Mercurial > p > roundup > code
annotate .github/workflows/ossf-scorecard.yml @ 7178:db06d4aeb978
unshadow stdlib token from roundup's token.
This bites me every now and again when running pytest and pdb. Some
submodules want to load the stdlib python and end up getting roundup's
python and thing break with N_TOKENS not defined etc.
So rename token.py to token_r.py (token_r(oundup)... hey naming things
is hard) an change code as needed.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sun, 26 Feb 2023 12:00:35 -0500 |
| parents | 1be1eedbf593 |
| children | fcf7e210a0f9 |
| rev | line source |
|---|---|
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
1 # This workflow uses actions that are not certified by GitHub. They are provided |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
2 # by a third-party and are governed by separate terms of service, privacy |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
3 # policy, and support documentation. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
4 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
5 name: Scorecard supply-chain security |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
6 on: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
7 # For Branch-Protection check. Only the default branch is supported. See |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
8 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
9 branch_protection_rule: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
10 # To guarantee Maintained check is occasionally updated. See |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
11 # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
12 schedule: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
13 - cron: '25 21 * * 5' |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
14 push: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
15 branches: [ "master" ] |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
16 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
17 # Declare default permissions as read only. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
18 permissions: read-all |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
19 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
20 jobs: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
21 analysis: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
22 name: Scorecard analysis |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
23 runs-on: ubuntu-latest |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
24 permissions: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
25 # Needed to upload the results to code-scanning dashboard. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
26 security-events: write |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
27 # Needed to publish results and get a badge (see publish_results below). |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
28 id-token: write |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
29 # Uncomment the permissions below if installing in a private repository. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
30 # contents: read |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
31 # actions: read |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
32 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
33 steps: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
34 - name: "Checkout code" |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
35 uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
36 with: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
37 persist-credentials: false |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
38 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
39 - name: "Run analysis" |
|
7143
1be1eedbf593
dependabot upgrade scorecard-action:2.06->2.1.2; upload-artifact:3.1.0 3.1.2
John Rouillard <rouilj@ieee.org>
parents:
7125
diff
changeset
|
40 uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 |
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
41 with: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
42 results_file: results.sarif |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
43 results_format: sarif |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
44 # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
45 # - you want to enable the Branch-Protection check on a *public* repository, or |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
46 # - you are installing Scorecard on a *private* repository |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
47 # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
48 # repo_token: ${{ secrets.SCORECARD_TOKEN }} |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
49 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
50 # Public repositories: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
51 # - Publish results to OpenSSF REST API for easy access by consumers |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
52 # - Allows the repository to include the Scorecard badge. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
53 # - See https://github.com/ossf/scorecard-action#publishing-results. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
54 # For private repositories: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
55 # - `publish_results` will always be set to `false`, regardless |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
56 # of the value entered here. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
57 publish_results: true |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
58 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
59 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
60 # format to the repository Actions tab. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
61 - name: "Upload artifact" |
|
7143
1be1eedbf593
dependabot upgrade scorecard-action:2.06->2.1.2; upload-artifact:3.1.0 3.1.2
John Rouillard <rouilj@ieee.org>
parents:
7125
diff
changeset
|
62 uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 |
|
7125
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
63 with: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
64 name: SARIF file |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
65 path: results.sarif |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
66 retention-days: 5 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
67 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
68 # Upload the results to GitHub's code scanning dashboard. |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
69 - name: "Upload to code-scanning" |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
70 uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27 |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
71 with: |
|
264ddc581f4f
add ossf-scorecard security evaluation
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
72 sarif_file: results.sarif |