Mercurial > p > roundup > code
annotate .github/workflows/ossf-scorecard.yml @ 7194:8dc5b3739367
Prevent github actions from running if commit includes 'no-github-ci'
I'm geting tired of cancelling the github actions while trying to get
travis-ci working.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Mon, 27 Feb 2023 01:36:09 -0500 |
| parents | fcf7e210a0f9 |
| children | a81f3750a14a |
| rev | line source |
|---|---|
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
1 # This workflow uses actions that are not certified by GitHub. They are provided |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
2 # by a third-party and are governed by separate terms of service, privacy |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
3 # policy, and support documentation. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
4 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
5 name: Scorecard supply-chain security |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
6 on: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
7 # For Branch-Protection check. Only the default branch is supported. See |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
8 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
9 branch_protection_rule: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
10 # To guarantee Maintained check is occasionally updated. See |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
11 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
12 schedule: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
13 - cron: '25 21 * * 5' |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
14 push: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
15 branches: [ "master" ] |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
16 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
17 # Declare default permissions as read only. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
18 permissions: read-all |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
19 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
20 jobs: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
21 analysis: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
22 name: Scorecard analysis |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
23 runs-on: ubuntu-latest |
|
7194
8dc5b3739367
Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents:
7186
diff
changeset
|
24 |
|
8dc5b3739367
Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents:
7186
diff
changeset
|
25 if: "!contains(github.event.head_commit.message, 'no-github-ci')" |
|
8dc5b3739367
Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents:
7186
diff
changeset
|
26 |
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
27 permissions: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
28 # Needed to upload the results to code-scanning dashboard. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
29 security-events: write |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
30 # Needed to publish results and get a badge (see publish_results below). |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
31 id-token: write |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
32 # Uncomment the permissions below if installing in a private repository. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
33 # contents: read |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
34 # actions: read |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
35 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
36 steps: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
37 - name: "Checkout code" |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
38 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
39 with: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
40 persist-credentials: false |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
41 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
42 - name: "Run analysis" |
|
7143
1be1eedbf593
dependabot upgrade scorecard-action:2.06->2.1.2; upload-artifact:3.1.0 3.1.2
John Rouillard <rouilj@ieee.org>
parents:
7125
diff
changeset
|
43 uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 |
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
44 with: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
45 results_file: results.sarif |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
46 results_format: sarif |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
47 # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
48 # - you want to enable the Branch-Protection check on a *public* repository, or |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
49 # - you are installing Scorecard on a *private* repository |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
50 # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
51 # repo_token: ${{ secrets.SCORECARD_TOKEN }} |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
52 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
53 # Public repositories: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
54 # - Publish results to OpenSSF REST API for easy access by consumers |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
55 # - Allows the repository to include the Scorecard badge. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
56 # - See https://github.com/ossf/scorecard-action#publishing-results. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
57 # For private repositories: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
58 # - `publish_results` will always be set to `false`, regardless |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
59 # of the value entered here. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
60 publish_results: true |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
61 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
62 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
63 # format to the repository Actions tab. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
64 - name: "Upload artifact" |
|
7143
1be1eedbf593
dependabot upgrade scorecard-action:2.06->2.1.2; upload-artifact:3.1.0 3.1.2
John Rouillard <rouilj@ieee.org>
parents:
7125
diff
changeset
|
65 uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 |
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
66 with: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
67 name: SARIF file |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
68 path: results.sarif |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
69 retention-days: 5 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
70 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
71 # Upload the results to GitHub's code scanning dashboard. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
72 - name: "Upload to code-scanning" |
|
7186
fcf7e210a0f9
upgrade codeql-actions to 2.2.5. https://github.com/roundup-tracker/roundup/pull/6
John Rouillard <rouilj@ieee.org>
parents:
7143
diff
changeset
|
73 uses: github/codeql-action/upload-sarif@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2.1.27 |
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
74 with: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
75 sarif_file: results.sarif |