Skip to content

updated security.md to latest version as per HHS#1579

Open
purnesh-cit wants to merge 334 commits into
microsoft:mainfrom
NIHGOV:purnesh-cit-patch-1
Open

updated security.md to latest version as per HHS#1579
purnesh-cit wants to merge 334 commits into
microsoft:mainfrom
NIHGOV:purnesh-cit-patch-1

Conversation

@purnesh-cit

@purnesh-cit purnesh-cit commented Jun 23, 2026

Copy link
Copy Markdown

No description provided.

petersonjdNIH and others added 30 commits November 2, 2022 10:17
@petersonjdNIH
Merge pull request #112 from NIHGOV/update-main
3e9ec05 
Add workflow to create ACR image.
fixing typo in Dockerfile
ba37d39
fixes org login slug string
b161969
@petersonjdNIH
Merge pull request #107 from NIHGOV/DevOptimusPrime-patch-psscript
9bdfb9b 
fix quoting for id field
@DevOptimusPrime
Update staging_create_acr_image.yml
1431e99
@DevOptimusPrime
Merge pull request #114 from NIHGOV/DevOptimusPrime-patch-1
43e2737 
Update staging_create_acr_image.yml
@DevOptimusPrime
Update staging_create_acr_image.yml
95c4e32
add env var to pug file to surface company name
466b28e
fix inline color of top nav
4d8e933
add styling overrides to css
6e7e917
add new language and links to top nav
045a082
add padding to top nav
494f340
remove text from footer
a0f5030
@petersonjdNIH
Merge pull request #119 from NIHGOV/devoptimusprime-branding-enhancem…
b3fe0b2 
…ents

Devoptimusprime branding enhancements
add serviceBus email feature
2292d59
fix missing file
db39bfe
@petersonjdNIH
Merge pull request #123 from NIHGOV/devoptimusprime-azureBus-emails
5723149 
Devoptimusprime azure bus emails
@petersonjdNIH
Merge pull request #124 from NIHGOV/staging
72aedc8 
Staging
@DevOptimusPrime
Update main_nihgithubportal.yml
a87c2ac
@DevOptimusPrime
Create main_create_acr_image.yaml
6eb8bc2
@petersonjdNIH
Merge pull request #125 from NIHGOV/DevOptimusPrime-add-steps-to-main-wf
68bf549 
Update main_nihgithubportal.yml
@petersonjdNIH
Merge pull request #126 from NIHGOV/DevOptimusPrime-add-main-acr-wf
dce57a3 
Create main_create_acr_image.yaml
@petersonjdNIH
Initial email styling changes
13a9607
@DevOptimusPrime
Update staging_create_acr_image.yml
245b0d2 
Removes dynamic env-orgs.json creation so that staging always uses a smaller set of orgs
@DevOptimusPrime
Update staging_nihdevgithubportal.yml
96ea100
@DevOptimusPrime
Merge pull request #127 from NIHGOV/jp-email
c430e8c 
Initial email styling changes
@petersonjdNIH
Styled Email CSS for NIH
d18415c
@DevOptimusPrime
Merge pull request #129 from NIHGOV/jp-email
bf07fb3 
Styled Email CSS for NIH
@petersonjdNIH
Merge pull request #130 from NIHGOV/staging
a773dcf 
Staging
@garnertb
Bump action dependencies.
c648388
furniturewalatkNIH and others added 29 commits December 3, 2024 19:32
@furniturewalatkNIH
Merge pull request #714 from NIHGOV/staging
7e4f46a 
Update package.json to address Dependabot High alerts
@petersonjdNIH
feat: ACI container deployment workflows and infra reference configs
4782350 
Add GitHub Actions workflows to deploy/recreate ACI container groups
for both staging and production environments, and infra reference YAMLs.

