From c49ce13c8927e5a942662f842c66cbc17b37ad62 Mon Sep 17 00:00:00 2001
From: macnotes <25835285+macnotes@users.noreply.github.com>
Date: Wed, 7 Jan 2026 09:45:44 -0500
Subject: [PATCH 1/8] Configure CodeQL and License Header checks, remove projects folder
---
.github/workflows/codeql.yml | 62 +++++++++++++++++++++++++++++
.github/workflows/license_check.yml | 53 ++++++++++++++++++++++++
IT/place_holder.md | 0
Sales/place_holder.md | 0
Services/place_holder.md | 0
Support_Success/place_holder.md | 0
it/readme.md | 1 +
projects/README.md | 3 --
sales/readme.md | 1 +
services/readme.md | 1 +
support/readme.md | 1 +
11 files changed, 119 insertions(+), 3 deletions(-)
create mode 100644 .github/workflows/codeql.yml
create mode 100644 .github/workflows/license_check.yml
delete mode 100644 IT/place_holder.md
delete mode 100644 Sales/place_holder.md
delete mode 100644 Services/place_holder.md
delete mode 100644 Support_Success/place_holder.md
create mode 100644 it/readme.md
delete mode 100644 projects/README.md
create mode 100644 sales/readme.md
create mode 100644 services/readme.md
create mode 100644 support/readme.md
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 0000000..47af4cf
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,62 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "main", "master" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "main", "master" ]
+ schedule:
+ - cron: '39 5 * * 5'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'go', 'python', 'swift' ]
+ # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
new file mode 100644
index 0000000..2c06a94
--- /dev/null
+++ b/.github/workflows/license_check.yml
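Review bot: Every `uses:` reference in this new workflow (`actions/checkout@v4`, `github/codeql-action/init@v3`, `autobuild@v3`, `analyze@v3`) is a mutable major tag, so the code that runs with `security-events: write` can change without any commit in this repository. Pinning each one to a full commit SHA and keeping the tag in a trailing comment, for example `uses: actions/checkout@<commit-sha>  # v4`, makes the run reproducible and still lets Dependabot propose bumps. The explicit job-level `permissions:` block is the right least-privilege baseline and is worth preserving in later edits to this file.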
@@ -0,0 +1,53 @@
+name: License Header Check
+
+on:
+ pull_request:
+ push:
+ branches: [ "main", "master" ]
+
+jobs:
+ check-license:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Check for License Headers
+ run: |
+ failed=0
+ # Find files: .sh, .go, .swift, .py
+ # Exclude hidden directories/files (like inside .git)
+ files=$(find . -type f \( -name "*.sh" -o -name "*.go" -o -name "*.swift" -o -name "*.py" \) -not -path '*/.*')
+
+ for file in $files; do
+ missing_reqs=0
+
+ # Requirement 1: A line with both "Copyright" and "Jamf"
+ # We grep for Copyright, then pipe to grep for Jamf to ensure they are on the same line.
+ if ! grep "Copyright" "$file" | grep -q "Jamf"; then
+ echo "::error file=$file::Missing 'Copyright' and 'Jamf' on the same line."
+ missing_reqs=1
+ fi
+
+ # Requirement 2: Specific license string
+ if ! grep -Fq "This work is licensed under the terms of the Jamf Source Available License" "$file"; then
+ echo "::error file=$file::Missing 'This work is licensed under the terms of the Jamf Source Available License'"
+ missing_reqs=1
+ fi
+
+ # Requirement 3: License URL
+ if ! grep -Fq "https://github.com/jamf/scripts/blob/main/LICENCE.md" "$file"; then
+ echo "::error file=$file::Missing 'https://github.com/jamf/scripts/blob/main/LICENCE.md'"
+ missing_reqs=1
+ fi
+
+ if [ $missing_reqs -eq 1 ]; then
+ failed=1
+ fi
+ done
+
+ if [ $failed -eq 1 ]; then
+ echo "One or more files are missing required license headers."
+ exit 1
+ else
+ echo "All scanned files contain the required license headers."
+ fi
diff --git a/IT/place_holder.md b/IT/place_holder.md
deleted file mode 100644
index e69de29..0000000
diff --git a/Sales/place_holder.md b/Sales/place_holder.md
deleted file mode 100644
index e69de29..0000000
diff --git a/Services/place_holder.md b/Services/place_holder.md
deleted file mode 100644
index e69de29..0000000
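Review bot: The `check-license` job declares no `permissions:`, so it runs with whatever default `GITHUB_TOKEN` grants the repository has, although the step only reads the checkout; add `permissions:` with `contents: read` under the job, matching the codeql workflow in the same patch. Separately, `for file in $files` word-splits the `find` output, so a script path containing whitespace is checked as fragments and reported as missing headers; iterating with `while IFS= read -r -d '' file; do` and `done < <(find . -type f \( ... \) -not -path '*/.*' -print0)` handles such names while keeping `failed=1` visible outside the loop. The `-not -path '*/.*'` filter also skips everything under `.github/`, which is worth stating in the comment if intended.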
diff --git a/Support_Success/place_holder.md b/Support_Success/place_holder.md
deleted file mode 100644
index e69de29..0000000
diff --git a/it/readme.md b/it/readme.md
new file mode 100644
index 0000000..9eb00a2
--- /dev/null
+++ b/it/readme.md
@@ -0,0 +1 @@
+This directory contains scripts created by Jamf's IT team
diff --git a/projects/README.md b/projects/README.md
deleted file mode 100644
index f771914..0000000
--- a/projects/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-## Projects
-
-This folder contains a variety of projects related to Jamf's products. Please refer to the readme in each folder for more details.
diff --git a/sales/readme.md b/sales/readme.md
new file mode 100644
index 0000000..7081291
--- /dev/null
+++ b/sales/readme.md
@@ -0,0 +1 @@
+This directory contains scripts created by Jamf's Sales Engineering and Consulting Engineers department
diff --git a/services/readme.md b/services/readme.md
new file mode 100644
index 0000000..20d0202
--- /dev/null
+++ b/services/readme.md
@@ -0,0 +1 @@
+This directory contains scripts created by Jamf's Professional Services department
diff --git a/support/readme.md b/support/readme.md
new file mode 100644
index 0000000..003419b
--- /dev/null
+++ b/support/readme.md
@@ -0,0 +1 @@
+This directory contains scripts created by Jamf's Support department
From f0131c8fdcd3d341a9747a4b822460644e34f1e8 Mon Sep 17 00:00:00 2001
From: macnotes <25835285+macnotes@users.noreply.github.com>
Date: Thu, 8 Jan 2026 09:00:48 -0500
Subject: [PATCH 2/8] Internal info in confluence
---
.github/PULL_REQUEST_TEMPLATE/expectations.md | 35 +------------------
1 file changed, 1 insertion(+), 34 deletions(-)
diff --git a/.github/PULL_REQUEST_TEMPLATE/expectations.md b/.github/PULL_REQUEST_TEMPLATE/expectations.md
index dc2dbe3..4a6253e 100644
--- a/.github/PULL_REQUEST_TEMPLATE/expectations.md
+++ b/.github/PULL_REQUEST_TEMPLATE/expectations.md
@@ -1,36 +1,3 @@ # Script Expectations -## Authors - -### ✔ Code Quality -- Code is readable and follows established style -- Naming is meaningful and consistent -- Has enough comments to be easily understood -- No dead or commented-out code -- Anticipates where mistakes might be made and protects against it - -### ✔ Security -- Inputs are validated and sanitized -- Secrets are handled securely -- Dependencies reviewed - -### ✔ Testing -- Code has been tested and anticipates realistic real-world conditions - -### ✔ Documentation -- The README (or header comments) explaining the script are up to date -- The following are clearly stated: - - Purpose - - Requirements (Compatible OS and Jamf product versions, etc.) - - Installation - - Instructions for use - -## Reviewers - -By approving a Pull Request, you acknowledge that the work: - -- Will be owned and actively maintained by your department -- Will be removed if if becomes obsolete -- Does no exceed the acceptable scope of the OSS policy -- The Jamf Copyright and Source Available license text is included -- Does not use or expose any non-public IP +Please review the release checklist in Confluence prior to submitting a pull request. From ba2e5c1d8cd306a1f20dc7aed5c068bd83674160 Mon Sep 17 00:00:00 2001 From: macnotes <25835285+macnotes@users.noreply.github.com> Date: Thu, 8 Jan 2026 09:01:05 -0500 Subject: [PATCH 3/8] auto language detection on codeql --- .github/workflows/codeql.yml | 75 +++++++++++++++--------------------- 1 file changed, 30 insertions(+), 45 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 47af4cf..e5c8579 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -1,11 +1,19 @@ -name: "CodeQL" +# .github/workflows/codeql.yml +name: CodeQL on: push: - branches: [ "main", "master" ] + branches: ["main", "master"] + paths-ignore: + - '**/*.md' + - 'docs/**' + - '.github/**' pull_request: - # The branches below must be a subset of the branches above - branches: [ "main", "master" ] + branches: ["main", "master"] + paths-ignore: + - '**/*.md' + - 'docs/**' + - '.github/**' schedule: - cron: '39 5 * * 5' 
@@ -18,45 +26,22 @@ jobs: contents: read security-events: write - strategy: - fail-fast: false - matrix: - language: [ 'go', 'python', 'swift' ] - # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-extended,security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. 
- - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" + - name: Checkout repository + uses: actions/checkout@v4 + + # Initialize CodeQL with automatic language detection + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: auto + # Optionally enable broader query sets: + # queries: security-extended,security-and-quality + + # Autobuild attempts to build compiled languages when detected + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + continue-on-error: true + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 From 5c4d1c40be2434cc2f79da51e7b81d34823a9ec7 Mon Sep 17 00:00:00 2001 From: macnotes <25835285+macnotes@users.noreply.github.com> Date: Thu, 8 Jan 2026 09:55:57 -0500 Subject: [PATCH 4/8] Update codeowners paths --- CODEOWNERS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 84898fa..571dbd8 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,5 +1,5 @@ -* @BIG-RAT @seposium +* @BIG-RAT @seposium -/IT/ @emily-at-jamf -/Services/ @Penning87 -/Support_Success/ @klngbl @nickander \ No newline at end of file +/it/ @emily-at-jamf +/services/ @Penning87 +/support/ @klngbl @nickander \ No newline at end of file From 35b200bd874d3748dbb62ae2b08b32b361c98811 Mon Sep 17 00:00:00 2001 From: macnotes <25835285+macnotes@users.noreply.github.com> Date: Thu, 8 Jan 2026 10:01:16 -0500 Subject: [PATCH 5/8] Update codeQL from v3 to v4 --- .github/workflows/codeql.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e5c8579..e073951 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -1,4 +1,3 @@ -# .github/workflows/codeql.yml name: CodeQL on: 
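Review bot: `continue-on-error: true` on the new Autobuild step lets a failed build fall through to `analyze`, which then reports on a partial or empty database for any compiled language while the check stays green, so a build break becomes a silent coverage gap. Drop the flag, or make Autobuild conditional on a compiled language actually being present, so the failure is visible in the run. I also cannot confirm that `languages: auto` is an accepted value for `codeql-action/init`; the documented way to get automatic detection is to omit `languages` entirely, so check the first run's log shows the expected languages. Removing `category` is fine now that there is a single analyze step instead of a matrix.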
@@ -30,18 +29,17 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - # Initialize CodeQL with automatic language detection + # Initialize CodeQL with auto language detection (v4) - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@v4 with: languages: auto - # Optionally enable broader query sets: - # queries: security-extended,security-and-quality - # Autobuild attempts to build compiled languages when detected + # Autobuild attempts to build compiled languages; continue on error for script-only repos - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@v4 continue-on-error: true + # Perform the CodeQL analysis - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@v4 From ca8e741c85b9a674037a9afc943d8cbeed794b88 Mon Sep 17 00:00:00 2001 From: macnotes <25835285+macnotes@users.noreply.github.com> Date: Thu, 8 Jan 2026 10:08:15 -0500 Subject: [PATCH 6/8] Update codeql.yml --- .github/workflows/codeql.yml | 59 +++++++++++++++++++++--------------- 1 file changed, 35 insertions(+), 24 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e073951..abd8c6c 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -2,44 +2,55 @@ name: CodeQL on: push: - branches: ["main", "master"] - paths-ignore: - - '**/*.md' - - 'docs/**' - - '.github/**' + branches: [main] pull_request: - branches: ["main", "master"] - paths-ignore: - - '**/*.md' - - 'docs/**' - - '.github/**' - schedule: - - cron: '39 5 * * 5' + # Analyze PRs targeting main + branches: [main] jobs: - analyze: + codeql: name: Analyze runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - steps: - name: Checkout repository uses: actions/checkout@v4 - # Initialize CodeQL with auto language detection (v4) + # Step 1: detect which languages exist in the repo + - name: Detect supported languages + id: detect + run: | + SUPPORTED_LANGS="python javascript cpp csharp java go ruby php" + DETECTED="" + for lang in $SUPPORTED_LANGS; do + case "$lang" in + python) EXT="py";; + javascript) EXT="js ts";; + cpp) EXT="c cpp c++ h hpp";; + csharp) EXT="cs";; + java) EXT="java";; + go) EXT="go";; + ruby) EXT="rb";; + php) EXT="php";; + esac + if git ls-files "*.$EXT" | grep -q .; then + DETECTED="$DETECTED $lang" + fi + done + DETECTED=$(echo $DETECTED | xargs) # trim + echo "Detected languages: $DETECTED" + echo "::set-output name=langs::$DETECTED" + + # Step 2: Only run CodeQL if at least one language is found - name: Initialize CodeQL + if: steps.detect.outputs.langs != '' uses: github/codeql-action/init@v4 with: - languages: auto + languages: ${{ steps.detect.outputs.langs }} - # Autobuild attempts to build compiled languages; continue on error for script-only repos - name: Autobuild + if: steps.detect.outputs.langs != '' uses: github/codeql-action/autobuild@v4 - continue-on-error: true - # Perform the CodeQL analysis - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v4 + if: steps.detect.outputs.langs != '' + uses: github/codeql-action/analyze@v4 \ No newline at end of file From 4bdddfee3524ff6d673aae91c0a305066a41ff37 Mon Sep 17 00:00:00 2001 
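Review bot: The job-level `permissions:` block (`actions: read`, `contents: read`, `security-events: write`) is deleted, so the job falls back to the repository's default `GITHUB_TOKEN` grants: on a restricted default the SARIF upload in `analyze` fails, on a permissive default the job holds far more than it needs; restore those lines under `codeql:`. The detection loop is also broken for multi-extension entries, because `git ls-files "*.$EXT"` with `EXT="js ts"` or `EXT="c cpp c++ h hpp"` is a single pathspec that never matches, so javascript and cpp can never be detected, and `::set-output` is deprecated in favour of `$GITHUB_OUTPUT`. Iterating over each extension, as below, fixes both. Dropping `schedule:` additionally means the default branch is only scanned on push, so newly released queries are not applied until the next code change; consider keeping the weekly cron.
```yaml
          for lang in $SUPPORTED_LANGS; do
            # … unchanged: case statement mapping $lang to EXT …
            for ext in $EXT; do
              if git ls-files "*.$ext" | grep -q .; then
                DETECTED="$DETECTED $lang"
                break
              fi
            done
          done
          # … unchanged: trim and log …
          echo "langs=$DETECTED" >> "$GITHUB_OUTPUT"
```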
From: macnotes <25835285+macnotes@users.noreply.github.com>
Date: Thu, 8 Jan 2026 10:53:10 -0500
Subject: [PATCH 7/8] Update codeql.yml
---
.github/workflows/codeql.yml | 98 +++++++++++++++++++++++-------------
1 file changed, 64 insertions(+), 34 deletions(-)
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index abd8c6c..d23639c 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,56 +1,86 @@ -name: CodeQL +name: "CodeQL Scan (PR-Incremental)" on: - push: - branches: [main] pull_request: - # Analyze PRs targeting main - branches: [main] + paths-ignore: + - '**.md' # ignore docs jobs: - codeql: - name: Analyze + detect-changes: + name: Detect PR Languages & Paths runs-on: ubuntu-latest + outputs: + langs: ${{ steps.detect.outputs.langs }} + paths: ${{ steps.detect.outputs.paths }} steps: - - name: Checkout repository + - name: Checkout PR uses: actions/checkout@v4 - # Step 1: detect which languages exist in the repo - - name: Detect supported languages + - name: Detect changed languages and folders id: detect run: | SUPPORTED_LANGS="python javascript cpp csharp java go ruby php" - DETECTED="" + declare -A EXTENSIONS + EXTENSIONS=( + [python]="py" + [javascript]="js ts" + [csharp]="cs" + [go]="go" + [ruby]="rb" + [php]="php" + ) + + DETECTED_LANGS="" + DETECTED_PATHS="" + + # List changed files in the PR + CHANGED_FILES=$(git diff --name-only ${{ github.event.before }} ${{ github.sha }}) + for lang in $SUPPORTED_LANGS; do - case "$lang" in - python) EXT="py";; - javascript) EXT="js ts";; - cpp) EXT="c cpp c++ h hpp";; - csharp) EXT="cs";; - java) EXT="java";; - go) EXT="go";; - ruby) EXT="rb";; - php) EXT="php";; - esac - if git ls-files "*.$EXT" | grep -q .; then - DETECTED="$DETECTED $lang" - fi + for ext in ${EXTENSIONS[$lang]}; do + if echo "$CHANGED_FILES" | grep -E "\.${ext}$" >/dev/null; then + DETECTED_LANGS="$DETECTED_LANGS $lang" + break + fi + done done - DETECTED=$(echo $DETECTED | xargs) # trim - echo "Detected languages: $DETECTED" - echo "::set-output name=langs::$DETECTED" - # Step 2: Only run CodeQL if at least one language is found + # Collect directories containing changed files (for path filters) + while read -r file; do + dir=$(dirname "$file") + DETECTED_PATHS="$DETECTED_PATHS $dir" + done <<< "$CHANGED_FILES" + + DETECTED_LANGS=$(echo $DETECTED_LANGS | xargs) # trim + DETECTED_PATHS=$(echo $DETECTED_PATHS | xargs | 
tr ' ' ',') # comma-separated + + echo "Languages detected: $DETECTED_LANGS" + echo "Paths to analyze: $DETECTED_PATHS" + + echo "langs=$DETECTED_LANGS" >> $GITHUB_OUTPUT + echo "paths=$DETECTED_PATHS" >> $GITHUB_OUTPUT + + codeql: + name: CodeQL Analysis + runs-on: ubuntu-latest + needs: detect-changes + if: needs.detect-changes.outputs.langs != '' + steps: + - name: Checkout PR + uses: actions/checkout@v4 + - name: Initialize CodeQL - if: steps.detect.outputs.langs != '' uses: github/codeql-action/init@v4 with: - languages: ${{ steps.detect.outputs.langs }} + languages: ${{ needs.detect-changes.outputs.langs }} + token: ${{ secrets.GITHUB_TOKEN }} + debug: true + paths: ${{ needs.detect-changes.outputs.paths }} - - name: Autobuild - if: steps.detect.outputs.langs != '' - uses: github/codeql-action/autobuild@v4 + - name: Build (if necessary) + run: | + # Add build commands here for compiled languages + echo "Build step (optional)" - name: Perform CodeQL Analysis - if: steps.detect.outputs.langs != '' uses: github/codeql-action/analyze@v4 \ No newline at end of file From b67eed856a2e17d694d4728aaec4c4a7ff30f1c0 Mon Sep 17 00:00:00 2001 From: macnotes <25835285+macnotes@users.noreply.github.com> Date: Thu, 8 Jan 2026 11:18:46 -0500 Subject: [PATCH 8/8] Update codeql.yml --- .github/workflows/codeql.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index d23639c..c65bc2a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -15,6 +15,8 @@ jobs: steps: - name: Checkout PR uses: actions/checkout@v4 + with: + fetch-depth: 0 # fetch full history - name: Detect changed languages and folders id: detect
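Review bot: `${{ github.event.before }}` in the `git diff` line is a push-event field; on `pull_request` it is not populated except on `synchronize` (where it is the previous PR head, not the base), so for an opened PR the command compares the working tree against `github.sha` only, `CHANGED_FILES` is empty, `langs` stays empty and the `codeql` job is skipped on every PR. Use the PR base instead, `CHANGED_FILES=$(git diff --name-only ${{ github.event.pull_request.base.sha }} ${{ github.sha }})`, together with a full-history checkout. The `EXTENSIONS` map also omits `cpp` and `java` although `SUPPORTED_LANGS` lists them, so `${EXTENSIONS[$lang]}` expands empty and those languages are never detected; add `[cpp]="c cpp c++ h hpp"` and `[java]="java"`. Neither job declares `permissions:`, so the upload in `analyze` depends on repository defaults rather than an explicit `security-events: write`. I am not aware of a `paths:` input on `codeql-action/init` (path filters belong in a `config:`/`config-file` `paths:` list, and a comma-joined string would be the wrong shape even there), and `debug: true` plus the redundant `token:` line should be dropped once the workflow runs cleanly.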