Merged
6 changes: 6 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
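Review bot: only the `github-actions` ecosystem is configured, so the `aollivierre-sca==0.2.7` pin that `secret-scan.yml` installs with pip will never receive an update PR from Dependabot; add a `pip` entry (which needs a requirements file or `pyproject.toml` to read the pin from) or state in the workflow comment that the sca version is bumped by hand. The actions themselves are referenced by mutable major tags (`actions/checkout@v5`, `actions/setup-python@v6`); Dependabot can also keep full-length commit SHAs current, which is the stronger posture for a workflow that runs with `contents: write`.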
81 changes: 81 additions & 0 deletions .github/workflows/secret-scan.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
name: secret-scan

# Defense-in-depth secret scanning. SSOT (sca, distributed via PyPI) +
# independent backstop (gitleaks). Pattern changes happen in
# source-control-automation; cutting a release on tag push publishes a
# new wheel; consumers pin a version and bump deliberately.

on:
push:
branches: [ main, master ]
pull_request:
workflow_dispatch:

jobs:
sca-scan:
name: sca scan (single source of truth)
runs-on: [self-hosted, Linux]
steps:
- name: Checkout this repo
uses: actions/checkout@v5

- uses: actions/setup-python@v6
with:
python-version: "3.12"

- name: Install sca from PyPI
shell: bash
run: |
python -m pip install --upgrade pip
pip install aollivierre-sca==0.2.7

- name: Run sca scan against this repo
shell: bash
run: |
# exit codes:
# 0 = clean
# 1 = high-severity findings only (non-blocking; see threat model)
# 2 = critical findings -> fail the job
set +e
sca scan . --exclude tests --exclude __tests__ --exclude fixtures \
--exclude spec --exclude test_data --exclude test-data
rc=$?
if [ $rc -ge 2 ]; then
echo "::error::sca found critical secret findings"
exit 1
fi
echo "::notice::sca scan ok (exit=$rc; high-only is non-blocking)"
exit 0

gitleaks:
name: gitleaks (independent second opinion)
runs-on: [self-hosted, Linux]
steps:
- uses: actions/checkout@v5

- name: Install gitleaks
shell: bash
run: |
set -euo pipefail
VERSION=8.21.2
curl -fsSL "https://github.com/gitleaks/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \
-o gitleaks.tar.gz
tar -xzf gitleaks.tar.gz gitleaks
sudo mv gitleaks /usr/local/bin/gitleaks
gitleaks version

- name: Scan working tree
shell: bash
run: |
# --no-git: scan working tree only (sca scan above covered the
# committed state).
# --redact: never echo a secret value into CI logs.
# --verbose: show finding lines so triage is fast.
# --exit-code 1: any finding fails the job.
gitleaks detect \
--source . \
--no-banner \
--no-git \
--redact \
--verbose \
--exit-code 1
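Review bot: the gitleaks tarball is downloaded and executed with no integrity check; record the expected SHA-256 of `gitleaks_${VERSION}_linux_x64.tar.gz` next to `VERSION` and verify it with `sha256sum -c` before `tar -xzf`, otherwise a compromised download path puts an arbitrary binary under `/usr/local/bin` on the self-hosted runner. Second, `--no-git` together with the default shallow checkout means neither job looks at history, so a secret that was committed and later deleted is never found; if history coverage is intended, set `fetch-depth: 0` on the checkout and drop `--no-git`. The comment "sca scan above covered the committed state" is also inaccurate: the two jobs run in parallel and sca scans the same checked-out tree. Finally, `if [ $rc -ge 2 ]` reports any tool failure (a crash or a missing `sca` command) as "critical secret findings"; test `-eq 2` for findings and treat other non-zero codes as a tooling error with its own message.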
91 changes: 91 additions & 0 deletions .github/workflows/unicode-check.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
name: unicode-check

on:
push:
branches: [ main, master ]
pull_request:
workflow_dispatch:

# contents: write lets the auto-remediation step commit the ASCII-fixed
# files back to the branch. Pushes made with the default GITHUB_TOKEN do
# NOT re-trigger workflows, so the commit-back cannot loop.
permissions:
contents: write

jobs:
ascii-check:
name: ascii-only via URT (single source of truth)
# Self-hosted (served by the JIT broker; see RUNNER_BROKER.md). NOT a
# GitHub-hosted runner: a billing-blocked free tier fails GitHub-hosted
# jobs at the billing gate before runner-label matching.
runs-on: [self-hosted, Linux]
steps:
- name: Checkout this repo
uses: actions/checkout@v5
with:
# Check out the branch HEAD (not the PR merge ref) so the
# auto-remediation commit can be pushed back to it.
ref: ${{ github.head_ref || github.ref_name }}

- uses: actions/setup-python@v6
with:
python-version: "3.12"

- name: Clone URT outside workspace (avoids scanning the scanner)
shell: bash
run: |
# Use $RUNNER_TEMP (per-job dir) instead of /tmp/_urt (shared
# on a self-hosted runner host). Concurrent ephemeral runners
# otherwise collide with `destination path already exists`.
rm -rf "$RUNNER_TEMP/_urt"
git clone --depth 1 https://github.com/aollivierre/UnicodeReplacementTool "$RUNNER_TEMP/_urt"

- name: Remediate Unicode with URT (auto-fix in place)
shell: bash
run: |
# Fix mode (no --preview): rewrite any non-ASCII to ASCII.
# --no-backup: git history is the backup. Same pattern set as the
# verification pass below. Markdown is exempt (no *.md pattern).
python "$RUNNER_TEMP/_urt/unicode_replacer.py" \
--yes --no-backup \
. \
--recursive \
--pattern '*.py' '*.ps1' '*.psm1' '*.psd1' '*.toml' \
'*.yml' '*.yaml' '*.sh' '*.bat' '*.cmd'

- name: Commit and push remediation if anything changed
shell: bash
run: |
if [ -z "$(git status --porcelain)" ]; then
echo "unicode-check: already ASCII-clean; nothing to remediate."
exit 0
fi
echo "unicode-check: URT rewrote non-ASCII characters; committing the fix back."
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add -A
git commit -m "style: auto-remediate Unicode -> ASCII via URT"
# Push back to the originating branch. GITHUB_TOKEN pushes do NOT
# re-trigger workflows, so this commit-back is loop-safe.
git push origin "HEAD:${{ github.head_ref || github.ref_name }}"

- name: Verify ASCII-clean (gate)
shell: bash
run: |
set -o pipefail
python "$RUNNER_TEMP/_urt/unicode_replacer.py" \
--preview \
. \
--recursive \
--pattern '*.py' '*.ps1' '*.psm1' '*.psd1' '*.toml' \
'*.yml' '*.yaml' '*.sh' '*.bat' '*.cmd' \
| tee urt-preview.txt

# URT prints "Files with Unicode: <n>" in its summary. After the
# remediation step this should be 0; a non-zero count here means URT
# could not fully fix something -- fail the job so it gets eyes.
if grep -E "Files with Unicode: [1-9]" urt-preview.txt > /dev/null; then
echo "unicode-check: Unicode still present after remediation (unexpected)."
exit 1
fi
echo "unicode-check: ASCII-clean."
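Review bot: `git clone --depth 1 https://github.com/aollivierre/UnicodeReplacementTool` fetches whatever is currently at the external repo's HEAD and runs it inside a job that holds a `contents: write` token and then commits the tool's output straight back to the branch; pin the clone to a specific commit (clone, then `git checkout <sha>`, with the SHA recorded in the workflow) so an upstream change cannot silently alter what gets committed here. Separately, for a `pull_request` from a fork, `github.head_ref` names a branch in the fork, the `ref:` checkout resolves against the base repository, and the token is read-only in that case anyway, so the remediate-and-push steps cannot succeed; guard them with a same-repo condition such as `if: github.event.pull_request.head.repo.full_name == github.repository` and let forks fall through to the preview-only gate.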
Original file line number Diff line number Diff line change
Expand Up @@ -419,12 +419,12 @@ CreateAndRegisterScheduledTask @taskParams
# - **Example Use Case:** If you want a task to run every day at 9:00 AM, you would set the `StartTime` to `"09:00:00"`.

# ### Practical Differences:
# - **StartBoundary:** Controls when the task becomes eligible to run. Its a one-time setting that dictates when the task can first start, often used with non-recurring tasks or as a gate for when recurring tasks can start.
# - **StartTime:** Controls the exact time on a daily or weekly basis when the task should be executed. Its used for recurring tasks that need to start at the same time every day or on specific days of the week.
# - **StartBoundary:** Controls when the task becomes eligible to run. It[U+2019]s a one-time setting that dictates when the task can first start, often used with non-recurring tasks or as a gate for when recurring tasks can start.
# - **StartTime:** Controls the exact time on a daily or weekly basis when the task should be executed. It[U+2019]s used for recurring tasks that need to start at the same time every day or on specific days of the week.

# ### Example Scenario:
# If you want a task to start running every day at 9:00 AM but only start doing so from September 1, 2024, you would set:
# - `StartBoundary = "2024-09-01T00:00:00"` (the task wont run before this date).
# - `StartBoundary = "2024-09-01T00:00:00"` (the task won[U+2019]t run before this date).
# - `StartTime = "09:00:00"` (the task will run at 9:00 AM daily after September 1, 2024).

# ### Conclusion:
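Review bot: the auto-remediation replaced the U+2019 apostrophe with the literal marker `[U+2019]` (`It[U+2019]s`, `won[U+2019]t`), which reads worse than the character it removed; the ASCII equivalent is `'`. Add a mapping from U+2019 to `'` (and the matching curly double quotes to `"`) to the URT pattern set before this gate runs on `main`, otherwise every future auto-fix commit will bake these markers into help text, as the `CreateODSyncUtil.Task.test.ps1` hunks below already show.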
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# <#
# <#
# .SYNOPSIS
# This script performs the installation or uninstallation of an application(s).
# # LICENSE #
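Review bot: the `-` and `+` lines render identically, so the change is in bytes the diff viewer does not display (a byte-order mark or a line-ending change), and the same single first-line change repeats across most files in this PR; the commit message should say which byte was removed. If it is the UTF-8 BOM, keep in mind that Windows PowerShell 5.1 decodes a BOM-less `.ps1` with the system ANSI code page rather than UTF-8, which is harmless only while the files stay ASCII-only, which is exactly what the `unicode-check` gate enforces, so the two changes belong together.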
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
function Execute-MigrationToolkit {
function Execute-MigrationToolkit {
<#
.SYNOPSIS
Executes the Migration Toolkit.
Expand Down
Binary file modified DeviceMigration/Archive/test/secrets.test.psd1
Binary file not shown.
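Review bot: git renders `secrets.test.psd1` as binary, so this change cannot be reviewed in the diff and the `*.psd1` pattern URT was given will not have processed it the way it did the text files; a `.psd1` that git treats as binary usually means a UTF-16 encoding, so state in the PR what was changed. Given the file name, confirm it holds placeholder fixture values only; note that `Archive/test` is not in the sca `--exclude` list (`tests`, `__tests__`, `fixtures`, `spec`, `test_data`, `test-data`), so the scanner still covers it, which is the right default.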
4 changes: 2 additions & 2 deletions DeviceMigration/Archive/test2/CreateODSyncUtil.Task.test.ps1
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ Invoke-ModuleStarter @moduleStarterParams

# TaskPrincipalGroupId = "BUILTIN\Users" # Specify the user group under which the task will run.
# # Use this if you want the task to run under a specific group (e.g., "Administrators" or "Users").
# # Leave this as is if you dont need to specify a custom group and are using UseCurrentUser.
# # Leave this as is if you don[U+2019]t need to specify a custom group and are using UseCurrentUser.

# ### VBS Hidden Execution (Optional) ###
# HideWithVBS = $true # Set to `$true` if you want the task to run using a hidden VBScript (prevents a visible PowerShell window).
Expand Down Expand Up @@ -170,7 +170,7 @@ $NewScheduledTaskUtilityTaskParams = @{

TaskPrincipalGroupId = "BUILTIN\Users" # Specify the user group under which the task will run.
# Use this if you want the task to run under a specific group (e.g., "Administrators" or "Users").
# Leave this as is if you dont need to specify a custom group and are using UseCurrentUser.
# Leave this as is if you don[U+2019]t need to specify a custom group and are using UseCurrentUser.

### VBS Hidden Execution (Optional) ###
HideWithVBS = $true # Set to `$true` if you want the task to run using a hidden VBScript (prevents a visible PowerShell window).
Expand Down
2 changes: 1 addition & 1 deletion DeviceMigration/Archive/test2/Deploy-Application.test.ps1
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<#
<#
.SYNOPSIS

PSApppDeployToolkit - This script performs the installation or uninstallation of an application(s).
Expand Down
2 changes: 1 addition & 1 deletion DeviceMigration/Archive/test2/MigrationConfig.psd1
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
@{
@{

MigrationPath = "C:\ProgramData\AADMigration"
UseOneDriveKFM = $True
Expand Down
2 changes: 1 addition & 1 deletion DeviceMigration/Files/ODSyncUtil/Get-ODStatusFromDLL.ps1
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<#
<#
.Synopsis
Get OneDrive Status
.DESCRIPTION
Expand Down
2 changes: 1 addition & 1 deletion DeviceMigration/MigrationConfig.psd1
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
@{
@{

MigrationPath = "C:\ProgramData\AADMigration"
UseOneDriveKFM = $True
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<#
<#
.SYNOPSIS

PSApppDeployToolkit - This script performs the installation or uninstallation of an application(s).
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<#
<#
.SYNOPSIS

PSApppDeployToolkit - This script performs the installation or uninstallation of an application(s).
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<#
<#
.SYNOPSIS

PSApppDeployToolkit - This script performs the installation or uninstallation of an application(s).
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<#
<#
.SYNOPSIS

PSApppDeployToolkit - This script performs the installation or uninstallation of an application(s).
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<#
<#
.SYNOPSIS

PSAppDeployToolkit - Provides the ability to extend and customise the toolkit by adding your own functions that can be re-used.
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<#
<#
.SYNOPSIS

PSApppDeployToolkit - Displays a graphical console to browse the help for the App Deployment Toolkit functions.
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<#
<#
.SYNOPSIS

PSAppDeployToolkit - This script contains the PSADT core runtime and functions using by a Deploy-Application.ps1 script.
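Review bot: this hunk and the neighbouring ones whose synopsis reads "PSAppDeployToolkit" / "PSApppDeployToolkit" touch vendored toolkit files (the core runtime, the extensions file, the help console and the `Deploy-Application.ps1` copies); rewriting their first line means these copies no longer match the upstream release byte-for-byte, so the next toolkit upgrade will conflict on every one of them and a hash comparison against the upstream download no longer works. Consider excluding the vendored toolkit directory from URT's `--pattern` scope and keeping the ASCII gate on first-party scripts only.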
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<#
<#
.SYNOPSIS

PSApppDeployToolkit - This script performs the installation or uninstallation of an application(s).
Expand Down
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
<#
<#
.SYNOPSIS

PSApppDeployToolkit - This script performs the installation or uninstallation of an application(s).
Expand Down
5 changes: 5 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# IntuneDeviceMigration

Device state migration from Workgroup/ADJ/EHJ to EJ + Intune Managed

Part of the aollivierre tooling fleet.
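Review bot: the README does not mention the two CI gates this PR adds (`secret-scan`, `unicode-check`) or that both require a self-hosted Linux runner; `unicode-check.yml` refers readers to `RUNNER_BROKER.md`, which is not part of this PR, so either link it here or add it. A one-line note that Markdown is exempt from the ASCII gate while `*.ps1`, `*.psd1` and the other listed extensions are auto-rewritten would save contributors a surprise commit on their branch.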