Workflows:
- staging_nihdevgithubportalfh.yml  (firehose, daily 01:00 UTC + manual)
- staging_nihdevgithubportalcb.yml  (cache builder, every 6h + manual)
- main_nihgithubportalfh.yml        (prod firehose, manual)
- main_nihgithubportalcb.yml        (prod cache builder, manual)

Fixes:
- Correct job command paths (jobs/firehose.js, jobs/refreshQueryCache.js)
- Correct env var assignment: GITHUB_APP_OPERATIONS_KEY carries the PEM
- All credentials sourced from GitHub Secrets (no hardcoded values)

Infra reference configs in infra/aci/ document the container structure.
@petersonjdNIH @github-advanced-security
Potential fix for pull request finding 'CodeQL / Workflow does not co…
5728002 
…ntain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@petersonjdNIH @github-advanced-security
Potential fix for pull request finding 'CodeQL / Workflow does not co…
e46b8f5 
…ntain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@petersonjdNIH @github-advanced-security
Potential fix for pull request finding 'CodeQL / Workflow does not co…
d0eda35 
…ntain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@petersonjdNIH @github-advanced-security
Potential fix for pull request finding 'CodeQL / Workflow does not co…
385d3ef 
…ntain permissions'

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@petersonjdNIH
Merge pull request #1114 from NIHGOV/aci-workflows-main
e587c37 
feat: ACI container deployment workflows and infra reference configs
@petersonjdNIH
fix: switch ACI workflows to OIDC federated auth
fb4b9de 
Replace service principal client secret with OIDC federated credential
(client-id + tenant-id + subscription-id). Evergreen — no secret expiry.
@petersonjdNIH
Merge pull request #1115 from NIHGOV/fix-oidc-workflows
ab78cd0 
fix: switch ACI workflows to OIDC federated auth
@petersonjdNIH
fix: correct az container create flags
8f7c679
@petersonjdNIH
Merge pull request #1116 from NIHGOV/fix-oidc-workflows
2dc2f98 
Fix az container create command flags
@petersonjdNIH
fix: remove --tags from az container create (unsupported flag)
035d5a1
@petersonjdNIH
fix: restore --tags, move before --environment-variables to avoid CLI…
dcf874f 
… parse issue
@petersonjdNIH
Merge pull request #1117 from NIHGOV/fix-oidc-workflows
1f34729 
Fix --tags flag handling in az container create command
@petersonjdNIH
fix: remove --tags, not supported by az container create
d98a1ec
@petersonjdNIH
Merge pull request #1118 from NIHGOV/fix-oidc-workflows
af19fe7 
fix: remove --tags, not supported by az container create
@petersonjdNIH
feat: Terraform workflow and dev infra for log analytics workspace
f5cb0b7
@petersonjdNIH
Merge pull request #1121 from NIHGOV/fix-oidc-workflows
2a34e1d 
feat: Terraform workflow and dev infra for log analytics workspace
@petersonjdNIH
ci: migrate all workflows to OIDC; add prod ACR build; auto-deploy AC…
2427c1b 
…Is on image push

- staging_create_acr_image.yml: replace docker/login-action (user/pass) with
  azure/login OIDC + az acr login; add permissions block
- main_create_acr_image.yml: new workflow mirroring staging for main→prod ACR
- staging/main ACI workflows: remove schedule triggers; add workflow_run trigger
  so ACI redeploys on new image push; add success guard; replace
  DEV/PROD_REGISTRY_USER/PASS secrets with az acr credential show at runtime
- staging_nihdevgithubportal.yml + main_nihgithubportal.yml: replace
  publish-profile secrets with azure/login OIDC in deploy job
- PLAN.md: add GitHub Actions Secret Reduction section; record decisions

Secrets that can now be deleted:
  DEV_REGISTRY_USER, DEV_REGISTRY_PASS,
  PROD_REGISTRY_USER, PROD_REGISTRY_PASS,
  AZUREAPPSERVICE_PUBLISHPROFILE_34824FEBDA0F4C8CACF5CB97111CBFFB,
  AZUREAPPSERVICE_PUBLISHPROFILE_990190F22A5149AC859307273BAE196C
@petersonjdNIH
ci: delete unused container.yml workflow
384a0fe 
Was generating Problems tab noise; all its steps were commented out or
guarded to microsoft/opensource-management-portal only. Replaced by
staging_create_acr_image.yml and main_create_acr_image.yml.
@petersonjdNIH
ci: replace GH_SECRETS_PAT with az monitor lookup for Log Analytics c…
88d22e0 
…reds

ACI deploy workflows now query Log Analytics workspace ID and key directly
from Azure at deploy time via the existing OIDC session. No PAT required.
@petersonjdNIH
ci: auto-bootstrap Terraform backend storage on first run
818cc39
@petersonjdNIH
ci: use Entra ID auth for Terraform azurerm backend
e758c7b
@petersonjdNIH
ci: pass OIDC token endpoint vars to Terraform azurerm backend
5d84aea
@petersonjdNIH
ci: fix workflow parse error from invalid env context reference
66e61c9
@petersonjdNIH
ci: fix Log Analytics arg injection in ACI deploy workflows
206a8a0
@petersonjdNIH
feat: managed identity for Service Bus; prod Terraform; eliminate SER…
edba54d 
…VICEBUS_CONNECTIONSTRING

- servicebus.ts: accept fullyQualifiedNamespace (managed identity) or connectionString
- config/github.webhooks.json: map GITHUB_WEBHOOKS_SERVICEBUS_ENDPOINT to fullyQualifiedNamespace
- config/github.webhooks.types.ts: make connectionString optional, add fullyQualifiedNamespace
- firehose workflows: assign managed identity to ACI, use GITHUB_WEBHOOKS_SERVICEBUS_ENDPOINT
  instead of GITHUB_WEBHOOKS_SERVICEBUS_CONNECTIONSTRING; lookup identity at deploy time
- staging_terraform_dev.yml: pass DEV_SERVICEBUS_NAMESPACE var
- infra/terraform/dev: add user-assigned identity + Service Bus Data Receiver role assignment
- infra/terraform/prod/: new prod Terraform (mirrors dev)
- .github/workflows/main_terraform_prod.yml: new prod Terraform workflow
@petersonjdNIH
revert: restore non-workflow files on main; fix #service ESLint error
07a955e 
Reverts application/config/infra changes that should only live on staging:
- lib/queues/servicebus.ts (restored to pre-managed-identity version)
- config/github.webhooks.json + .types.ts
- infra/terraform/dev/ (managed identity additions)
- infra/terraform/prod/ (new prod Terraform)

Keeps:
- .github/workflows/ changes (intended for main)
- eslint.config.mjs migration (required by ESLint 10; .eslintrc.js removed)

Also fixes pre-existing ESLint error: #service private field was write-only
@purnesh-cit
Update SECURITY.md
995b456
@microsoft-github-policy-service

microsoft-github-policy-service Bot commented Jun 23, 2026

Copy link
Copy Markdown

@purnesh-cit please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"
Contributor License Agreement

Contribution License Agreement

This Contribution License Agreement (“Agreement”) is agreed to by the party signing below (“You”),
and conveys certain license rights to Microsoft Corporation and its affiliates (“Microsoft”) for Your
contributions to Microsoft open source projects. This Agreement is effective as of the latest signature
date below.

