Merge branch 'main' into checklistConverter

.eslintrc

@@ -19,7 +19,7 @@
     "no-control-regex": "off",
     "max-nested-callbacks": "off",
     "unicorn/prefer-json-parse-buffer": "off",
-    "camelcase": "off", // Camel case fields are used in CKL
+    "camelcase": "off",
     "no-console": "off",
     "node/no-missing-import": "off",
     "complexity": "off",

.github/workflows/auto-approve-and-merge.yml

@@ -10,9 +10,9 @@ jobs:
   approve:
     name: Auto-approve dependabot PRs
     if: github.event.pull_request.user.login == 'dependabot[bot]' && contains(github.event.pull_request.labels.*.name, 'dependencies')
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
-    - uses: hmarr/auto-approve-action@v2
+    - uses: hmarr/auto-approve-action@v3
       with:
         github-token: "${{ secrets.GITHUB_TOKEN }}"
     - name: Enable auto-merge for Dependabot PRs

.github/workflows/build-binary.yml

@@ -3,18 +3,20 @@ name: Build SAF-CLI Windows/Linux Installers
 on:
   push:
     branches: [ main ]
+  pull_request:
+    branches: [ main ]
 
 jobs:
   build-deploy:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v3
 
       - name: setup node
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v3
         with:
           node-version: "16.x"
-          registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
 
       - name: Install Nullsoft Scriptable Install System and p7zip
         run: sudo apt install nsis p7zip-full
@@ -23,28 +25,29 @@ jobs:
         run: rm -rf test
 
       - name: Install project dependencies
-        run: npm install
+        run: npm ci
 
       - name: Pack Windows Installer
-        run: yarn run oclif pack win
+        run: npx oclif pack win
 
       - name: Pack Debian Package
-        run: sudo yarn run oclif pack deb
+        run: sudo npx oclif pack deb
 
       - name: Upload SAF-CLI Windows Build x64 Artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: SAF-CLI Windows Build x64
           path: dist/win32/saf-*-x64.exe
 
       - name: Upload SAF-CLI Windows Build x86 Artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: SAF-CLI Windows Build x86
           path: dist/win32/saf-*-x86.exe
 
+      # underscore here since that's how the file is named
       - name: Upload SAF-CLI Debian x64 Artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: SAF-CLI Debian Build x64
           path: dist/deb/saf_*.deb

.github/workflows/build-macos.yml

@@ -2,31 +2,33 @@ name: Build macOS Installer
 on:
   push:
     branches: [ main ]
+  pull_request:
+    branches: [ main ]
 
 
 jobs:
   build-deploy:
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@master
+      - uses: actions/checkout@v3
 
       - name: setup node
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v3
         with:
           node-version: "16.x"
-          registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
 
       - name: Install project dependencies
-        run: npm install
+        run: npm ci
 
       - name: Remove testing resources
         run: rm -rf test
 
-      - name: npm install and pack
-        run: yarn run oclif pack macos
+      - name: npm pack
+        run: npx oclif pack macos
 
       - name: Upload SAF-CLI macOS Installer Artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: SAF-CLI macOS Installer
-          path: dist/macos/saf-*.pkg
+          path: dist/macos/saf-*.pkg

.github/workflows/bump-brew.yml

@@ -1,27 +1,27 @@
 name: Bump Homebrew formula
 
 on:
-  release:
-    types: [published]
+  workflow_run:
+    workflows: ["Push SAF-CLI to NPM and GPR"]
+    types:
+      - completed
 jobs:
-  build-deploy:
+  update-formula:
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
       - name: Extract version
         id: extract-version
-        run: |
-          printf "::set-output name=tag-name::%s" "${GITHUB_REF#refs/tags/}"
+        run: echo "tag=$(git describe --abbrev=0 --tags)" >> $GITHUB_OUTPUT
       - uses: mislav/bump-homebrew-formula-action@v2
-        if: "!contains(github.ref, '-')" # skip prereleases
         with:
           formula-name: saf-cli
-          formula-path: Formula/saf-cli.rb
           homebrew-tap: mitre/homebrew-saf
-          base-branch: main
-          download-url: https://registry.npmjs.org/@mitre/saf/-/saf-${{ steps.extract-version.outputs.tag-name }}.tgz
-          commit-message: |
-            {{formulaName}} {{version}}
-
-            Created by https://github.com/mislav/bump-homebrew-formula-action
+          download-url: https://registry.npmjs.org/@mitre/saf/-/saf-${{ steps.extract-version.outputs.tag }}.tgz
+          tag-name: ${{ steps.extract-version.outputs.tag }}
         env:
-          COMMITTER_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COMMITTER_TOKEN: ${{ secrets.HOMEBREW_PAT }}

