Merge pull request #55 from timoa/develop

Merge to Master
timoa · Mar 29, 2022 · 6e1c166 · 6e1c166
2 parents eb03543 + 103b9c0
commit 6e1c166
Show file tree

Hide file tree

Showing 7 changed files with 1,405 additions and 1,809 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -16,7 +16,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2
+      uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -29,15 +29,15 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@883476649888a9e8e219d5b2e6b789dc024f690c # tag=v1.1.5
       # Override language selection by uncommenting this and choosing your languages
       # with:
       #   languages: go, javascript, csharp, python, cpp, java
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@883476649888a9e8e219d5b2e6b789dc024f690c # tag=v1.1.5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -51,4 +51,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@883476649888a9e8e219d5b2e6b789dc024f690c # tag=v1.1.5
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -10,16 +10,17 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [12.x]
+        node: ['12', '14']
 
     steps:
       - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
 
-      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # tag=v1
+      - name: Setup Node.js ${{ matrix.node }}
+        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # tag=v3
         with:
-          node-version: ${{ matrix.node-version }}
+          node-version: ${{ matrix.node }}
+          check-latest: true
 
       - name: Install dependencies
         run: npm install
@@ -33,21 +34,22 @@ jobs:
         run: npm run test:coverage
 
       - name: Save Code Coverage
-        uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # tag=v2
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v3.0.0
         with:
           name: code-coverage
           path: coverage
 
-  sonarcloud:
+  # -- SONARCLOUD -------------------------------------------------------------
+  code-quality:
     runs-on: ubuntu-latest
     needs: tests
 
     steps:
       - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
 
       - name: Download Code Coverage
-        uses: actions/download-artifact@f023be2c48cc18debc3bacd34cb396e0295e2869 # tag=v2
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3.0.0
         with:
           name: code-coverage
           path: coverage
@@ -61,15 +63,32 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 
-  # -- RELEASE ----------------------------------------------------------------
+  # -- SEMGREP ----------------------------------------------------------------
+  code-security:
+    runs-on: ubuntu-latest
+    needs: tests
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3
+
+      - name: Semgrep SAST Scan
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+            p/security-audit
+            p/secrets
+          auditOn: push
 
+  # -- RELEASE ----------------------------------------------------------------
   release:
     runs-on: ubuntu-latest
-    needs: tests
-    if: contains('
-        refs/heads/master
-        refs/heads/develop
-      ', github.ref)
+    needs:
+      - code-quality
+      - code-security
+    if: github.ref == 'refs/heads/master'
 
     steps:
       - name: Checkout
@@ -88,12 +107,14 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # tag=v3.0.0
 
       - name: Docker Build
-        uses: docker/build-push-action@3e7a4f6646880c6f63758d73ac32392d323eaf8f # tag=v1
+        uses: docker/build-push-action@7f9d37fa544684fb73bfe4835ed7214c255ce02b # tag=v2.9.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
           repository: timoa/app-stores-prometheus-exporter
-          tags: latest
+          tags: |
+            ${GITHUB_REF#refs/*/}
+            latest
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## [0.4.9](https://github.com/timoa/app-stores-prometheus-exporter/compare/v0.4.8...v0.4.9) (2022-03-27)
+
+
+### Bug Fixes
+
+* **deps:** update dependency app-store-scraper to v0.17.0 ([a126659](https://github.com/timoa/app-stores-prometheus-exporter/commit/a126659b4e022dfd2d29d182c92f30a51437dc14))
+
 ## [0.4.8](https://github.com/timoa/app-stores-prometheus-exporter/compare/v0.4.7...v0.4.8) (2022-03-27)
 
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,18 @@
+# Security Policy
+
+## Supported Versions
+
+We release patches for security vulnerabilities. Which versions are eligible
+receiving such patches depend on the CVSS v3.0 Rating:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.5.x   | :white_check_mark: |
+| > 0.4.8 | :white_check_mark: |
+| < 0.4.8 | :x:                |
+
+## Reporting a Vulnerability
+
+Please report (suspected) security vulnerabilities to **[issue board](https://github.com/timoa/app-stores-prometheus-exporter/issues)**
+with the label **vulnerability**. If the issue is confirmed, we will release a patch as soon as possible depending on complexity,
+but historically within a few days.
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -2,7 +2,7 @@ version: '3.3'
 
 services:
   api:
-    image: timoa/app-stores-prometheus-exporter:latest@sha256:724f9351775e37c431dcf9a8f5350d488ea3e9be31ba8c2e5a26ef3d5f888d9a
+    image: timoa/app-stores-prometheus-exporter:latest@sha256:725ead64d8492131a4998f36cd633eb5bbb363df623d2dd5ae5b2b763545e12f
     environment:
       - NODE_ENV=production
     volumes: