diff --git a/.github/workflows/build-recommendation-object.yml b/.github/workflows/build-recommendation-object.yml
index 16d6ee4e..5d5bb435 100644
--- a/.github/workflows/build-recommendation-object.yml
+++ b/.github/workflows/build-recommendation-object.yml
@@ -3,28 +3,54 @@ name: Nightly Recommendation Object Build on: schedule: - cron: "0 0 * * *" - -permissions: - contents: write + workflow_dispatch: {} jobs: build: runs-on: ubuntu-latest - steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4.2.0 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: ref: main + - name: Configure Git + run: | + git config --global user.name 'github-actions[bot]' + git config --global user.email 'github-actions[bot]@users.noreply.github.com' + shell: bash + + - name: Create and Switch to New Branch + run: | + git checkout -b json-object-update + shell: bash + - name: Run Recommendation Object Builder run: | pwsh .github/scripts/build-recommendation-object.ps1 - name: Commit and push changes run: | - git config --global user.name 'github-actions[bot]' - git config --global user.email 'github-actions[bot]@users.noreply.github.com' git add ./tools/data/recommendations.json git commit -m "Update recommendations.json" git push + + - name: Create PR + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh pr create --title "chore: Update APRL JSON Object" --body "This PR updates the single JSON object for all APRL recommendations." --base main --head json-object-update + shell: bash + + - name: Merge PR + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + pr_number=$(gh pr list --state open --limit 1 --json number --jq '.[0].number') + gh pr merge $pr_number --merge + shell: bash 
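Review bot: The `Merge PR` step merges whatever `gh pr list --state open --limit 1` returns first, which is not necessarily the PR created in the previous step, so an unrelated open PR can be merged by the bot; capture the URL that `gh pr create` prints and hand that to `gh pr merge` instead. `git push` on the freshly created `json-object-update` branch has no upstream and fails under git's default `push.default=simple`; use `git push --set-upstream origin json-object-update`. The workflow-level `permissions: contents: write` is removed and nothing replaces it, yet the job pushes, opens and merges a PR with `secrets.GITHUB_TOKEN`; unless the repository's default token permissions are permissive these steps need job-level `contents: write` and `pull-requests: write`. The file's `name:` header lies outside the hunk. The rewritten tail of the job is below.
```yaml
  build:
    permissions:
      contents: write
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      # … unchanged: Harden Runner, Checkout, Configure Git, branch creation, builder …
      - name: Commit and push changes
        run: |
          git add ./tools/data/recommendations.json
          git commit -m "Update recommendations.json"
          git push --set-upstream origin json-object-update

      - name: Create PR
        id: create_pr
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          pr_url=$(gh pr create --title "chore: Update APRL JSON Object" --body "This PR updates the single JSON object for all APRL recommendations." --base main --head json-object-update)
          echo "pr_url=${pr_url}" >> "$GITHUB_OUTPUT"
        shell: bash

      - name: Merge PR
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_URL: ${{ steps.create_pr.outputs.pr_url }}
        run: |
          gh pr merge "$PR_URL" --merge
        shell: bash
```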
diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index f217c9ef..30f6a8da 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -11,22 +11,26 @@ on: permissions: contents: read packages: read - # To report GitHub Actions status checks - statuses: write jobs: lint: + permissions: + statuses: write name: Lint code base runs-on: ubuntu-latest - steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@v4.2.0 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: fetch-depth: 0 - name: Run github/super-linter - uses: github/super-linter@v7 + uses: github/super-linter@b807e99ddd37e444d189cfd2c2ca1274d8ae8ef1 # v7 env: VALIDATE_ALL_CODEBASE: false # Need to define main branch as default is set to master in super-linter
@@ -46,15 +50,19 @@ jobs: markdown_link_check: name: Markdown Link Check runs-on: ubuntu-latest - steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout code - uses: actions/checkout@main + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # main with: fetch-depth: 0 - name: Check links in markdown files - uses: gaurav-nelson/github-action-markdown-link-check@1.0.15 + uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15 with: config-file: ".github/linters/mlc_config.json" use-verbose-mode: "yes"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
new file mode 100644
index 00000000..2350d2af
--- /dev/null
+++ b/.github/workflows/dependency-review.yml 
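Review bot: In the `markdown_link_check` job the new pin `actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # main` labels the SHA with a branch name, while dependency-review.yml labels the very same SHA `# v4.2.1` and every other workflow in this commit pins `d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0`. Version-bump tooling such as Renovate reads that trailing comment to work out the current version, so a branch label here leaves the pin without a recognisable version and the repository on two different checkout revisions at once. Use the release label and a single revision across the repo, e.g. `uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1`. Moving `statuses: write` from workflow scope onto the `lint` job in the first hunk looks right.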
@@ -0,0 +1,28 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
diff --git a/.github/workflows/hugo-build-pr-check.yml b/.github/workflows/hugo-build-pr-check.yml
index 806ef656..95f266e8 100644
--- a/.github/workflows/hugo-build-pr-check.yml
+++ b/.github/workflows/hugo-build-pr-check.yml
@@ -17,21 +17,25 @@ on: # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: contents: read - pages: write - id-token: write - # Default to bash defaults: run: shell: bash jobs: - # Build PR job buildpr: + permissions: + pages: write + id-token: write runs-on: ubuntu-latest env: HUGO_VERSION: 0.124.1 steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Install Hugo CLI run: | wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \ 
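Review bot: `pages: write` and `id-token: write` are moved onto `buildpr`, a job that in this hunk only installs Hugo and, in the next hunk, checks out and runs `actions/configure-pages`; no deploy step is visible, so if this workflow is triggered by pull requests (the `on:` block is outside the hunk) those two grants look broader than a build check needs, and `id-token: write` hands every PR build an OIDC token it never exchanges. Confirm which permission `configure-pages` actually requires for this repository and grant only that. Separately, the `Install Hugo CLI` step fetches the `.deb` with `wget` and installs it with no integrity check; pinning the expected digest between download and install, e.g. `echo "<EXPECTED_SHA256_PLACEHOLDER>  ${{ runner.temp }}/hugo.deb" | sha256sum --check`, would close the one supply-chain gap this otherwise hardening-focused commit leaves open. The `Install Hugo CLI` step continues past the end of the hunk.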
@@ -41,14 +45,14 @@ jobs: run: sudo snap install dart-sass-embedded - name: Checkout - uses: actions/checkout@v4.2.0 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: submodules: recursive fetch-depth: 0 - name: Setup Pages id: pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 - name: Install Node.js dependencies run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
diff --git a/.github/workflows/hugo-site-build.yml b/.github/workflows/hugo-site-build.yml
index dc453f62..08fa3147 100644
--- a/.github/workflows/hugo-site-build.yml
+++ b/.github/workflows/hugo-site-build.yml
@@ -20,11 +20,8 @@ on: # Allows you to run this workflow manually from the Actions tab workflow_dispatch: {} -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: contents: read - pages: write - id-token: write # Allow one concurrent deployment concurrency:
@@ -43,6 +40,11 @@ jobs: env: HUGO_VERSION: 0.124.1 steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Install Hugo CLI run: | wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \ 
@@ -52,19 +54,19 @@ jobs: run: sudo snap install dart-sass-embedded - name: Checkout - uses: actions/checkout@v4.2.0 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: submodules: recursive fetch-depth: 0 - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: "3.12" # install the python version needed - name: Setup Pages id: pages - uses: actions/configure-pages@v5 + uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0 - name: Install Node.js dependencies run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
@@ -82,12 +84,15 @@ jobs: working-directory: . - name: Upload artifact - uses: actions/upload-pages-artifact@v3 + uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1 with: path: ./public # Deployment job deploy: + permissions: + pages: write + id-token: write environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }}
@@ -95,6 +100,11 @@ jobs: needs: build if: github.ref == 'refs/heads/main' steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v4 + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git a/.github/workflows/pr-title-check.yml b/.github/workflows/pr-title-check.yml
index 8653fa4e..612ab631 100644
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml 
@@ -7,11 +7,22 @@ on: - edited - synchronize +permissions: + contents: read + jobs: main: + permissions: + pull-requests: read # for amannn/action-semantic-pull-request to analyze PRs + statuses: write # for amannn/action-semantic-pull-request to mark status of analyzed PR name: Validate PR Title runs-on: ubuntu-latest steps: - - uses: amannn/action-semantic-pull-request@v5 + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + + - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index ee1de129..01b45ade 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -1,20 +1,13 @@ -# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - -name: Scorecard supply-chain security +name: Scorecard analysis workflow on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained - schedule: - - cron: '20 1 * * 4' push: - branches: [ "main" ] + # Only the default branch is supported. + branches: + - main + schedule: + # Weekly on Saturdays. + - cron: '30 1 * * 6' -# Declare default permissions as read only. permissions: read-all jobs: 
@@ -22,17 +15,18 @@ jobs: name: Scorecard analysis runs-on: ubuntu-latest permissions: - # Needed to upload the results to code-scanning dashboard. + # Needed for Code scanning upload security-events: write - # Needed to publish results and get a badge (see publish_results below). + # Needed for GitHub OIDC token if publish_results is true id-token: write - # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read - steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: "Checkout code" - uses: actions/checkout@6b42224f41ee5dfe5395e27c8b2746f1f9955030 # v2.7.0 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 with: persist-credentials: false 
@@ -41,23 +35,16 @@ jobs: with: results_file: results.sarif results_format: sarif - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. - repo_token: ${{ secrets.SCORECARD_TOKEN }} - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. - # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. + # Scorecard team runs a weekly scan of public GitHub repos, + # see https://github.com/ossf/scorecard#public-data. + # Setting `publish_results: true` helps us scale by leveraging your workflow to + # extract the results instead of relying on our own infrastructure to run scans. + # And it's free for you! publish_results: true - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. + # Upload the results as artifacts (optional). Commenting out will disable + # uploads of run results in SARIF format to the repository Actions tab. + # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts - name: "Upload artifact" uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with:
diff --git a/.github/workflows/validate-queries.yml b/.github/workflows/validate-queries.yml
index 8fc4d132..5d311ed5 100644
--- a/.github/workflows/validate-queries.yml
+++ b/.github/workflows/validate-queries.yml 
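Review bot: Removing `repo_token: ${{ secrets.SCORECARD_TOKEN }}` drops the PAT the deleted comment described as needed for the Branch-Protection check, and the first scorecard hunk also drops the `branch_protection_rule` trigger, so that check now runs with `GITHUB_TOKEN` only and is refreshed once a week. Retiring a long-lived, admin-scoped PAT is a sound trade, but the check may now report less than before rather than more, so record the decision where the next reader will look: `# repo_token intentionally omitted: Branch-Protection runs with GITHUB_TOKEN only; the weekly schedule replaces the branch_protection_rule trigger`. If the repository-level `SCORECARD_TOKEN` secret is now unused, revoke and delete it rather than leaving an idle admin credential in place. The `ossf/scorecard-action` step this `with:` block belongs to starts above the hunk.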
@@ -15,11 +15,12 @@ on: workflow_dispatch: {} permissions: - id-token: write # This is required for requesting the JWT contents: read # This is required for actions/checkout jobs: kql_file_check: + permissions: + id-token: write # This is required for requesting the JWT runs-on: ubuntu-latest if: | (
@@ -41,11 +42,16 @@ jobs: ) steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4.2.0 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Azure login (OIDC) - uses: azure/login@v2 + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0 if: with: client-id: ${{ secrets.AZURE_CLIENT_ID }}
diff --git a/.github/workflows/validate-recommendations.yml b/.github/workflows/validate-recommendations.yml
index 4a2ef000..e5eec779 100644
--- a/.github/workflows/validate-recommendations.yml
+++ b/.github/workflows/validate-recommendations.yml
@@ -9,15 +9,23 @@ on: - '**/*.yaml' workflow_dispatch: {} +permissions: + contents: read + jobs: yaml_file_check: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Checkout repository - uses: actions/checkout@v4.2.0 + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 - name: Set up Python 3.x - uses: actions/setup-python@v5 + uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0 with: python-version: 3.x
diff --git a/CODEOWNERS b/CODEOWNERS
index 41c83768..53b16ad7 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS 
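Review bot: The `Azure login (OIDC)` step in the second validate-queries hunk carries a bare `if:` with no expression (a context line, so pre-existing), which reads as a condition that was never filled in or was lost in an edit; the step that exchanges the OIDC token for an Azure credential should either carry the intended expression or have the key removed so its gating is explicit. Moving `id-token: write` from workflow scope onto `kql_file_check` in the first hunk is the right direction, since that is the only job that needs to mint a token. The job's `if: |` block and the rest of the `with:` inputs lie outside the hunks.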
@@ -1,9 +1,7 @@ # The aprl-maintainers team is responsible for reviewing and merging all PRs - * @Azure/aprl-maintainers ## The aprl-networking team is partially responsible for all networking-related PRs - azure-resources/Cdn @Azure/aprl-maintainers @Azure/aprl-networking azure-resources/Network @Azure/aprl-maintainers @Azure/aprl-networking azure-resources/NetworkCloud @Azure/aprl-maintainers @Azure/aprl-networking
@@ -12,19 +10,28 @@ azure-resources/Peerings @Azure/aprl-maintainers @Azure/aprl-networking azure-resources/Relay @Azure/aprl-maintainers @Azure/aprl-networking ## The aprl-sap team is partially responsible for all SAP-related PRs - azure-specialized-workloads/sap @Azure/aprl-maintainers @Azure/aprl-sap ## The aprl-hpc team is partially responsible for all HPC-related PRs - azure-resources/Batch @Azure/aprl-maintainers @Azure/aprl-hpc azure-specialized-workloads/hpc @Azure/aprl-maintainers @Azure/aprl-hpc ## The aprl-avd team is partially responsible for all AVD-related PRs - azure-resources/DesktopVirtualization @Azure/aprl-maintainers @Azure/aprl-avd azure-specialized-workloads/avd @Azure/aprl-maintainers @Azure/aprl-avd -## The aprl-wara-tools team is responsible for all WARA tools-related PRs - +## The aprl-wara-tools team is partially responsible for all WARA tools-related PRs tools @Azure/aprl-wara-tools + +## The aprl-cosmosdb team is responsible for all CosmosDB-related PRs +azure-resources/DocumentDB/databaseAccounts @Azure/aprl-maintainers @Azure/aprl-cosmosdb + +## The aprl-mysql team is responsible for all MySQL-related PRs +azure-resources/DBforMySQL @Azure/aprl-maintainers @Azure/aprl-mysql + +## The aprl-postgres team is responsible for all PostgreSQL-related PRs +azure-resources/DBforPostgreSQL @Azure/aprl-maintainers @Azure/aprl-postgres + +## The aprl-sql team is responsible for all SQL-related PRs +azure-resources/SQL @Azure/aprl-maintainers @Azure/aprl-sql +azure-resources/SQLVirtualMachines @Azure/aprl-maintainers @Azure/aprl-sql 
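Review bot: The heading is reworded to `## The aprl-wara-tools team is partially responsible for all WARA tools-related PRs`, but the `tools @Azure/aprl-wara-tools` line beneath it appears unchanged and names only that team, whereas every other "partially responsible" section pairs the specialist team with `@Azure/aprl-maintainers`. Either keep the previous wording or make the owners line match the new heading: `tools @Azure/aprl-maintainers @Azure/aprl-wara-tools`. The four new database sections follow the established pattern and look fine.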
diff --git a/azure-resources/DBforPostgreSQL/flexibleServers/kql/2ab85a67-26be-4ed2-a0bb-101b2513ec63.kql b/azure-resources/DBforPostgreSQL/flexibleServers/kql/2ab85a67-26be-4ed2-a0bb-101b2513ec63.kql
index 958d98ac..237d4c9f 100644
--- a/azure-resources/DBforPostgreSQL/flexibleServers/kql/2ab85a67-26be-4ed2-a0bb-101b2513ec63.kql
+++ b/azure-resources/DBforPostgreSQL/flexibleServers/kql/2ab85a67-26be-4ed2-a0bb-101b2513ec63.kql
@@ -1,6 +1,8 @@
 // Azure Resource Graph Query
-// Find Database for PostgreSQL instances that are read replicas
+// Find Database for PostgreSQL instances that do not have read replicas
 resources
-| where type == "microsoft.dbforpostgresql/flexibleservers"
-| where properties.replicationRole == "AsyncReplica"
-| project recommendationId = "2ab85a67-26be-4ed2-a0bb-101b2513ec63", name, id, tags, param1 = strcat("replicationRole:", properties['replicationRole'])
+| where type == "microsoft.dbforpostgresql/flexibleservers" and properties.replicationRole == "AsyncReplica"
+| project replicaServerId = id, id = tostring(properties.sourceServerResourceId)
+| join kind=fullouter (resources | where type == "microsoft.dbforpostgresql/flexibleservers" and properties.replicationRole != "AsyncReplica") on id
+| where isempty(replicaServerId)
+| project recommendationId = "2ab85a67-26be-4ed2-a0bb-101b2513ec63", name, id = id1, tags, param1 = strcat("replicationRole:", properties['replicationRole'])
diff --git a/docs/layouts/shortcodes/azure-resources-recommendationlist.html b/docs/layouts/shortcodes/azure-resources-recommendationlist.html
index 8f4c1f71..c959a7d9 100644
--- a/docs/layouts/shortcodes/azure-resources-recommendationlist.html
+++ b/docs/layouts/shortcodes/azure-resources-recommendationlist.html
@@ -15,7 +15,6 @@
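Review bot: The `join kind=fullouter ... on id` compares `tostring(properties.sourceServerResourceId)` with the primary's `id` as a case-sensitive string, and Resource Graph does not guarantee the two are written in the same case, so a primary whose replica records the source id with different casing would be reported as having no replica. Normalising both sides with `tolower()` removes that false positive, and expressing the intent as a `leftanti` join from the non-replica side also does away with the `fullouter` + `isempty()` filter and the `id1` rename that the last `project` has to undo. The query rewritten that way is below.
```kql
// Azure Resource Graph Query
// Find Database for PostgreSQL instances that do not have read replicas
resources
| where type == "microsoft.dbforpostgresql/flexibleservers" and properties.replicationRole != "AsyncReplica"
| extend joinKey = tolower(id)
| join kind=leftanti (
    resources
    | where type == "microsoft.dbforpostgresql/flexibleservers" and properties.replicationRole == "AsyncReplica"
    | project joinKey = tolower(tostring(properties.sourceServerResourceId))
  ) on joinKey
| project recommendationId = "2ab85a67-26be-4ed2-a0bb-101b2513ec63", name, id, tags, param1 = strcat("replicationRole:", properties['replicationRole'])
```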

Summary

Impact Category Automation Available - PG Verified {{ range sort .recommendations "recommendation" "asc" }} @@ -27,7 +26,6 @@

Summary

{{ .recommendationImpact }} {{ .recommendationControl }} {{ if eq .automationAvailable true }}Yes{{ else }}No{{ end }} - {{ if eq .pgVerified true }}Verified{{ else }}Preview{{ end }} {{ end }} {{ end }} @@ -62,9 +60,6 @@

Category:  {{ .recommendationControl }} - PG Verified:  - {{ if eq .pgVerified true }}Verified{{ else }}Preview{{ end }} -

diff --git a/docs/layouts/shortcodes/azure-specialized-workloads-recommendationlist.html b/docs/layouts/shortcodes/azure-specialized-workloads-recommendationlist.html index e418e9f2..c73ae6fb 100644 --- a/docs/layouts/shortcodes/azure-specialized-workloads-recommendationlist.html +++ b/docs/layouts/shortcodes/azure-specialized-workloads-recommendationlist.html @@ -15,7 +15,6 @@

Summary

Impact Category Automation Available - PG Verified {{ range sort .recommendations "recommendation" "asc" }} @@ -27,7 +26,6 @@

Summary

{{ .recommendationImpact }} {{ .recommendationControl }} {{ if eq .automationAvailable true }}Yes{{ else }}No{{ end }} - {{ if eq .pgVerified true }}Verified{{ else }}Preview{{ end }} {{ end }} {{ end }} @@ -62,9 +60,6 @@

Category:  {{ .recommendationControl }} - PG Verified:  - {{ if eq .pgVerified true }}Verified{{ else }}Preview{{ end }} -

diff --git a/docs/layouts/shortcodes/azure-waf-recommendationlist.html b/docs/layouts/shortcodes/azure-waf-recommendationlist.html index 56260940..463ca33c 100644 --- a/docs/layouts/shortcodes/azure-waf-recommendationlist.html +++ b/docs/layouts/shortcodes/azure-waf-recommendationlist.html @@ -14,7 +14,6 @@

Summary

Recommendation Impact Category - PG Verified {{ range sort .recommendations "recommendation" "asc" }} @@ -25,7 +24,6 @@

Summary

{{ .recommendationImpact }} {{ .recommendationControl }} - {{ if eq .pgVerified true }}Verified{{ else }}Preview{{ end }} {{ end }} {{ end }} @@ -60,9 +58,6 @@

Category:  {{ .recommendationControl }} - PG Verified:  - {{ if eq .pgVerified true }}Verified{{ else }}Preview{{ end }} -