.github/workflows/codeql-analysis.yml

@@ -19,6 +19,7 @@ on:
     branches: [ main ]
   schedule:
     - cron: '27 2 * * 6'
+  workflow_dispatch:
 
 jobs:
   analyze:
@@ -38,11 +39,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -53,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -67,4 +68,14 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2
+
+#     - name: CSV export
+#       uses: advanced-security/ghas-to-csv@v2
+#       env:
+#         GITHUB_PAT: ${{ secrets.SAF_GHAS_SCANNING_PAT }}
+#     - name: Upload CSV
+#       uses: actions/upload-artifact@v3
+#       with:
+#         name: ghas-data
+#         path: ${{ github.workspace }}/*.csv

.github/workflows/draft-release.yml

@@ -2,15 +2,24 @@ name: Draft Release
 
 on:
   push:
-    # branches to consider in the event; optional, defaults to all
     branches:
       - main
+  pull_request:
+    types: [opened, reopened, synchronize]
+  pull_request_target:
+    types: [opened, reopened, synchronize]
+
+permissions:
+  contents: read
 
 jobs:
   update_draft_release:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       # Drafts your next Release notes as Pull Requests are merged into "master"
-      - uses: toolmantim/release-drafter@v5.2.0
+      - uses: release-drafter/release-drafter@v5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/e2e-ci.yml

@@ -8,29 +8,19 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
 
     steps:
-     - uses: actions/checkout@v2
+     - uses: actions/checkout@v3
 
      - name: Setup Node.js
-       uses: actions/setup-node@v1
+       uses: actions/setup-node@v3
        with:
         node-version: '16.x'
-
-     - name: Cache node modules
-       uses: actions/cache@v2
-       env:
-         cache-name: cache-node-modules
-       with:
-         # npm cache files are stored in `~/.npm` on Linux/macOS
-         path: ~/.npm
-         key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.lock') }}
-         restore-keys: |
-           ${{ runner.os }}-node-
+        cache: 'npm'
 
      - name: Install dependencies
-       run: npm install
+       run: npm ci
 
      - name: Prepack
        run: npm run prepack

.github/workflows/linter.yml

@@ -8,31 +8,19 @@ on:
 
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
 
     steps:
-     - uses: actions/checkout@v2
-
-     - name: Cache node modules
-       uses: actions/cache@v2
-       env:
-         cache-name: cache-node-modules
-       with:
-         # npm cache files are stored in `~/.npm` on Linux/macOS
-         path: ~/.npm
-         key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
-         restore-keys: |
-           ${{ runner.os }}-build-${{ env.cache-name }}-
-           ${{ runner.os }}-build-
-           ${{ runner.os }}-
+     - uses: actions/checkout@v3
 
      - name: Setup Node.js
-       uses: actions/setup-node@v1
+       uses: actions/setup-node@v3
        with:
         node-version: '16.x'
+        cache: 'npm'
 
      - name: Install project dependencies
-       run: yarn install --frozen-lockfile
+       run: npm ci
 
      - name: Run lint
-       run: yarn run lint:ci
+       run: npm run lint:ci

.github/workflows/push-to-docker-main.yml

@@ -4,25 +4,24 @@ on:
   push:
     branches: [ main ]
 
-
 jobs:
   docker:
     runs-on: ubuntu-latest
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
       - name: Login to DockerHub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
       - name: Checkout the SAF Repository
-        uses: actions/checkout@v2 
+        uses: actions/checkout@v3
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           context: .
-          file: Dockerfile
           push: true
+          platforms: "linux/amd64,linux/arm64"
           tags: mitre/saf:latest

.github/workflows/push-to-docker.yml

@@ -9,27 +9,27 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_TOKEN }}
+        uses: docker/setup-buildx-action@v2
       - name: Run string replace
-        uses: frabert/replace-string-action@master
+        uses: frabert/replace-string-action@v2
         id: format-tag
         with:
           pattern: 'v'
           string: "${{ github.event.release.tag_name }}"
           replace-with: ''
           flags: 'g'
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
       - name: Checkout the SAF Repository
-        uses: actions/checkout@v2 
+        uses: actions/checkout@v3
       - name: Build and push
         id: docker_build
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           context: .
-          file: Dockerfile
           push: true
-          tags: mitre/saf:release-latest,mitre/saf:${{ steps.format-tag.outputs.replaced }},mitre/saf:v1
+          platforms: "linux/amd64,linux/arm64"
+          tags: mitre/saf:release-latest,mitre/saf:${{ steps.format-tag.outputs.replaced }},mitre/saf:v1