Skip to content

Commit

Permalink
Merge branch 'main' into beginnerchecks
Browse files Browse the repository at this point in the history
  • Loading branch information
spencerschrock authored Nov 29, 2023
2 parents cfa1a9a + 0e7e58a commit 06ff816
Show file tree
Hide file tree
Showing 257 changed files with 6,692 additions and 2,423 deletions.
10 changes: 3 additions & 7 deletions .github/CODEOWNERS
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,8 @@
# the repo. Unless a later match takes precedence,
# the following users/teams will be requested for
# review when someone opens a pull request.
# TODO(owners): For ease of management, this should eventually shift to a
# defined GitHub team instead of individual usernames
* @azeemshaikh38 @justaugustus @laurentsimon @naveensrinivasan @spencerschrock @raghavkaul
* @ossf/scorecard-maintainers

# Docs
# TODO(owners): For ease of management, this should eventually shift to a
# defined GitHub team instead of individual usernames
*.md @olivekl
/docs/ @olivekl
*.md @ossf/scorecard-doc-maintainers
/docs/ @ossf/scorecard-doc-maintainers
11 changes: 10 additions & 1 deletion .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,10 +19,19 @@ updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"
interval: "weekly"
rebase-strategy: disabled
commit-message:
prefix: ":seedling:"
groups:
github-actions:
patterns:
- "*"
# These actions directly influence the build process and are excluded from grouped updates
exclude-patterns:
- "actions/setup-go"
- "arduino/setup-protoc"
- "goreleaser/goreleaser-action"
- package-ecosystem: docker
directory: "/"
schedule:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@ jobs:

steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/depsreview.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,4 +24,4 @@ jobs:
- name: 'Checkout Repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: 'Dependency Review'
uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034
uses: actions/dependency-review-action@7bbfa034e752445ea40215fff1c3bf9597993d3f # v3.1.3
4 changes: 2 additions & 2 deletions .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ jobs:
fetch-depth: 2 # needed to diff changed files
- id: files
name: Get changed files
uses: tj-actions/changed-files@95690f9ece77c1740f4a55b7f1de9023ed6b1f87 #v39.2.3
uses: tj-actions/changed-files@25ef3926d147cd02fc7e931c1ef50772bbb0d25d #v40.1.1
with:
files_ignore: '**.md'
- id: docs_only_check
Expand Down Expand Up @@ -70,7 +70,7 @@ jobs:
steps:
- name: Harden Runner
if: (needs.docs_only_check.outputs.docs_only != 'true')
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/gitlab.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:
environment: gitlab
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/goreleaser.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -86,7 +86,7 @@ jobs:
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/[email protected].0
uses: slsa-framework/slsa-verifier/actions/[email protected].1

- name: Download assets
env:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/integration.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand All @@ -44,7 +44,7 @@ jobs:
needs: [approve]
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/lint.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:
name: check-linter
runs-on: ubuntu-latest
steps:
- uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
- uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
Expand Down
18 changes: 9 additions & 9 deletions .github/workflows/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down Expand Up @@ -95,7 +95,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -143,7 +143,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Clone the code
Expand Down Expand Up @@ -172,7 +172,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -221,7 +221,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Cache builds
Expand Down Expand Up @@ -260,7 +260,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -303,7 +303,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Install Protoc
Expand Down Expand Up @@ -349,7 +349,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down Expand Up @@ -384,7 +384,7 @@ jobs:
contents: read
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/publishimage.yml
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@ jobs:
COSIGN_EXPERIMENTAL: "true"
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

Expand All @@ -61,7 +61,7 @@ jobs:
make install
make scorecard-ko
- name: Install Cosign
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
- name: Sign image
run: |
cosign sign --yes ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }}
110 changes: 110 additions & 0 deletions .github/workflows/scdiff.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
name: scdiff PR evaluation
on:
issue_comment:
types: [created]

