 @@ updates:
 - package-ecosystem: npm
 directory: "/"
 schedule:
- interval: daily
- time: "04:00"
- open-pull-requests-limit: 10
- ignore:
- - dependency-name: cypress
- versions:
- - 6.3.0
- - 6.4.0
- - 6.5.0
- - 6.6.0
- - 6.7.1
- - 6.8.0
- - 7.0.0
- - 7.0.1
- - 7.1.0
- - dependency-name: cypress-cucumber-preprocessor
- versions:
- - 4.0.0
- - 4.0.1
- - 4.0.3
- - dependency-name: date-fns
- versions:
- - 2.16.1
- - 2.17.0
- - 2.18.0
- - 2.19.0
- - 2.20.0
- - 2.20.1
- - 2.20.2
- - 2.20.3
- - 2.21.0
- - dependency-name: cypress-file-upload
- versions:
- - 5.0.2
- - 5.0.3
- - 5.0.4
- - 5.0.5
- - dependency-name: neo4j-driver
- versions:
- - 4.2.2
+ interval: weekly
+ day: "saturday"
+ timezone: "Europe/Berlin"
+ time: "03:00"
+ # open-pull-requests-limit: 10
+ # ignore:
 - package-ecosystem: npm
 directory: "/backend"
 schedule:
- interval: daily
- time: "04:00"
- open-pull-requests-limit: 10
- ignore:
- - dependency-name: y18n
- versions:
- - 4.0.1
- - 4.0.2
- - dependency-name: metascraper-publisher
- versions:
- - 5.16.16
- - 5.18.1
- - 5.18.12
- - 5.18.2
- - 5.18.4
- - 5.18.5
- - 5.18.6
- - 5.18.9
- - 5.20.0
- - 5.21.0
- - 5.21.2
- - 5.21.3
- - 5.21.4
- - 5.21.5
- - dependency-name: metascraper-author
- versions:
- - 5.16.16
- - 5.18.1
- - 5.18.12
- - 5.18.2
- - 5.18.4
- - 5.18.5
- - 5.18.6
- - 5.18.9
- - 5.20.0
- - 5.21.0
- - 5.21.2
- - 5.21.3
- - 5.21.4
- - 5.21.5
- - dependency-name: neo4j-driver
- versions:
- - 4.2.2
- - dependency-name: neo4j-graphql-js
- versions:
- - 2.19.1
- - dependency-name: mustache
- versions:
- - 4.1.0
+ interval: weekly
+ day: "saturday"
+ timezone: "Europe/Berlin"
+ time: "03:00"
+ # open-pull-requests-limit: 10
+ # ignore:
 - package-ecosystem: npm
 directory: "/webapp"
 schedule:
- interval: daily
- time: "04:00"
- open-pull-requests-limit: 10
- ignore:
- - dependency-name: nuxt
- versions:
- - 2.14.12
- - 2.15.0
- - 2.15.1
- - 2.15.2
- - 2.15.3
- - dependency-name: v-tooltip
- versions:
- - 2.1.2
- - dependency-name: "@vue/server-test-utils"
- versions:
- - 1.1.2
- - 1.1.3
- - dependency-name: node-notifier
- versions:
- - 8.0.1
+ interval: weekly
+ day: "saturday"
+ timezone: "Europe/Berlin"
+ time: "03:00"
+ # open-pull-requests-limit: 10
+ # ignore:
 - package-ecosystem: docker
 directory: "/webapp"
 schedule:
- interval: daily
- time: "04:00"
- open-pull-requests-limit: 10
- ignore:
- - dependency-name: node
- versions:
- - ">= 15.5.a, < 15.6"
- - dependency-name: node
- versions:
- - 15.10.0.pre.alpine3.10
- - 15.11.0.pre.alpine3.10
- - 15.12.0.pre.alpine3.10
- - 15.13.0.pre.alpine3.10
- - 15.7.0.pre.alpine3.10
- - 15.8.0.pre.alpine3.10
- - 15.9.0.pre.alpine3.10
+ interval: weekly
+ day: "saturday"
+ timezone: "Europe/Berlin"
+ time: "03:00"
+ # open-pull-requests-limit: 10
+ # ignore:
 - package-ecosystem: docker
 directory: "/backend"
 schedule:
- interval: daily
- time: "04:00"
- open-pull-requests-limit: 10
- ignore:
- - dependency-name: node
- versions:
- - ">= 15.4.a, < 15.5"
- - dependency-name: node
- versions:
- - ">= 15.5.a, < 15.6"
- - dependency-name: node
- versions:
- - 15.10.0.pre.alpine3.10
- - 15.11.0.pre.alpine3.10
- - 15.12.0.pre.alpine3.10
- - 15.13.0.pre.alpine3.10
- - 15.7.0.pre.alpine3.10
- - 15.8.0.pre.alpine3.10
- - 15.9.0.pre.alpine3.10
+ interval: weekly
+ day: "saturday"
+ timezone: "Europe/Berlin"
+ time: "03:00"
+ # open-pull-requests-limit: 10
+ # ignore:
 - package-ecosystem: docker
 directory: "/neo4j"
 schedule:
- interval: daily
- time: "04:00"
- open-pull-requests-limit: 10
- ignore:
- - dependency-name: neo4j
- versions:
- - 4.2.3
- - 4.2.4
+ interval: weekly
+ day: "saturday"
+ timezone: "Europe/Berlin"
+ time: "03:00"
+ # open-pull-requests-limit: 10
+ # ignore:
 - package-ecosystem: docker
 directory: "/deployment/legacy-migration/maintenance-worker"
 schedule:
- interval: daily
- time: "04:00"
- open-pull-requests-limit: 10
+ interval: weekly
+ day: "saturday"
+ timezone: "Europe/Berlin"
+ time: "03:00"
+ # open-pull-requests-limit: 10
+ # ignore:
From 9a0b9a34c3ca117493bdc7b8bf63dc682430df19 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Fri, 24 Feb 2023 11:33:29 +0100
Subject: [PATCH 3/7] fix dependabot configuration
---
 .github/dependabot.yml | 39 ++++++++++++++++++---------------------
 1 file changed, 18 insertions(+), 21 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 585710358..085fedb18 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,6 @@
 version: 2
 updates:
-- package-ecosystem: npm
+- package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: weekly
@@ -9,6 +9,14 @@ updates:
 time: "03:00"
 # open-pull-requests-limit: 10
 # ignore:
+
+- package-ecosystem: npm
+ directory: "/"
+ schedule:
+ interval: weekly
+ day: "saturday"
+ timezone: "Europe/Berlin"
+ time: "03:00"
 - package-ecosystem: npm
 directory: "/backend"
 schedule:
@@ -16,8 +24,6 @@ updates:
 day: "saturday"
 timezone: "Europe/Berlin"
 time: "03:00"
- # open-pull-requests-limit: 10
- # ignore:
 - package-ecosystem: npm
 directory: "/webapp"
 schedule:
@@ -25,17 +31,7 @@ updates:
 day: "saturday"
 timezone: "Europe/Berlin"
 time: "03:00"
- # open-pull-requests-limit: 10
- # ignore:
-- package-ecosystem: docker
- directory: "/webapp"
- schedule:
- interval: weekly
- day: "saturday"
- timezone: "Europe/Berlin"
- time: "03:00"
- # open-pull-requests-limit: 10
- # ignore:
+
 - package-ecosystem: docker
 directory: "/backend"
 schedule:
@@ -43,8 +39,13 @@ updates:
 day: "saturday"
 timezone: "Europe/Berlin"
 time: "03:00"
- # open-pull-requests-limit: 10
- # ignore:
+- package-ecosystem: docker
+ directory: "/webapp"
+ schedule:
+ interval: weekly
+ day: "saturday"
+ timezone: "Europe/Berlin"
+ time: "03:00"
 - package-ecosystem: docker
 directory: "/neo4j"
 schedule:
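Review bot: Dropping the `ignore:` lists while commenting out `open-pull-requests-limit: 10` changes two things at once and the hunk documents neither: every version held back until now (cypress 7.x, nuxt 2.15.x, the `15.x.0.pre.alpine3.10` node images, …) becomes eligible again on the first Saturday run, and the number of open PRs per entry falls back to Dependabot's default of 5. It is also worth stating next to `interval: weekly`, since the subject ties this change to "dependabot issues", that the schedule governs version updates only; security updates driven by Dependabot alerts are raised independently of it when they are enabled in the repository settings, so going from daily to weekly does not delay security fixes. Suggested comment above the first `schedule:`: `# Version updates only; alert-driven security updates are scheduled by GitHub, not by this file.`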
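Review bot: The root entry now covers `github-actions`, which is the right ecosystem for `directory: "/"` (Dependabot reads `.github/workflows` from there), but it only follows whatever reference form the workflows already use: an action referenced as a major tag is moved to the next tag, while an action pinned to a full commit SHA has its SHA advanced with a version comment. If SHA pinning is wanted for the actions in `.github/workflows/test.yml` as supply-chain hardening, this entry is compatible with it and keeps the pins current; the pinning itself lies outside this hunk. A one-line comment above the new first entry, e.g. `# keeps workflow action references (tags or SHA pins) up to date`, would make its purpose clear.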
@@ -52,14 +53,10 @@ updates:
 day: "saturday"
 timezone: "Europe/Berlin"
 time: "03:00"
- # open-pull-requests-limit: 10
- # ignore:
 - package-ecosystem: docker
- directory: "/deployment/legacy-migration/maintenance-worker"
+ directory: "/deployment/src/docker"
 schedule:
 interval: weekly
 day: "saturday"
 timezone: "Europe/Berlin"
 time: "03:00"
- # open-pull-requests-limit: 10
- # ignore:
From 9cf32201feff43734206b18c89420194bfc2fe2e Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Fri, 24 Feb 2023 12:37:24 +0100
Subject: [PATCH 4/7] allow write-all
---
 .github/workflows/test.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e15313549..ea298bc11 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -168,8 +168,8 @@ jobs:
 name: Unit tests - backend
 runs-on: ubuntu-latest
 needs: [build_test_neo4j,build_test_backend]
- permissions:
- security-events: write
+ permissions: write-all
+ # security-events: write
 steps:
 ##########################################################################
 # CHECKOUT CODE ##########################################################
@@ -227,8 +227,8 @@ jobs:
 name: Unit tests - webapp
 runs-on: ubuntu-latest
 needs: [build_test_webapp]
- permissions:
- security-events: write
+ permissions: write-all
+ # security-events: write
 steps:
 ##########################################################################
 # CHECKOUT CODE ##########################################################
From f3a95120bb9691ea113d05be71f0895f4574a042 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Fri, 24 Feb 2023 13:01:49 +0100
Subject: [PATCH 5/7] try limit permissions to statusses
---
 .github/workflows/test.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ea298bc11..f4f1e141e 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
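Review bot: `directory: "/deployment/src/docker"` cannot be verified from the hunk; if no Dockerfile lives at that path (the old entry pointed at `/deployment/legacy-migration/maintenance-worker`), Dependabot surfaces the problem only in the log of that entry's job instead of rejecting the configuration, so a silently idle entry is easy to miss. Please confirm the path against the repository tree, and consider a comment naming what it tracks, e.g. `# base image of the deployment Dockerfile`.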
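Review bot: `permissions: write-all` gives the GITHUB_TOKEN of a job that executes third-party npm test tooling every write scope, including `contents`, `packages` and `pull-requests`; a compromised dev dependency running inside the unit tests would inherit that token, which is the opposite of the least-privilege direction the rest of this series is heading. On `pull_request` runs from forks the token is read-only regardless, so `write-all` would not even help there. Patch 5 narrows it again, so the practical ask is to squash the series so that no commit on the default branch carries `write-all` — an intermediate commit is still checked out by anyone bisecting or reverting. The same applies to the webapp job hunk at `@@ -227`.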
@@ -168,7 +168,8 @@ jobs:
 name: Unit tests - backend
 runs-on: ubuntu-latest
 needs: [build_test_neo4j,build_test_backend]
- permissions: write-all
+ permissions:
+ statuses: write
 # security-events: write
 steps:
 ##########################################################################
@@ -227,7 +228,8 @@ jobs:
 name: Unit tests - webapp
 runs-on: ubuntu-latest
 needs: [build_test_webapp]
- permissions: write-all
+ permissions:
+ statuses: write
 # security-events: write
 steps:
 ##########################################################################
From 2b30527ef0225c5da3e118db94156ba278033369 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Fri, 24 Feb 2023 13:23:04 +0100
Subject: [PATCH 6/7] try checks permission
---
 .github/workflows/test.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f4f1e141e..824b519d7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -169,7 +169,8 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build_test_neo4j,build_test_backend]
 permissions:
- statuses: write
+ #statuses: write
+ checks: write
 # security-events: write
 steps:
 ##########################################################################
@@ -229,7 +230,9 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build_test_webapp]
 permissions:
- statuses: write
+ #statuses: write
+ #actions: write
+ checks: write
 # security-events: write
 steps:
 ##########################################################################
From 6016a8b85a5c07a0912cef6edfd3e747965f85f7 Mon Sep 17 00:00:00 2001
From: Ulf Gebhardt
Date: Fri, 24 Feb 2023 13:45:43 +0100
Subject: [PATCH 7/7] remove comments, checks permissions are working
---
 .github/workflows/test.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 824b519d7..8560aef0b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -169,9 +169,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build_test_neo4j,build_test_backend]
 permissions:
- #statuses: write
 checks: write
- # security-events: write
 steps:
 ##########################################################################
 # CHECKOUT CODE ##########################################################
@@ -230,10 +228,7 @@ jobs:
 runs-on: ubuntu-latest
 needs: [build_test_webapp]
 permissions:
- #statuses: write
- #actions: write
 checks: write
- # security-events: write
 steps:
 ##########################################################################
 # CHECKOUT CODE ##########################################################
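Review bot: `checks: write` is now left without a comment naming the step that needs it, and because the scope was arrived at by trial in patches 5–6 (statuses first, then checks) the next maintainer cannot tell which step breaks when it is touched; add `# checks: write lets the test-result reporter create check runs; confirm against the consuming step` above it — that step lies outside this hunk. The same comment should mention that on `pull_request` runs from forks GitHub downgrades the token to read-only, so check-run creation is expected to fail there whatever this block says, which saves the next person a round of the same trial-and-error. The same applies to the webapp job hunk at `@@ -230`.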