From cc314cb8c0f0d58a3333eafddf28bfb03fb01f09 Mon Sep 17 00:00:00 2001
From: Jon Gadsden
Date: Fri, 25 Apr 2025 07:19:08 +0100
Subject: [PATCH 1/6] add housekeeping pipeline
---
.github/workflows/housekeeping.yaml | 72 +++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)
create mode 100644 .github/workflows/housekeeping.yaml
diff --git a/.github/workflows/housekeeping.yaml b/.github/workflows/housekeeping.yaml
new file mode 100644
index 00000000..015bb720
--- /dev/null
+++ b/.github/workflows/housekeeping.yaml
@@ -0,0 +1,72 @@
+name: Housekeeping
+# checks are on all directories
+
+on:
+ # Run daily at 7:00
+ schedule:
+ - cron: '0 7 * * *'
+ workflow_dispatch:
+
+# for security reasons the github actions are pinned to specific release versions
+jobs:
+ chores:
+ name: Tidy workflows
+ runs-on: ubuntu-24.04
+ permissions:
+ actions: write
+
+ steps:
+ - name: Delete stale workflow runs
+ uses: Mattraks/delete-workflow-runs@v2.0.6
+ with:
+ token: ${{ github.token }}
+ repository: ${{ github.repository }}
+ retain_days: 28
+ keep_minimum_runs: 10
+
+ - name: Delete unused workflows
+ uses: otto-de/purge-deprecated-workflow-runs@v3.0.1
+ with:
+ token: ${{ github.token }}
+
+ link_checker:
+ name: Link checker
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v4.2.0
+
+ - name: Link Checker
+ uses: lycheeverse/lychee-action@v2.4.0
+ with:
+ # skip the jekyll files under '_includes' directory, check all other directories
+ args: >-
+ --no-progress
+ --max-retries 5
+ --exclude-path './_includes/*.html'
+ '**/*.md'
+ '*.md'
+ fail: true
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+ stale:
+ name: Tidy pull requests
+ runs-on: ubuntu-24.04
+ permissions:
+ pull-requests: write
+ issues: write
+
+ steps:
+ - name: Tidy stale PRs and issues
+ uses: actions/stale@v9
+ with:
+ days-before-issue-stale: 182
+ days-before-issue-close: -1
+ stale-issue-message: 'This issue is stale because it has been open for 6 months with no activity.'
+ stale-issue-label: stale
+ remove-issue-stale-when-updated: true
+ days-before-pr-stale: 42
+ days-before-pr-close: 7
+ stale-pr-message: 'This PR is stale because it has been open 42 days with no activity. Remove stale label, or add a comment, otherwise it will be closed in 7 days.'
+ close-pr-message: 'This PR was closed because it has been stalled for 7 weeks with no activity.'
From c2b8641a9fa05039d3ecf29cdf21183a75b6d714 Mon Sep 17 00:00:00 2001
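Review bot: The comment above `jobs:` says the actions are pinned to specific release versions, but the `stale` job uses the floating major tag `actions/stale@v9`, and the version tags on the other actions are mutable references; for the two third-party cleanup actions in `chores`, which run with `actions: write`, pinning to a full commit SHA with the version in a trailing comment (e.g. `uses: Mattraks/delete-workflow-runs@<commit-sha>  # v2.0.6`, placeholder SHA) is what the stated intent calls for. The `link_checker` job has no `permissions:` block although it hands `GITHUB_TOKEN` to lychee, so it inherits the workflow default; adding `permissions:` with `contents: read` to that job keeps it at least privilege. This hunk also uses `lycheeverse/lychee-action@v2.4.0` while the pr.yaml and release.yaml hunks in patch 2 use `v2.3.0`, which looks unintentional.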
From: Jon Gadsden
Date: Fri, 25 Apr 2025 09:24:22 +0100
Subject: [PATCH 2/6] add pull-request and release pipelines
---
.github/workflows/pr.yaml | 82 ++++++++++++++++++++++++
.github/workflows/release.yaml | 114 +++++++++++++++++++++++++++++++++
.release-note-template.md | 8 +++
3 files changed, 204 insertions(+)
create mode 100644 .github/workflows/pr.yaml
create mode 100644 .github/workflows/release.yaml
create mode 100644 .release-note-template.md
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
new file mode 100644
index 00000000..aada0784
--- /dev/null
+++ b/.github/workflows/pr.yaml
@@ -0,0 +1,82 @@
+name: Pull request pipeline
+
+on:
+ pull_request:
+ branches:
+ - main
+ workflow_dispatch:
+
+# for security reasons the github actions are pinned to specific release versions
+jobs:
+ link_checker:
+ name: Link checker
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v4.2.0
+
+ - name: Link Checker
+ uses: lycheeverse/lychee-action@v2.3.0
+ with:
+ args: >-
+ --no-progress
+ --max-retries 5
+ './docs/**/*.md'
+ fail: true
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+ md_linter:
+ name: Lint markdown
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v4.2.0
+
+ - name: Lint markdown
+ uses: DavidAnson/markdownlint-cli2-action@v19.1.0
+ with:
+ config: '.markdownlint.yaml'
+ globs: 'docs/**/*.md'
+
+ spell_checker:
+ name: Check spelling
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v4.2.0
+
+ - name: Spell check EN language
+ uses: rojopolis/spellcheck-github-actions@0.47.0
+ with:
+ config_path: .spellcheck-en.yaml
+
+ export_pdf:
+ name: Export PDF
+ runs-on: ubuntu-24.04
+ needs: [link_checker, md_linter, spell_checker]
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v4.2.0
+
+ - name: Install python
+ uses: actions/setup-python@v5.5.0
+ with:
+ python-version: 3.x
+
+ - name: Install python packages
+ run: |
+ python -m pip install --upgrade pip setuptools wheel
+ pip install mkdocs
+ pip install mkdocs-material
+ pip install mkdocs-open-in-new-tab
+ pip install mkdocs-with-pdf
+
+ - name: Build
+ run: mkdocs build
+
+ - name: Upload PDF
+ uses: actions/upload-artifact@v4.6.0
+ with:
+ name: pdf-export
+ path: site/OWASP_Developer_Guide.pdf
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 00000000..82cb951d
--- /dev/null
+++ b/.github/workflows/release.yaml
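Review bot: The `Install python packages` step of the `export_pdf` job installs `mkdocs`, `mkdocs-material`, `mkdocs-open-in-new-tab` and `mkdocs-with-pdf` with no version constraint, and `python-version: 3.x` floats as well, which undercuts the "pinned for security reasons" comment above `jobs:` because the PDF build pulls whatever PyPI serves that day. A `requirements.txt` with pinned versions (ideally installed with `--require-hashes`) and a single `pip install -r requirements.txt` line gives a reproducible build; the same step appears in the release.yaml hunk. The workflow also declares no `permissions:` at all; on `pull_request` from a fork the token is read-only anyway, but an explicit top-level `permissions:` with `contents: read` records that nothing here needs to write.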
@@ -0,0 +1,114 @@
+name: Release docs
+# checks are only on the draft directory because the release directory will be overwritten
+
+on:
+ push:
+ # tagged x.x.x releases as well as release candidates
+ tags:
+ - ?.?.?*
+ workflow_dispatch:
+
+# for security reasons the github actions are pinned to specific release versions
+jobs:
+ link_checker:
+ name: Link checker
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v4.2.0
+
+ - name: Link Checker
+ uses: lycheeverse/lychee-action@v2.3.0
+ with:
+ args: >-
+ --no-progress
+ --max-retries 5
+ './docs/**/*.md'
+ fail: true
+ env:
+ GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+ md_linter:
+ name: Lint markdown
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v4.2.0
+
+ - name: Lint markdown
+ uses: DavidAnson/markdownlint-cli2-action@v19.1.0
+ with:
+ config: '.markdownlint.yaml'
+ globs: 'docs/**/*.md'
+
+ spell_checker:
+ name: Check spelling
+ runs-on: ubuntu-24.04
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v4.2.0
+
+ - name: Spell check EN language
+ uses: rojopolis/spellcheck-github-actions@0.47.0
+ with:
+ config_path: .spellcheck-en.yaml
+
+ export_pdf:
+ name: Export PDF
+ runs-on: ubuntu-24.04
+ needs: [link_checker, md_linter, spell_checker]
+ steps:
+ - name: Checkout markdown
+ uses: actions/checkout@v4.2.0
+
+ - name: Install python
+ uses: actions/setup-python@v5.5.0
+ with:
+ python-version: 3.x
+
+ - name: Install python packages
+ run: |
+ python -m pip install --upgrade pip setuptools wheel
+ pip install mkdocs
+ pip install mkdocs-material
+ pip install mkdocs-open-in-new-tab
+ pip install mkdocs-with-pdf
+
+ - name: Build
+ run: mkdocs build
+
+ - name: Upload PDF
+ uses: actions/upload-artifact@v4.6.0
+ with:
+ name: 'pdf-export'
+ path: 'site/OWASP_Developer_Guide.pdf'
+
+ draft_release:
+ name: Create draft release
+ runs-on: ubuntu-24.04
+ needs: [link_checker, md_linter, spell_checker]
+ steps:
+ - name: Check out
+ uses: actions/checkout@v4.2.0
+
+ - name: Fetch prepared SBOM artifacts
+ uses: actions/download-artifact@v4.2.1
+ with:
+ name: 'pdf-export'
+ path: 'site/OWASP_Developer_Guide.pdf'
+
+ - name: Prepare release notes
+ run: |
+ releaseVersion=${{ github.ref_name }}
+ sed -e s/x.x.x/${releaseVersion:1}/g .release-note-template.md > ./release-notes.txt
+
+ - name: Create release notes
+ uses: softprops/action-gh-release@v2.2.0
+ with:
+ draft: true
+ name: "${releaseVersion:1}"
+ append_body: true
+ body_path: ./release-notes.txt
+ generate_release_notes: true
+ files: |
+ site/OWASP_Developer_Guide.pdf
diff --git a/.release-note-template.md b/.release-note-template.md
new file mode 100644
index 00000000..06044fe6
--- /dev/null
+++ b/.release-note-template.md
@@ -0,0 +1,8 @@
+### What's Changed
+
+### PDF version
+
+The [PDF][pdf] version of the [web document][devguide] can be downloaded for version x.x.x .
+
+[devguide]: devguide.owasp.org
+[pdf]: https://github.com/OWASP/threat-dragon/releases/download/vx.x.x/OWASP_Developer_Guide.pdf
From 4ad9e98e282cb8ea7d18b3369c57c9612271732f Mon Sep 17 00:00:00 2001
From: Jon Gadsden
Date: Fri, 25 Apr 2025 09:49:57 +0100
Subject: [PATCH 3/6] add ognore list for link checker
---
.lycheeignore | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 .lycheeignore
diff --git a/.lycheeignore b/.lycheeignore
new file mode 100644
index 00000000..3ab51c5c
--- /dev/null
+++ b/.lycheeignore
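Review bot: In the `Create release notes` step of `draft_release`, `name: "${releaseVersion:1}"` is passed through `with:`, where no shell parameter expansion happens, so the draft release would presumably be named with that literal text; the version computed in `Prepare release notes` needs to be exported as a step output and referenced as an expression. In the `Fetch prepared SBOM artifacts` step, `path: 'site/OWASP_Developer_Guide.pdf'` on `download-artifact` is a destination directory rather than a file name, so the PDF would land beneath that directory and the later `files:` entry would not match it; `path: site` is what the upload side implies. The `releaseVersion=${{ github.ref_name }}` line interpolates the tag name straight into the shell script; routing it through `env:` avoids the expression-injection pattern even though only tag pushers reach it. The job should also declare `permissions:` with `contents: write` explicitly, since creating a release needs it and the other jobs need only `contents: read`. Finally, the `[pdf]` link in the `.release-note-template.md` hunk points at the `OWASP/threat-dragon` releases, which looks copied over from another project.
```yaml
  draft_release:
    # … unchanged: name, runs-on, needs …
    permissions:
      contents: write
    steps:
      # … unchanged: checkout step …
      - name: Fetch PDF artifact
        uses: actions/download-artifact@v4.2.1
        with:
          name: 'pdf-export'
          path: site

      - name: Prepare release notes
        id: notes
        env:
          RELEASE_TAG: ${{ github.ref_name }}
        run: |
          releaseVersion="${RELEASE_TAG:1}"
          sed -e "s/x.x.x/${releaseVersion}/g" .release-note-template.md > ./release-notes.txt
          echo "version=${releaseVersion}" >> "$GITHUB_OUTPUT"

      - name: Create release notes
        uses: softprops/action-gh-release@v2.2.0
        with:
          draft: true
          name: ${{ steps.notes.outputs.version }}
          # … unchanged: append_body, body_path, generate_release_notes, files …
```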
@@ -0,0 +1,27 @@ +# ignore these false positives from the link checker housekeeper + +# some sites that are examples only, no intention of being real +myfriend.site.com/ + +# Lockheed Martin has trouble with SSL certificates, temporarily ignore +https://www.lockheedmartin.com + +# github gets upset if too many requests are made to create new issues +https://github.com/OWASP/www-project-developer-guide/issues/new +https://github.com/OWASP/www-project-developer-guide/pulls + +# ignore LINDDUN site because it occasionally times out +https://www.linddun.org/ + +# automated access to esapi is forbidden +https://mvnrepository.com/artifact/org.owasp.esapi/esapi + +# do not harass dockerhub +https://hub.docker.com/r/owasp/threat-dragon/tags +https://hub.docker.com/r/webgoat/webgoat + +# Google drive tends to need permissions that the link checker does not have +https://drive.google.com/ + +# SAMM training site blocks automated access +https://owaspsamm.thinkific.com/courses/samm From 9e366f2e368fe58542d4e060d5052a2bdd5e0fc9 Mon Sep 17 00:00:00 2001 From: Jon Gadsden Date: Fri, 25 Apr 2025 09:53:52 +0100 Subject: [PATCH 4/6] extend link checker ignore list --- .lycheeignore | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.lycheeignore b/.lycheeignore index 3ab51c5c..f329c94f 100644 --- a/.lycheeignore +++ b/.lycheeignore @@ -7,8 +7,8 @@ myfriend.site.com/ https://www.lockheedmartin.com # github gets upset if too many requests are made to create new issues -https://github.com/OWASP/www-project-developer-guide/issues/new -https://github.com/OWASP/www-project-developer-guide/pulls +https://github.com/OWASP/DevGuide/issues/new +https://github.com/OWASP/DevGuide/pulls # ignore LINDDUN site because it occasionally times out https://www.linddun.org/ 
@@ -17,7 +17,10 @@ https://www.linddun.org/ https://mvnrepository.com/artifact/org.owasp.esapi/esapi # do not harass dockerhub +https://hub.docker.com/r/bkimminich/juice-shop +https://hub.docker.com/r/pygoat/pygoat https://hub.docker.com/r/owasp/threat-dragon/tags +https://hub.docker.com/r/securityrat/securityrat https://hub.docker.com/r/webgoat/webgoat # Google drive tends to need permissions that the link checker does not have From 2fdfb3260eceea70afcfb0d0f81ed08146c5a2cc Mon Sep 17 00:00:00 2001 From: Jon Gadsden Date: Fri, 25 Apr 2025 10:00:58 +0100 Subject: [PATCH 5/6] slim down release pipeline --- .github/workflows/housekeeping.yaml | 2 +- .github/workflows/pr.yaml | 2 +- .github/workflows/release.yaml | 46 +---------------------------- 3 files changed, 3 insertions(+), 47 deletions(-) diff --git a/.github/workflows/housekeeping.yaml b/.github/workflows/housekeeping.yaml index 015bb720..09a27947 100644 --- a/.github/workflows/housekeeping.yaml +++ b/.github/workflows/housekeeping.yaml @@ -42,7 +42,7 @@ jobs: # skip the jekyll files under '_includes' directory, check all other directories args: >- --no-progress - --max-retries 5 + --max-retries 2 --exclude-path './_includes/*.html' '**/*.md' '*.md' diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index aada0784..7039efd7 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -20,7 +20,7 @@ jobs: with: args: >- --no-progress - --max-retries 5 + --max-retries 2 './docs/**/*.md' fail: true env: diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 82cb951d..b7ccc5fd 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -10,53 +10,9 @@ on: # for security reasons the github actions are pinned to specific release versions jobs: - link_checker: - name: Link checker - runs-on: ubuntu-24.04 - steps: - - name: Checkout markdown - uses: actions/checkout@v4.2.0 - - - name: Link Checker - uses: lycheeverse/lychee-action@v2.3.0 - with: - args: >- - --no-progress - --max-retries 5 - './docs/**/*.md' - fail: true - env: - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} - - md_linter: - name: Lint markdown - runs-on: ubuntu-24.04 - steps: - - name: Checkout markdown - uses: actions/checkout@v4.2.0 - - - name: Lint markdown - uses: DavidAnson/markdownlint-cli2-action@v19.1.0 - with: - config: '.markdownlint.yaml' - globs: 'docs/**/*.md' - - spell_checker: - name: Check spelling - runs-on: ubuntu-24.04 - steps: - - name: Checkout markdown - uses: actions/checkout@v4.2.0 - - - name: Spell check EN language - uses: rojopolis/spellcheck-github-actions@0.47.0 - with: - config_path: .spellcheck-en.yaml - export_pdf: name: Export PDF runs-on: ubuntu-24.04 - needs: [link_checker, md_linter, spell_checker] steps: - name: Checkout markdown uses: actions/checkout@v4.2.0 @@ -86,7 +42,7 @@ jobs: draft_release: name: Create draft release runs-on: ubuntu-24.04 - needs: [link_checker, md_linter, spell_checker] + needs: [export_pdf] steps: - name: Check out uses: actions/checkout@v4.2.0 From 9170c0e38732eee5328b382693b3ddf6f2bd2914 Mon Sep 17 00:00:00 2001 From: Jon Gadsden Date: Sat, 26 Apr 2025 07:15:01 +0100 Subject: [PATCH 6/6] further slim down release pipeline --- .lycheeignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.lycheeignore b/.lycheeignore index f329c94f..5aadd183 100644 --- a/.lycheeignore +++ b/.lycheeignore 
@@ -10,6 +10,9 @@ https://www.lockheedmartin.com https://github.com/OWASP/DevGuide/issues/new https://github.com/OWASP/DevGuide/pulls +# at times github gets upset full stop +https://github.com/OWASP/DevGuide + # ignore LINDDUN site because it occasionally times out https://www.linddun.org/
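Review bot: Lychee reads each `.lycheeignore` line as a regular expression matched against the URL rather than as a literal address, so the new `https://github.com/OWASP/DevGuide` line excludes every deeper link into the repository (issues, pulls, blob and tree paths alike), which makes the two more specific entries above it redundant and silently stops checking any doc that deep-links into the repo. If only the repository landing page is meant, anchor the pattern, `^https://github.com/OWASP/DevGuide/?$`, and keep the specific lines. The commit subject, "further slim down release pipeline", also does not describe this change, which touches only the ignore list.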