permissions: read-all

env:
GO_VERSION: 1.21

jobs:
share-link:
if: ${{ (github.event.issue.pull_request) && (contains(github.event.comment.body, '/scdiff generate')) }}
runs-on: [ubuntu-latest]
permissions:
pull-requests: write # to create the PR comment
steps:
- name: share link to workflow run
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `[Here's a link to the scdiff run](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`
})
golden-test:
if: ${{ (github.event.issue.pull_request) && (contains(github.event.comment.body, '/scdiff generate')) }}
runs-on: [ubuntu-latest]
steps:
- name: create file of repos to anlayze
run: |
cat <<EOF > $HOME/repos.txt
https://github.com/airbnb/lottie-web
https://github.com/apache/tomcat
https://github.com/Azure/azure-functions-dotnet-worker
https://github.com/cncf/xds
https://github.com/google/go-cmp
https://github.com/google/highwayhash
https://github.com/googleapis/google-api-php-client
https://github.com/jacoco/jacoco
https://github.com/ossf/scorecard
https://github.com/pallets/jinja
https://github.com/polymer/polymer
https://github.com/rust-random/getrandom
https://github.com/yaml/libyaml
https://gitlab.com/baserow/baserow
https://gitlab.com/cryptsetup/cryptsetup
EOF
- name: configure scdiff
id: config
env:
COMMENT_BODY: ${{ github.event.comment.body }}
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const allowedAssociations = ["COLLABORATOR", "CONTRIBUTOR", "MEMBER", "OWNER"];
authorAssociation = '${{ github.event.comment.author_association }}'
if (!allowedAssociations.includes(authorAssociation)) {
core.setFailed("You don't have access to run scdiff");
}
const response = await github.rest.pulls.get({
owner: context.repo.owner,
repo: context.repo.repo,
pull_number: context.issue.number,
})
core.setOutput('base', response.data.base.sha)
core.setOutput('head', response.data.head.sha)
checks = '""'
const commentBody = process.env.COMMENT_BODY
const regex = /\/scdiff generate ([^ ]+)/;
const found = commentBody.match(regex);
if (found && found.length == 2) {
checks = found[1]
}
core.exportVariable('SCORECARD_CHECKS', checks)
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ steps.config.outputs.base }}
- name: Setup Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- name: generate before results
env:
GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
GITLAB_AUTH_TOKEN: ${{ secrets.GITLAB_TOKEN }}
run: |
go run cmd/internal/scdiff/main.go generate \
--repos $HOME/repos.txt \
--checks $SCORECARD_CHECKS > $HOME/before.json
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: ${{ steps.config.outputs.head }}
- name: generate after results
env:
GITHUB_AUTH_TOKEN: ${{ secrets.GH_AUTH_TOKEN }}
GITLAB_AUTH_TOKEN: ${{ secrets.GITLAB_TOKEN }}
run: |
go run cmd/internal/scdiff/main.go generate \
--repos $HOME/repos.txt \
--checks $SCORECARD_CHECKS > $HOME/after.json
- name: compare results
run: |
go run cmd/internal/scdiff/main.go compare $HOME/before.json $HOME/after.json
2 changes: 1 addition & 1 deletion .github/workflows/scorecard-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: "Run analysis"
uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with:
results_file: results.sarif
results_format: sarif
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/slsa-goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ jobs:
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/[email protected].0
uses: slsa-framework/slsa-verifier/actions/[email protected].1

- name: Download the artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
Expand Down
7 changes: 3 additions & 4 deletions .github/workflows/stale.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,18 +27,17 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v3.0.18
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
stale-issue-message: 'This issue is stale because it has been open for 60 days with no activity.'
stale-pr-message: 'Stale pull request message'
stale-issue-label: 'no-issue-activity'
stale-pr-message: 'This pull request is stale because it has been open for 10 days with no activity'
exempt-issue-labels: 'priority,bug,good first issue'
stale-pr-label: 'no-pr-activity'
exempt-issue-milestones: 'Structured results'
exempt-pr-labels: 'awaiting-approval,work-in-progress'
days-before-pr-stale: '10'
days-before-pr-close: '20'
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/verify.yml
Original file line number Diff line number Diff line change
Expand Up @@ -26,12 +26,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v1
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: Verifier action
id: verifier
uses: kubernetes-sigs/kubebuilder-release-tools@d8367c29de8af903319d3a76de2436672515729b # v0.4.0
uses: kubernetes-sigs/kubebuilder-release-tools@3c3411345eedc489d1022288aa844691e92a9c29 # v0.4.2
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
Loading

0 comments on commit 06ff816

Please sign in to comment.