From d48630cf2aefe7b9350659341465293147ab5b09 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Mon, 15 Dec 2025 23:18:05 +0530 Subject: [PATCH 01/24] added config to run bundle install to generate lock file at runtime Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index c63d99f3..cb85fc32 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -7,9 +7,9 @@ name: CI Pull Request on Main Branch on: pull_request: - branches: [ main, release/** ] + branches: [ nikhil/generate-lock-runtime, release/** ] push: - branches: [ main, release/** ] + branches: [ nikhil/generate-lock-runtime, release/** ] workflow_dispatch: @@ -29,7 +29,7 @@ jobs: echo "CI main pull request stub version $STUB_VERSION" call-ci-main-pr-check-pipeline: - uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main + uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@nikhil/create-lock-file-runtime secrets: inherit permissions: id-token: write @@ -98,7 +98,9 @@ jobs: blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product' blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name generate-blackduck-sbom: true # obsolete, use perform-blackduck-sca-scan instead - + + run-bundle-install: true + generate-msft-sbom: false license_scout: false # Run license scout for license compliance (uses .license_scout.yml) From 5c9b92237cf0e00faf9d71a57e40087613c106ab Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Mon, 15 Dec 2025 23:31:32 +0530 Subject: [PATCH 02/24] empty commit to run scans 
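Review bot: Both `branches:` filters in the `on:` block now name only `nikhil/generate-lock-runtime` and `release/**`, so from this commit on, pushes and pull requests targeting `main` no longer start this pipeline or its scans. `workflow_dispatch:` is already declared at the end of this hunk and should allow a run against the feature branch without editing the filters. If the filters do have to change for a test, mark them, e.g. `# TEMPORARY: restore main before merge`. Patch 21 later restores `main`, but any intermediate commit that lands elsewhere carries the narrowed trigger.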
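Review bot: The new `uses:` ref in `call-ci-main-pr-check-pipeline` points at a personal feature branch, `@nikhil/create-lock-file-runtime`, in a job that also sets `secrets: inherit` and `id-token: write`. A branch ref is mutable, so any later push to that branch runs here with the inherited secrets and the ability to request an OIDC token, with no change in this repository to review. Pin the call to a reviewed commit instead, e.g. `uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@FULL_COMMIT_SHA  # create-lock-file-runtime`, where FULL_COMMIT_SHA is a placeholder for the 40-character commit id. Patch 21 restores the `main` triggers while this ref is still in place (it only shows up as a removed line in patch 24), so the exposure is not limited to the test branch. The job's `with:` block continues outside the hunk.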
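Review bot: `run-bundle-install: true` is added among the SBOM inputs without a trailing comment, unlike every neighbouring input. Going by the commit subject, it generates the lock file during the CI run. If that is what the called workflow does, the BlackDuck SCA scan and the exported SBOM describe whatever Bundler resolves on that run rather than a committed `Gemfile.lock`, so findings can differ between runs of the same commit. Suggest documenting that on the line, e.g. `run-bundle-install: true # resolves Gemfile.lock during the run; scan and SBOM reflect that resolution`, and consider keeping the generated lock file as a job artifact next to the SBOM. The hunk also swaps one separator line for two blank lines around the new key; a single blank line would match the rest of the block.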
Signed-off-by: nikhil2611 From 132970869ebaf87e48416526b6a9c4afcc10b68a Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Mon, 15 Dec 2025 23:38:10 +0530 Subject: [PATCH 03/24] updated version Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index cb85fc32..24778313 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -40,7 +40,7 @@ jobs: # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/* # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest" - version: '6.1.13' # ${{ github.event.repository.version }} + version: '6.1.14' # ${{ github.event.repository.version }} detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release" detect-version-source-parameter: '' # use for file name language: 'ruby' # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting @@ -72,7 +72,7 @@ jobs: # perform SonarQube scan, with or wihout unit test coverage data # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com) - perform-sonarqube-scan: false + perform-sonarqube-scan: true # perform-sonar-build: true # build-profile: 'default' # report-unit-test-coverage: true From 55cd3660ed206b562fbafcbac690855d2d0dfc34 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 00:01:41 +0530 Subject: [PATCH 04/24] setting build to true Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index 24778313..9bc95dde 100644 
--- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -65,7 +65,7 @@ jobs: polaris-executable-detect-path: 'path/to/detect' # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language - build: false + build: true # ga-build-profile: $chef-ga-build-profile # language: $chef-ga-build-language # this will be removed from stub as autodetected in central GA unit-tests: false From 50c4f41e3519e6f6c683031e7b16304ede6f1fbb Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 00:09:27 +0530 Subject: [PATCH 05/24] empty commit to run scans Signed-off-by: nikhil2611 From bc6f0d49a16f0f956d24e62e68e3ab27f70423d6 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 00:13:27 +0530 Subject: [PATCH 06/24] empty commit to run scans Signed-off-by: nikhil2611 From a83e0b4bd0b4790399c2565c3d2914fed8cccabc Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 00:24:21 +0530 Subject: [PATCH 07/24] empty commit to run scans Signed-off-by: nikhil2611 From d557c6e9eaafee4bba16ff7affe069bc2267616a Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 13:56:39 +0530 Subject: [PATCH 08/24] empty commit to run scans Signed-off-by: nikhil2611 From 1259311b4ba63bdcd0ba37d9a3a4c82901452865 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 14:35:37 +0530 Subject: [PATCH 09/24] empty commit to run scans Signed-off-by: nikhil2611 From 1629afa3807ee743d5277d467e391cff82ac0c8f Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 14:41:39 +0530 Subject: [PATCH 10/24] empty commit to run scans Signed-off-by: nikhil2611 From 60301a8b3cc19281fafb58da710dd9f267a7d473 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 16:05:47 +0530 Subject: [PATCH 11/24] testing build by setting flag false 
Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index 9bc95dde..3c37476e 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -99,7 +99,7 @@ jobs: blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name generate-blackduck-sbom: true # obsolete, use perform-blackduck-sca-scan instead - run-bundle-install: true + run-bundle-install: false generate-msft-sbom: false license_scout: false # Run license scout for license compliance (uses .license_scout.yml) From 6f1bbe6211b52ee1f6378512c0d5486b0be890a1 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 16 Dec 2025 16:13:02 +0530 Subject: [PATCH 12/24] testing build by setting flag true Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index 3c37476e..9bc95dde 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -99,7 +99,7 @@ jobs: blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name generate-blackduck-sbom: true # obsolete, use perform-blackduck-sca-scan instead - run-bundle-install: false + run-bundle-install: true generate-msft-sbom: false license_scout: false # Run license scout for license compliance (uses .license_scout.yml) From 85deae1354eac5fd3bf7e6be0f762b247d02ba64 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Mon, 19 Jan 2026 17:46:12 +0530 Subject: [PATCH 13/24] updated chef-cli version to v6.1.16 
Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index 9bc95dde..5624305c 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -40,7 +40,7 @@ jobs: # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/* # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest" - version: '6.1.14' # ${{ github.event.repository.version }} + version: '6.1.16' # ${{ github.event.repository.version }} detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release" detect-version-source-parameter: '' # use for file name language: 'ruby' # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting From 4637cf6d845b8cbb3f175d7c187f39bcabfe851c Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 20 Jan 2026 17:06:01 +0530 Subject: [PATCH 14/24] setting build to false to check scan Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index 5624305c..d1261f8c 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml 
@@ -65,7 +65,7 @@ jobs: polaris-executable-detect-path: 'path/to/detect' # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language - build: true + build: false # ga-build-profile: $chef-ga-build-profile # language: $chef-ga-build-language # this will be removed from stub as autodetected in central GA unit-tests: false From cc8e707c8acdfd08893296bc04a6941fc35f7adf Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Tue, 20 Jan 2026 17:14:20 +0530 Subject: [PATCH 15/24] revereted build back to false bec sbom scan is not happening Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index d1261f8c..5624305c 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -65,7 +65,7 @@ jobs: polaris-executable-detect-path: 'path/to/detect' # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language - build: false + build: true # ga-build-profile: $chef-ga-build-profile # language: $chef-ga-build-language # this will be removed from stub as autodetected in central GA unit-tests: false From 2eb13348786e6edc240a12264394c8f8dfbc5be5 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Thu, 22 Jan 2026 11:58:46 +0530 Subject: [PATCH 16/24] updating the group name to chef-chef-cli as chef-cli group fails to generate NOTICE in sbominator Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index 5624305c..3b7cab97 100644 
--- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -96,7 +96,7 @@ jobs: export-github-sbom: true # SPDX JSON artifact on job instance perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product' - blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name + blackduck-project-name: chef-chef-cli # BlackDuck project name, typically the repository name - using chef-chef-cli as using 'chef-cli' a name in sbominator fails to generate the notice file with invalid group error generate-blackduck-sbom: true # obsolete, use perform-blackduck-sca-scan instead run-bundle-install: true From 8b1cde3dea67f384e13ae1485905ce78ffbcf841 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Thu, 22 Jan 2026 12:33:32 +0530 Subject: [PATCH 17/24] updated version and also group names Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index 3b7cab97..ca7a068f 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml 
@@ -40,7 +40,7 @@ jobs: # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/* # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest" - version: '6.1.16' # ${{ github.event.repository.version }} + version: '6.1.17' # ${{ github.event.repository.version }} detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release" detect-version-source-parameter: '' # use for file name language: 'ruby' # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting @@ -60,9 +60,9 @@ jobs: # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN perform-blackduck-polaris: true polaris-application-name: "Chef-Agents" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product - polaris-project-name: ${{ github.event.repository.name }} - polaris-blackduck-executable: 'path/to/blackduck/binary' - polaris-executable-detect-path: 'path/to/detect' + polaris-project-name: 'chef-chef-cli' + # polaris-blackduck-executable: 'path/to/blackduck/binary' + # polaris-executable-detect-path: 'path/to/detect' # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language build: true 
@@ -79,8 +79,7 @@ jobs: # report to central developer dashboard report-to-atlassian-dashboard: false - quality-product-name: 'Chef-Agents' # product name for quality reporting, like Chef360, Courier, Inspec - # quality-product-name: ${{ github.event.repository.name }} # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec + quality-product-name: 'chef-chef-cli' # product name for quality reporting, like Chef360, Courier, Inspec # quality-sonar-app-name: 'YourSonarAppName' # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security # quality-service-name: 'YourServiceOrRepoName' From c6e3810931fadd9bfb9d310cad2187c916294d09 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Thu, 22 Jan 2026 12:48:39 +0530 Subject: [PATCH 18/24] updated back to chef-cli Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index ca7a068f..58a3a985 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -60,7 +60,7 @@ jobs: # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN perform-blackduck-polaris: true polaris-application-name: "Chef-Agents" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product - polaris-project-name: 'chef-chef-cli' + polaris-project-name: 'chef-cli' # polaris-blackduck-executable: 'path/to/blackduck/binary' # polaris-executable-detect-path: 'path/to/detect' 
@@ -79,7 +79,7 @@ jobs: # report to central developer dashboard report-to-atlassian-dashboard: false - quality-product-name: 'chef-chef-cli' # product name for quality reporting, like Chef360, Courier, Inspec + quality-product-name: 'chef-cli' # product name for quality reporting, like Chef360, Courier, Inspec # quality-sonar-app-name: 'YourSonarAppName' # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security # quality-service-name: 'YourServiceOrRepoName' From f67b20ab38c534fd73dfc22d579d6dec329cf514 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Thu, 22 Jan 2026 15:12:40 +0530 Subject: [PATCH 19/24] updated back to chef-cli Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index 58a3a985..fbedfcf2 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -95,7 +95,7 @@ jobs: export-github-sbom: true # SPDX JSON artifact on job instance perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product' - blackduck-project-name: chef-chef-cli # BlackDuck project name, typically the repository name - using chef-chef-cli as using 'chef-cli' a name in sbominator fails to generate the notice file with invalid group error + blackduck-project-name: chef-cli # BlackDuck project name, typically the repository name - using chef-chef-cli as using 'chef-cli' a name in sbominator fails to generate the notice file with invalid group error generate-blackduck-sbom: true # obsolete, use perform-blackduck-sca-scan instead run-bundle-install: true 
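Review bot: The trailing comment on `blackduck-project-name` in patch 19's `@@ -95,7 +95,7 @@` hunk still reads "using chef-chef-cli as using 'chef-cli' a name in sbominator fails to generate the notice file", although this hunk sets the value back to `chef-cli`. The comment now contradicts the value it annotates. Trim it to `# BlackDuck project name, typically the repository name`, or state the reason for the current value. The same stale text is carried through the `@@ -95,7 +95,7 @@` hunk of patch 20, where the value becomes `${{ github.event.repository.name }}`. The value here is also the only unquoted literal among the neighbouring inputs; `'chef-cli'` would match them.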
From 82a5a95abfa469a21b2fa0bd0501fde6243f7d34 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Fri, 23 Jan 2026 14:57:44 +0530 Subject: [PATCH 20/24] update product name Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index fbedfcf2..da7ad0f9 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -60,7 +60,7 @@ jobs: # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN perform-blackduck-polaris: true polaris-application-name: "Chef-Agents" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product - polaris-project-name: 'chef-cli' + polaris-project-name: ${{ github.event.repository.name }} # polaris-blackduck-executable: 'path/to/blackduck/binary' # polaris-executable-detect-path: 'path/to/detect' @@ -79,7 +79,7 @@ jobs: # report to central developer dashboard report-to-atlassian-dashboard: false - quality-product-name: 'chef-cli' # product name for quality reporting, like Chef360, Courier, Inspec + quality-product-name: ${{ github.event.repository.name }} # product name for quality reporting, like Chef360, Courier, Inspec # quality-sonar-app-name: 'YourSonarAppName' # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security # quality-service-name: 'YourServiceOrRepoName' 
@@ -95,7 +95,7 @@ jobs: export-github-sbom: true # SPDX JSON artifact on job instance perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product' - blackduck-project-name: chef-cli # BlackDuck project name, typically the repository name - using chef-chef-cli as using 'chef-cli' a name in sbominator fails to generate the notice file with invalid group error + blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name - using chef-chef-cli as using 'chef-cli' a name in sbominator fails to generate the notice file with invalid group error generate-blackduck-sbom: true # obsolete, use perform-blackduck-sca-scan instead run-bundle-install: true From 15540e2898433655a8d34ce037b509e0ab48f599 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Wed, 28 Jan 2026 18:01:41 +0530 Subject: [PATCH 21/24] update branch back to main Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index da7ad0f9..8b25d432 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -7,9 +7,9 @@ name: CI Pull Request on Main Branch on: pull_request: - branches: [ nikhil/generate-lock-runtime, release/** ] + branches: [ main, release/** ] push: - branches: [ nikhil/generate-lock-runtime, release/** ] + branches: [ main, release/** ] workflow_dispatch: From 7701e392cc106d06b30d52220d38f3996ace3138 Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Wed, 28 Jan 2026 18:04:53 +0530 Subject: [PATCH 22/24] updated chef-cli version to 6.1.8 
Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index 8b25d432..4f2b484e 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml @@ -40,7 +40,7 @@ jobs: # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/* # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest" - version: '6.1.17' # ${{ github.event.repository.version }} + version: '6.1.18' # ${{ github.event.repository.version }} detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release" detect-version-source-parameter: '' # use for file name language: 'ruby' # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting From f7b3c0ba204c388a5d2e8efb28eb7799d4d8645b Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Thu, 29 Jan 2026 23:31:17 +0530 Subject: [PATCH 23/24] updated chef-cli version to 6.1.20 in stub Signed-off-by: nikhil2611 --- .github/workflows/ci-main-pull-request-stub.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/ci-main-pull-request-stub.yml index 4f2b484e..7690e660 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/ci-main-pull-request-stub.yml 
@@ -40,7 +40,7 @@ jobs: # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/* # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest" - version: '6.1.18' # ${{ github.event.repository.version }} + version: '6.1.20' # ${{ github.event.repository.version }} detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release" detect-version-source-parameter: '' # use for file name language: 'ruby' # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting From 79d1894c5eed068aef1e76a563b173493dbc148e Mon Sep 17 00:00:00 2001 From: nikhil2611 Date: Wed, 4 Feb 2026 12:14:28 +0530 Subject: [PATCH 24/24] moving stub version 1.0.5 to archived and adding new stub 1.0.7 with additional config to to generate lock file at runtime Signed-off-by: nikhil2611 --- .../ci-main-pull-request-stub.yml | 21 ++- .../ci-main-pull-request-stub-1.0.7.yml | 161 ++++++++++++++++++ 2 files changed, 171 insertions(+), 11 deletions(-) rename .github/workflows/{ => archived}/ci-main-pull-request-stub.yml (88%) create mode 100644 .github/workflows/ci-main-pull-request-stub-1.0.7.yml diff --git a/.github/workflows/ci-main-pull-request-stub.yml b/.github/workflows/archived/ci-main-pull-request-stub.yml similarity index 88% rename from .github/workflows/ci-main-pull-request-stub.yml rename to .github/workflows/archived/ci-main-pull-request-stub.yml index 7690e660..c63d99f3 100644 --- a/.github/workflows/ci-main-pull-request-stub.yml +++ b/.github/workflows/archived/ci-main-pull-request-stub.yml 
@@ -29,7 +29,7 @@ jobs: echo "CI main pull request stub version $STUB_VERSION" call-ci-main-pr-check-pipeline: - uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@nikhil/create-lock-file-runtime + uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main secrets: inherit permissions: id-token: write @@ -40,7 +40,7 @@ jobs: # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/* # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest" - version: '6.1.20' # ${{ github.event.repository.version }} + version: '6.1.13' # ${{ github.event.repository.version }} detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release" detect-version-source-parameter: '' # use for file name language: 'ruby' # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting 
@@ -61,25 +61,26 @@ jobs: perform-blackduck-polaris: true polaris-application-name: "Chef-Agents" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product polaris-project-name: ${{ github.event.repository.name }} - # polaris-blackduck-executable: 'path/to/blackduck/binary' - # polaris-executable-detect-path: 'path/to/detect' + polaris-blackduck-executable: 'path/to/blackduck/binary' + polaris-executable-detect-path: 'path/to/detect' # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language - build: true + build: false # ga-build-profile: $chef-ga-build-profile # language: $chef-ga-build-language # this will be removed from stub as autodetected in central GA unit-tests: false # perform SonarQube scan, with or wihout unit test coverage data # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com) - perform-sonarqube-scan: true + perform-sonarqube-scan: false # perform-sonar-build: true # build-profile: 'default' # report-unit-test-coverage: true # report to central developer dashboard report-to-atlassian-dashboard: false - quality-product-name: ${{ github.event.repository.name }} # product name for quality reporting, like Chef360, Courier, Inspec + quality-product-name: 'Chef-Agents' # product name for quality reporting, like Chef360, Courier, Inspec + # quality-product-name: ${{ github.event.repository.name }} # like 'Chef-360' - the product name for quality reporting, like Chef360, Courier, Inspec # quality-sonar-app-name: 'YourSonarAppName' # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security # quality-service-name: 'YourServiceOrRepoName' 
@@ -95,11 +96,9 @@ jobs: export-github-sbom: true # SPDX JSON artifact on job instance perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product' - blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name - using chef-chef-cli as using 'chef-cli' a name in sbominator fails to generate the notice file with invalid group error + blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name generate-blackduck-sbom: true # obsolete, use perform-blackduck-sca-scan instead - - run-bundle-install: true - + generate-msft-sbom: false license_scout: false # Run license scout for license compliance (uses .license_scout.yml) diff --git a/.github/workflows/ci-main-pull-request-stub-1.0.7.yml b/.github/workflows/ci-main-pull-request-stub-1.0.7.yml new file mode 100644 index 00000000..97ceb100 --- /dev/null +++ b/.github/workflows/ci-main-pull-request-stub-1.0.7.yml 
@@ -0,0 +1,161 @@ +# stub to call common GitHub Action (GA) as part of Continuous Integration (CI) Pull Request process checks for main branch +# inputs are described in the chef/common-github-actions/ with same name as this stub +# +# secrets are inherited from the calling workflow, typically SONAR_TOKEN, SONAR_HOST_URL, GH_TOKEN, AKEYLESS_JWT_ID, POLARIS_SERVER_URL and POLARIS_ACCESS_TOKEN + +name: CI Pull Request on Main Branch + +on: + pull_request: + branches: [ main, release/** ] + push: + branches: [ main, release/** ] + + workflow_dispatch: + +permissions: + contents: read + +env: + STUB_VERSION: "1.0.7" + +jobs: + echo_version: + name: 'Echo stub version' + runs-on: ubuntu-latest + steps: + - name: echo version of stub and inputs + run: | + echo "CI main pull request stub version $STUB_VERSION" + + detect-custom-metadata: + name: 'Detect custom properties' + runs-on: ubuntu-latest + outputs: + primaryApp: ${{ steps.set-custom-metadata.outputs.primaryApplication }} + appBuildLanguage: ${{ steps.set-custom-metadata.outputs.applicationBuildLanguage }} + appBuildProfile: ${{ steps.set-custom-metadata.outputs.applicationBuildProfile }} + steps: + - name: 'Detect app, language, and build profile environment variables from repository custom properties' + id: set-custom-metadata + # GH API returns something like [{"property_name":"GABuildLanguage","value":"go"},{"property_name":"GABuildProfile","value":"cli"},{"property_name":"primaryApplication","value":"chef-360"}]' + run: | + response=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/${{ github.repository }}/properties/values) + + primaryApplication=$(echo "$response" | jq -r '.[] | select(.property_name=="primaryApplication") | .value') + GABuildLanguage=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildLanguage") | .value') + GABuildProfile=$(echo "$response" | jq -r '.[] | select(.property_name=="GABuildProfile") | .value') + + echo "PRIMARY APP... 
$primaryApplication" + echo "BUILD LANG... $GABuildLanguage" + echo "BUILD PROFILE... $GABuildProfile" + + echo "PRIMARY_APPLICATION=$primaryApplication" >> $GITHUB_ENV + echo "GA_BUILD_LANGUAGE=$GABuildLanguage" >> $GITHUB_ENV + echo "GA_BUILD_PROFILE=$GABuildProfile" >> $GITHUB_ENV + + # If workflow_dispatch, use inputs (left), if other trigger, use default env (right) + # echo "::set-output name=build-and-verify::${{ github.event.inputs.build-and-verify || 'true' }}" + echo "::set-output name=primaryApplication::$primaryApplication" + echo "::set-output name=applicationBuildLanguage::$GABuildLanguage" + echo "::set-output name=applicationBuildProfile::$GABuildProfile" + continue-on-error: true + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + call-ci-main-pr-check-pipeline: + uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@main + needs: detect-custom-metadata + secrets: inherit + permissions: + id-token: write + contents: read + + with: + application: ${{ needs.detect-custom-metadata.outputs.primaryApp }} + visibility: ${{ github.event.repository.visibility }} # private, public, or internal + # go-private-modules: GOPRIVATE for Go private modules, default is 'github.com/progress-platform-services/* + + # if version specified, it takes precedence; can be a semver like 1.0.2-xyz or a tag like "latest" + version: '6.1.21' # ${{ github.event.repository.version }} + detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release" + detect-version-source-parameter: '' # use for file name + language: ${{ needs.detect-custom-metadata.outputs.appBuildLanguage }} # Go, Ruby, Rust, JavaScript, TypeScript, Python, Java, C#, PHP, other - used for build and SonarQube language setting + + # complexity-checks, linting, trufflehog and trivy + perform-complexity-checks: true + # scc-output-filename: 'scc-output.txt' + perform-language-linting: false # Perform language-specific linting and 
pre-compilation checks + perform-trufflehog-scan: true + perform-trivy-scan: true + + # perform application build and unit testing, will use custom repository properties when implemented for chef-primary-application, chef-build-profile, and chef-build-language + build: true + build-profile: ${{ needs.detect-custom-metadata.outputs.appBuildProfile }} + unit-tests: false + unit-test-output-path: "path/to/file.out" + unit-test-command-override: "" + + # BlackDuck SAST (Polaris) require a build or binary present in repo to do SAST testing + # requires these secrets: POLARIS_SERVER_URL, POLARIS_ACCESS_TOKEN + perform-blackduck-polaris: false + polaris-application-name: "Chef-Agents" # one of these: Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Other, Chef-Non-Product + polaris-project-name: ${{ github.event.repository.name }} # arch-sample-cli + polaris-working-directory: '.' # Working directory for the scan, defaults to . but usually lang-dependent like ./src + polaris-coverity-build-command: 'go build -o bin/chef-cli.exe' # Coverity build command, typically done in build stage by language or here as param 1-liner like "mvn clean install" + polaris-coverity-clean-command: 'go clean' # Coverity clean command, typically done before build stage by language or here as param 1-liner like "mvn clean" + polaris-detect-search-depth: '5' # Detect search depth, blank but can be set to "3" to search up to 3 levels of subdirectories for code to scan' + polaris-assessment-mode: 'SAST' # Assessment mode (SAST, CI or SOURCE_UPLOAD) + wait-for-scan: true + # polaris-detect-args: '' # Additional Detect arguments, can supply extra arguments like "--detect.diagnostic=true" + # coverity_build_command: "go build" + # coverity_clean_command: "go clean" + # polaris-config-path: '' # Path to Detect configuration file, typically a file supplied at root level like ./detect-config.yml + # polaris-coverity-config-path: '' # Path to 
Coverity configuration file, typically a file supplied at root level like ./coverity.yml + # polaris-coverity-args: '' # Additional Coverity arguments,can supply extra arguments like "--config-override capture.build.build-command=make + + # perform SonarQube scan, with or without unit test coverage data + # requires secrets SONAR_TOKEN and SONAR_HOST_URL (progress.sonar.com) + perform-sonarqube-scan: true + # perform-sonar-build: true + # build-profile: 'default' + # report-unit-test-coverage: true + perform-docker-scan: false # scan Dockerfile and built images with Docker Scout or Trivy; see repo custom properties matching "container" + + # report to central developer dashboard + report-to-atlassian-dashboard: false + quality-product-name: ${{ github.event.repository.name }} # product name for quality reporting, like Chef360, Courier, Inspec + # quality-sonar-app-name: 'YourSonarAppName' + # quality-testing-type: 'Integration' like Unit, Integration, e2e, api, Performance, Security + # quality-service-name: 'YourServiceOrRepoName' + # quality-junit-report: 'path/to/junit/report'' + + # perform Habitat-based and native packaging, publish to package repositories + package-binaries: false # Package binaries (e.g., RPM, DEB, MSI, dpkg + signing + SHA) + habitat-build: false # Create Habitat packages + publish-habitat-packages: false # Publish Habitat packages to Builder + publish-habitat-hab_package: false # Chef Habitat package to install (e.g., core/nginx) + publish-habitat-hab_version: "1.0.0" # Chef Habitat package version (optional) + publish-habitat-hab_release: "20240101010101" # Chef Habitat package release (optional) + publish-habitat-hab_channel: "stable" # Chef Habitat package channel (e.g., stable, base, base-2025); default is stable + publish-habitat-hab_auth_token: "" # Chef Habitat Builder authentication token (uses secret if not provided) + publish-habitat-runner_os: "ubuntu-latest" # OS runner for Habitat package publishing job, can also be 
windows-latest + habitat-grype-scan: false # Scan built Habitat packages with Grype for vulnerabilities + publish-packages: false # Publish packages (e.g., container from Dockerfile to ECR, go-releaser binary to releases page, omnibus to artifactory, gems, choco, homebrew, other app stores) + + # generate and export Software Bill of Materials (SBOM) in various formats + generate-sbom: true + export-github-sbom: true # SPDX JSON artifact on job instance + generate-msft-sbom: false + license_scout: false # Run license scout for license compliance (uses .license_scout.yml) + + # perform Blackduck software composition analysis (SCA) for 3rd party CVEs, licensing, and operational risk + perform-blackduck-sca-scan: true # combined with generate sbom & generate github-sbom, also needs version above + blackduck-project-group-name: 'Chef-Agents' # typically one of (Chef), Chef-Agents, Chef-Automate, Chef-Chef360, Chef-Habitat, Chef-Infrastructure-Server, Chef-Shared-Services, Chef-Non-Product' + blackduck-project-name: ${{ github.event.repository.name }} # BlackDuck project name, typically the repository name + + run-bundle-install: true + + # udf1: 'default' # user defined flag 1 + # udf2: 'default' # user defined flag 2 + # udf3: 'default' # user defined flag 3 \ No newline at end of file
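Review bot: The `call-ci-main-pr-check-pipeline` job calls the reusable workflow at the mutable ref `@main` while granting it `secrets: inherit` and `id-token: write`, so whatever lands on that branch runs with all secrets available to this workflow and can request an OIDC token. Pinning the call to a reviewed commit, `uses: chef/common-github-actions/.github/workflows/ci-main-pull-request.yml@<full-commit-sha>`, makes every update an explicit, reviewable change. If the called workflow declares its secrets, passing only the ones named in the header comment instead of `inherit` would narrow the exposure further. Separately, the `detect-custom-metadata` step writes its outputs with the deprecated `::set-output` command and is marked `continue-on-error: true`, so a failed lookup silently passes empty `application`, `language` and `build-profile` values downstream. The current form for the outputs is `echo "primaryApplication=$primaryApplication" >> "$GITHUB_OUTPUT"`.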