Mercurial > p > roundup > code

annotate .github/workflows/ossf-scorecard.yml @ 8506:b6c6891754e9

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
bug: fix mis-commit of perf tests and crash fix for setTranslation The commit included more than it should have. It included some memory dump code that is not part of production. Also removed WIP for fixing crash bug when translation unable to create .mo file - issue2551405
author John Rouillard <rouilj@ieee.org>
date Thu, 25 Dec 2025 12:14:53 -0500
parents 4a8a29825987
children 951db0950174
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
7125
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
1 # This workflow uses actions that are not certified by GitHub. They are provided
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
2 # by a third-party and are governed by separate terms of service, privacy
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
3 # policy, and support documentation.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
4
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
5 name: Scorecard supply-chain security
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
6 on:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
7 # For Branch-Protection check. Only the default branch is supported. See
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
8 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
9 branch_protection_rule:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
10 # To guarantee Maintained check is occasionally updated. See
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
11 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
12 schedule:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
13 - cron: '25 21 * * 5'
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
14 push:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
15 branches: [ "master" ]
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
16
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
17 # Declare default permissions as read only.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
18 permissions: read-all
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
19
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
20 jobs:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
21 analysis:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
22 name: Scorecard analysis
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
23 runs-on: ubuntu-latest
7194
8dc5b3739367 Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents: 7186
diff changeset
24
8dc5b3739367 Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents: 7186
diff changeset
25 if: "!contains(github.event.head_commit.message, 'no-github-ci')"
8dc5b3739367 Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents: 7186
diff changeset
26
7125
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
27 permissions:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
28 # Needed to upload the results to code-scanning dashboard.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
29 security-events: write
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
30 # Needed to publish results and get a badge (see publish_results below).
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
31 id-token: write
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
32 # Uncomment the permissions below if installing in a private repository.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
33 # contents: read
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
34 # actions: read
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
35
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
36 steps:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
37 - name: "Checkout code"
8489
4e0944649af7 chore: update actions/checkout from 6.0.0 to 6.1.1 pull74
John Rouillard <rouilj@ieee.org>
parents: 8479
diff changeset
38 uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
7125
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
39 with:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
40 persist-credentials: false
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
41
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
42 - name: "Run analysis"
8462
bfdafea40a59 build: upgrade https://github.com/roundup-tracker/roundup/pull/65.patch
John Rouillard <rouilj@ieee.org>
parents: 8425
diff changeset
43 uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v5.2.1
7125
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
44 with:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
45 results_file: results.sarif
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
46 results_format: sarif
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
47 # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
48 # - you want to enable the Branch-Protection check on a *public* repository, or
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
49 # - you are installing Scorecard on a *private* repository
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
50 # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
51 # repo_token: ${{ secrets.SCORECARD_TOKEN }}
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
52
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
53 # Public repositories:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
54 # - Publish results to OpenSSF REST API for easy access by consumers
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
55 # - Allows the repository to include the Scorecard badge.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
56 # - See https://github.com/ossf/scorecard-action#publishing-results.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
57 # For private repositories:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
58 # - `publish_results` will always be set to `false`, regardless
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
59 # of the value entered here.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
60 publish_results: true
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
61
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
62 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
63 # format to the repository Actions tab.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
64 - name: "Upload artifact"
8498
4a8a29825987 build: bump actions/upload-artifact from 5.0.0 to 6.0.0 (PR #77)
John Rouillard <rouilj@ieee.org>
parents: 8489
diff changeset
65 uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
7125
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
66 with:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
67 name: SARIF file
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
68 path: results.sarif
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
69 retention-days: 5
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
70
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
71 # Upload the results to GitHub's code scanning dashboard.
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
72 - name: "Upload to code-scanning"
8341
85198b53b999 chore: update githup action ses clauses to latest versions.
John Rouillard <rouilj@ieee.org>
parents: 7729
diff changeset
73 uses: github/codeql-action/upload-sarif@b1e4dc3db58c9601794e22a9f6d28d45461b9dbf # v2.22.0
7125
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
74 with:
264ddc581f4f add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
75 sarif_file: results.sarif
Roundup Issue Tracker: http://roundup-tracker.org/