Mercurial > p > roundup > code

annotate .github/workflows/ossf-scorecard.yml @ 7752:b2dbab2b34bc

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
fix(refactor): multiple fixups using ruff linter; more testing. Converting to using the ruff linter and its rulesets. Fixed a number of issues. admin.py: sort imports use immutable tuples as default value markers for parameters where a None value is valid. reduced some loops to list comprehensions for performance used ternary to simplify some if statements named some variables to make them less magic (e.g. _default_savepoint_setting = 1000) fixed some tests for argument counts < 2 becomes != 2 so 3 is an error. moved exception handlers outside of loops for performance where exception handler will abort loop anyway. renamed variables called 'id' or 'dir' as they shadow builtin commands. fix translations of form _("string %s" % value) -> _("string %s") % value so translation will be looked up with the key before substitution. end dicts, tuples with a trailing comma to reduce missing comma errors if modified simplified sorted(list(self.setting.keys())) to sorted(self.setting.keys()) as sorted consumes whole list. in if conditions put compared variable on left and threshold condition on right. (no yoda conditions) multiple noqa: suppression removed unneeded noqa as lint rulesets are a bit different do_get - refactor output printing logic: Use fast return if not special formatting is requested; use isinstance with a tuple rather than two isinstance calls; cleaned up flow and removed comments on algorithm as it can be easily read from the code. do_filter, do_find - refactor output printing logic. Reduce duplicate code. do_find - renamed variable 'value' that was set inside a loop. The loop index variable was also named 'value'. do_pragma - added hint to use list subcommand if setting was not found. Replaced condition 'type(x) is bool' with 'isinstance(x, bool)' for various types. test_admin.py added testing for do_list better test coverage for do_get includes: -S and -d for multilinks, error case for -d with non-link. better testing for do_find including all output modes better testing for do_filter including all output modes fixed expected output for do_pragma that now includes hint to use pragma list if setting not found.
author John Rouillard <rouilj@ieee.org>
date Fri, 01 Mar 2024 14:53:18 -0500
parents edd93fa4a5ec
children 85198b53b999
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
7125
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
1 # This workflow uses actions that are not certified by GitHub. They are provided
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
2 # by a third-party and are governed by separate terms of service, privacy
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
3 # policy, and support documentation.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
4
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
5 name: Scorecard supply-chain security
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
6 on:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
7 # For Branch-Protection check. Only the default branch is supported. See
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
8 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
9 branch_protection_rule:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
10 # To guarantee Maintained check is occasionally updated. See
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
11 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
12 schedule:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
13 - cron: '25 21 * * 5'
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
14 push:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
15 branches: [ "master" ]
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
16
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
17 # Declare default permissions as read only.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
18 permissions: read-all
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
19
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
20 jobs:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
21 analysis:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
22 name: Scorecard analysis
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
23 runs-on: ubuntu-latest
7194
8dc5b3739367 Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents: 7186
diff changeset
24
8dc5b3739367 Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents: 7186
diff changeset
25 if: "!contains(github.event.head_commit.message, 'no-github-ci')"
8dc5b3739367 Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents: 7186
diff changeset
26
7125
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
27 permissions:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
28 # Needed to upload the results to code-scanning dashboard.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
29 security-events: write
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
30 # Needed to publish results and get a badge (see publish_results below).
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
31 id-token: write
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
32 # Uncomment the permissions below if installing in a private repository.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
33 # contents: read
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
34 # actions: read
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
35
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
36 steps:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
37 - name: "Checkout code"
7729
edd93fa4a5ec chore: update actions in gihub workflows.
John Rouillard <rouilj@ieee.org>
parents: 7657
diff changeset
38 uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
7125
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
39 with:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
40 persist-credentials: false
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
41
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
42 - name: "Run analysis"
7729
edd93fa4a5ec chore: update actions in gihub workflows.
John Rouillard <rouilj@ieee.org>
parents: 7657
diff changeset
43 uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.10
7125
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
44 with:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
45 results_file: results.sarif
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
46 results_format: sarif
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
47 # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
48 # - you want to enable the Branch-Protection check on a *public* repository, or
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
49 # - you are installing Scorecard on a *private* repository
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
50 # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
51 # repo_token: ${{ secrets.SCORECARD_TOKEN }}
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
52
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
53 # Public repositories:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
54 # - Publish results to OpenSSF REST API for easy access by consumers
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
55 # - Allows the repository to include the Scorecard badge.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
56 # - See https://github.com/ossf/scorecard-action#publishing-results.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
57 # For private repositories:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
58 # - `publish_results` will always be set to `false`, regardless
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
59 # of the value entered here.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
60 publish_results: true
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
61
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
62 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
63 # format to the repository Actions tab.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
64 - name: "Upload artifact"
7729
edd93fa4a5ec chore: update actions in gihub workflows.
John Rouillard <rouilj@ieee.org>
parents: 7657
diff changeset
65 uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
7125
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
66 with:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
67 name: SARIF file
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
68 path: results.sarif
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
69 retention-days: 5
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
70
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
71 # Upload the results to GitHub's code scanning dashboard.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
72 - name: "Upload to code-scanning"
7729
edd93fa4a5ec chore: update actions in gihub workflows.
John Rouillard <rouilj@ieee.org>
parents: 7657
diff changeset
73 uses: github/codeql-action/upload-sarif@65c74964a9ed8c44ed9f19d4bbc5757a6a8e9ab9 # v2.16.1
7125
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
74 with:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
75 sarif_file: results.sarif
Roundup Issue Tracker: http://roundup-tracker.org/