  1. Definitions.
    “Code” means the computer software code, whether in human-readable or machine-executable form,
    that is delivered by You to Microsoft under this Agreement.
    “Project” means any of the projects owned or managed by Microsoft and offered under a license
    approved by the Open Source Initiative (www.opensource.org).
    “Submit” is the act of uploading, submitting, transmitting, or distributing code or other content to any
    Project, including but not limited to communication on electronic mailing lists, source code control
    systems, and issue tracking systems that are managed by, or on behalf of, the Project for the purpose of
    discussing and improving that Project, but excluding communication that is conspicuously marked or
    otherwise designated in writing by You as “Not a Submission.”
    “Submission” means the Code and any other copyrightable material Submitted by You, including any
    associated comments and documentation.
  2. Your Submission. You must agree to the terms of this Agreement before making a Submission to any
    Project. This Agreement covers any and all Submissions that You, now or in the future (except as
    described in Section 4 below), Submit to any Project.
  3. Originality of Work. You represent that each of Your Submissions is entirely Your original work.
    Should You wish to Submit materials that are not Your original work, You may Submit them separately
    to the Project if You (a) retain all copyright and license information that was in the materials as You
    received them, (b) in the description accompanying Your Submission, include the phrase “Submission
    containing materials of a third party:” followed by the names of the third party and any licenses or other
    restrictions of which You are aware, and (c) follow any other instructions in the Project’s written
    guidelines concerning Submissions.
  4. Your Employer. References to “employer” in this Agreement include Your employer or anyone else
    for whom You are acting in making Your Submission, e.g. as a contractor, vendor, or agent. If Your
    Submission is made in the course of Your work for an employer or Your employer has intellectual
    property rights in Your Submission by contract or applicable law, You must secure permission from Your
    employer to make the Submission before signing this Agreement. In that case, the term “You” in this
    Agreement will refer to You and the employer collectively. If You change employers in the future and
    desire to Submit additional Submissions for the new employer, then You agree to sign a new Agreement
    and secure permission from the new employer before Submitting those Submissions.
  5. Licenses.
  • Copyright License. You grant Microsoft, and those who receive the Submission directly or
    indirectly from Microsoft, a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license in the
    Submission to reproduce, prepare derivative works of, publicly display, publicly perform, and distribute
    the Submission and such derivative works, and to sublicense any or all of the foregoing rights to third
    parties.
  • Patent License. You grant Microsoft, and those who receive the Submission directly or
    indirectly from Microsoft, a perpetual, worldwide, non-exclusive, royalty-free, irrevocable license under
    Your patent claims that are necessarily infringed by the Submission or the combination of the
    Submission with the Project to which it was Submitted to make, have made, use, offer to sell, sell and
    import or otherwise dispose of the Submission alone or with the Project.
  • Other Rights Reserved. Each party reserves all rights not expressly granted in this Agreement.
    No additional licenses or rights whatsoever (including, without limitation, any implied licenses) are
    granted by implication, exhaustion, estoppel or otherwise.
  1. Representations and Warranties. You represent that You are legally entitled to grant the above
    licenses. You represent that each of Your Submissions is entirely Your original work (except as You may
    have disclosed under Section 3). You represent that You have secured permission from Your employer to
    make the Submission in cases where Your Submission is made in the course of Your work for Your
    employer or Your employer has intellectual property rights in Your Submission by contract or applicable
    law. If You are signing this Agreement on behalf of Your employer, You represent and warrant that You
    have the necessary authority to bind the listed employer to the obligations contained in this Agreement.
    You are not expected to provide support for Your Submission, unless You choose to do so. UNLESS
    REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING, AND EXCEPT FOR THE WARRANTIES
    EXPRESSLY STATED IN SECTIONS 3, 4, AND 6, THE SUBMISSION PROVIDED UNDER THIS AGREEMENT IS
    PROVIDED WITHOUT WARRANTY OF ANY KIND, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTY OF
    NONINFRINGEMENT, MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
  2. Notice to Microsoft. You agree to notify Microsoft in writing of any facts or circumstances of which
    You later become aware that would make Your representations in this Agreement inaccurate in any
    respect.
  3. Information about Submissions. You agree that contributions to Projects and information about
    contributions may be maintained indefinitely and disclosed publicly, including Your name and other
    information that You submit with Your Submission.
  4. Governing Law/Jurisdiction. This Agreement is governed by the laws of the State of Washington, and
    the parties consent to exclusive jurisdiction and venue in the federal courts sitting in King County,
    Washington, unless no federal subject matter jurisdiction exists, in which case the parties consent to
    exclusive jurisdiction and venue in the Superior Court of King County, Washington. The parties waive all
    defenses of lack of personal jurisdiction and forum non-conveniens.
  5. Entire Agreement/Assignment. This Agreement is the entire agreement between the parties, and
    supersedes any and all prior agreements, understandings or communications, written or oral, between
    the parties relating to the subject matter hereof. This Agreement may be assigned by Microsoft.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@purnesh-cit @petersonjdNIH @DevOptimusPrime @garnertb @furniturewalatkNIH @colemanjrNIH