This is an automated email from the ASF dual-hosted git repository. Aman-Mittal pushed a commit to branch setup-ci-security in repository https://gitbox.apache.org/repos/asf/fineract-loan-origination.git
commit 665385507c02c1b1b98460e834413ee3b0ec632d Author: Aman Mittal <[email protected]> AuthorDate: Sun May 24 18:37:29 2026 +0530 Enhance security workflows and optimize CI processes --- .asf.yaml | 17 +++++++ .github/dependabot.yml | 66 ++++++++++++++++++++++++ .github/workflows/apache-rat.yml | 66 ++++++++++++++++++++++++ .github/workflows/asf-allowlist-check.yml | 49 ++++++++++++++++++ .github/workflows/codeql.yml | 83 +++++++++++++++++++++++++++++++ .github/workflows/zizmor.yml | 61 +++++++++++++++++++++++ Readme.md | 19 +++++++ 7 files changed, 361 insertions(+) diff --git a/.asf.yaml b/.asf.yaml index ecf8509..3b0b36f 100644 --- a/.asf.yaml +++ b/.asf.yaml @@ -1,3 +1,20 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + notifications: commits: [email protected] pullrequests: [email protected] diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..c28f2cc --- /dev/null +++ b/.github/dependabot.yml 
@@ -0,0 +1,66 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+version: 2
+updates:
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 4
+
+ # Maintain dependencies for npm (Frontend/Node.js)
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 4
+
+ # Maintain dependencies for Gradle (Backend)
+ - package-ecosystem: "gradle"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 4
+
+ # Maintain dependencies for Maven (Backend alternative)
+ - package-ecosystem: "maven"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 4
+
+ # Maintain dependencies for Docker
+ - package-ecosystem: "docker"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 4
+
+ # Maintain dependencies for Python (pip)
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ cooldown:
+ default-days: 4
diff --git a/.github/workflows/apache-rat.yml b/.github/workflows/apache-rat.yml
new file mode 100644
index 0000000..5820ffb
--- /dev/null
+++ b/.github/workflows/apache-rat.yml
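Review bot: Five of the six update stanzas (`npm`, `gradle`, `maven`, `docker`, `pip`) all point at `directory: "/"`, and the Readme touched by this same commit describes a repository initialized this month, so most of those manifests are unlikely to exist yet; Dependabot typically reports a configuration error for every ecosystem whose manifest is missing from the configured directory, which adds noise to the Insights tab and can hide a real failure. I'd keep `github-actions` plus whichever build ecosystem actually has a manifest and add the remaining stanzas when their manifests land, treating `gradle` versus `maven` as a deliberate choice rather than keeping both as an "alternative". The `cooldown` of 4 days on each ecosystem is a sensible buffer against freshly published, possibly compromised releases and is worth retaining on whatever stanzas stay.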
@@ -0,0 +1,66 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: Apache RAT Scan
+
+on:
+ push:
+ branches: [ "**" ]
+ paths-ignore:
+ - "**/*.md"
+ - ".rat-excludes"
+ - "LICENSE"
+ pull_request:
+ branches: [ "main" ]
+ paths-ignore:
+ - "**/*.md"
+ - ".rat-excludes"
+ - "LICENSE"
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ rat-scan:
+ name: Apache RAT Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: Cache Apache RAT
+ id: cache-rat
+ uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4.2.2
+ with:
+ path: apache-rat-0.17.jar
+ key: rat-0.17
+
+ - name: Download Apache RAT
+ if: steps.cache-rat.outputs.cache-hit != 'true'
+ run: |
+ curl -sL https://repo1.maven.org/maven2/org/apache/rat/apache-rat/0.17/apache-rat-0.17.jar -o apache-rat-0.17.jar
+
+ - name: Run Apache RAT Scan
+ run: |
+ # Use pre-installed Java to save time and API calls
+ java -jar apache-rat-0.17.jar --input-exclude-file .rat-excludes -- .
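Review bot: The `Download Apache RAT` step fetches the jar over the network and the `Run Apache RAT Scan` step executes it with `java -jar` without any integrity check, so whatever ends up in `apache-rat-0.17.jar` — from the download or from a cache entry restored under the fixed key `rat-0.17` — runs with the job's privileges. I'd verify a pinned digest in the run step so both paths are covered, with a line such as `echo "<PINNED_SHA256_OF_APACHE_RAT_0_17_JAR>  apache-rat-0.17.jar" | sha256sum -c -` placed before the `java -jar` line, the digest taken from the published Maven Central checksum or the ASF release signature and refreshed whenever the version is bumped. Separately, `curl -sL` without `-f` will happily write an HTTP error page into the jar on a 4xx/5xx response; `curl -fsSL` makes the download fail loudly instead. The job already runs with `contents: read` and `persist-credentials: false`, which limits the blast radius, but an unverified executable is still the weakest link in this workflow.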
diff --git a/.github/workflows/asf-allowlist-check.yml b/.github/workflows/asf-allowlist-check.yml
new file mode 100644
index 0000000..2eea9ad
--- /dev/null
+++ b/.github/workflows/asf-allowlist-check.yml
@@ -0,0 +1,49 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+name: "ASF Allowlist Check"
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches: ["main"]
+ paths:
+ - ".github/workflows/**"
+ push:
+ branches: ["**"]
+ paths:
+ - ".github/workflows/**"
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ asf-allowlist-check:
+ name: ASF Allowlist Check
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+
+ - name: ASF Allowlist Check
+ uses: apache/infrastructure-actions/allowlist-check@27e3be0410e5e9c79a8e9b145f76475cac4bb0a0 # main as of 2026-05-22
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..bd3ee4a
--- /dev/null
+++ b/.github/workflows/codeql.yml
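Review bot: Both triggers filter on `paths: - ".github/workflows/**"`, so a change that introduces or re-pins a third-party action in a composite action under `.github/actions/` (or any other location outside the workflows directory) would not re-run this check on the pull request that makes it; if the repository gains such files, the filter should be widened, e.g. to `- ".github/**"`. Pinning `apache/infrastructure-actions/allowlist-check` to a full commit SHA with the `# main as of 2026-05-22` note is the right call and makes the pin auditable. A small style point: this file and zizmor.yml write `branches: ["**"]` while apache-rat.yml writes `[ "**" ]` and codeql.yml uses single quotes; one quoting convention across the four workflows would make them easier to diff against each other.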
@@ -0,0 +1,83 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +name: 'CodeQL Advanced' + +on: + push: + branches: ['**'] + paths: + - '.github/workflows/**' + pull_request: + branches: ['main'] + paths: + - '.github/workflows/**' + schedule: + - cron: '40 11 * * 4' + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +env: + CODEQL_TELEMETRY_STATUS: false + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + security-events: write + packages: read + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: actions + build-mode: none + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Initialize CodeQL + uses: github/codeql-action/init@a65a038433a26f4363cf9f029e3b9ceac831ad5d # v3.28.10 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + - name: Run manual build steps + if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 
'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@a65a038433a26f4363cf9f029e3b9ceac831ad5d # v3.28.10 + with: + category: '/language:${{matrix.language}}' + # Minimize API usage: only upload SARIF for PRs or the main branch. + # Analysis still runs on other branches to catch syntax errors. + upload: ${{ github.event_name == 'pull_request' || github.ref == 'refs/heads/main' }} + diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..553ed8e --- /dev/null +++ b/.github/workflows/zizmor.yml 
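Review bot: The `Checkout repository` step in this workflow has no `persist-credentials: false`, unlike the checkout in every other workflow added by this commit, so the `GITHUB_TOKEN` stays in `.git/config` for the rest of the job; because the `analyze` job holds `security-events: write` and runs on pushes to every branch, I'd add `with:` / `persist-credentials: false` here as well (this is also the kind of finding the zizmor workflow added alongside may report). The `Run manual build steps` step, the `swift`/`macos-latest` runner expression and the `build-mode` matrix field are template leftovers: the only matrix entry is `language: actions` with `build-mode: none`, so the `if: matrix.build-mode == 'manual'` step can never run and can be dropped together with the runner conditional, leaving `runs-on: ubuntu-latest`. The `upload:` expression that restricts SARIF upload to pull requests and `main` is a reasonable way to keep the `security-events` write path narrow; the comment above it already explains why.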
@@ -0,0 +1,61 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["**"]
+ paths:
+ - ".github/workflows/**"
+ pull_request:
+ branches: ["main"]
+ paths:
+ - ".github/workflows/**"
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ advanced-security: false
+ min-severity: medium
+ min-confidence: medium
+ # Disabling online audits resolves 403 Forbidden errors and saves API rate limits.
+ # Sensitive audits like 'impostor-commit' are covered by the ASF Allowlist Check.
+ online-audits: false
diff --git a/Readme.md b/Readme.md
index e11c8d8..bc29207 100644
--- a/Readme.md
+++ b/Readme.md
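Review bot: `permissions:` is declared twice with the same grant — `contents: read` and `security-events: write` at the workflow level and again on the `zizmor` job — so one of them is redundant, and since a workflow-level grant also applies to any job added later, the top-level block is the one to drop; keep the job-level block only. With `advanced-security: false` the action, as I read its inputs, does not upload SARIF to code scanning, so `security-events: write` is probably unnecessary too and the job could run with `contents: read` alone — worth confirming against the action's documentation for the pinned v0.5.3 before removing it. The checkout here is pinned to `actions/checkout` v6.0.2 while apache-rat.yml, asf-allowlist-check.yml and codeql.yml pin v4.2.2 in the same commit; aligning them now avoids separate Dependabot bumps and keeps the allowlist footprint to a single commit SHA.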
@@ -1,3 +1,22 @@ +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> + Fineract Loan Origination Initialized in May 2026 as part of a GSOC project.
