From 48ad4b4f8d0ad07c96f16579e5e258dbfd2e9a5e Mon Sep 17 00:00:00 2001
From: Philipp Heuer <10275049+PhilippHeuer@users.noreply.github.com>
Date: Mon, 15 Apr 2024 21:13:07 +0200
Subject: [PATCH] chore: add security policy, add ossf badge, update ci workflows (#203)
* chore: add security policy, update ci workflows, add ossf badge
* chore: pin cid-setup action
---
 .github/workflows/ci.yml | 46 ----
 .github/workflows/cid-ossf.yml | 71 ++++++
 .github/workflows/cid-pullrequest.yml | 238 +++++++++++++++++++
 .github/workflows/cid.yml | 328 ++++++++++++++++++++++++++
 README.md | 2 +
 SECURITY.md | 27 +++
 6 files changed, 666 insertions(+), 46 deletions(-)
 delete mode 100644 .github/workflows/ci.yml
 create mode 100644 .github/workflows/cid-ossf.yml
 create mode 100644 .github/workflows/cid-pullrequest.yml
 create mode 100644 .github/workflows/cid.yml
 create mode 100644 SECURITY.md
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 790ba8b..0000000
--- a/.github/workflows/ci.yml
+++ /dev/null
@@ -1,46 +0,0 @@
-# name
-name: ci
-
-# triggers
-on:
- workflow_dispatch:
- push:
- branches:
- - main
- tags:
- - v*.*.*
- paths-ignore:
- - README.md
- - LICENSE
- - .github/**
- - .gitignore
- - .editorconfig
- - renovate.json
- pull_request:
- branches:
- - main
- paths-ignore:
- - README.md
- - LICENSE
- - .github/**
- - .gitignore
- - .editorconfig
- - renovate.json
-
-jobs:
- ci:
- uses: cidverse/catalog/.github/workflows/shared-ci.yml@main
- permissions:
- actions: read # read actions
- contents: write # create release
- packages: write # publish packages
- security-events: write # sarif reports
- pages: write # pages
- id-token: write # signing
- with:
- cid-workflow: main
- cid-version: latest
- secrets:
- SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
- SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/cid-ossf.yml b/.github/workflows/cid-ossf.yml
new file mode 100644
index 0000000..d1b2ea7
--- /dev/null
+++ b/.github/workflows/cid-ossf.yml
@@ -0,0 +1,71 @@ +# cid-workflow-version: 0.0.14 + +# This file is generated by the CID Workflow GitHub App. +# DO NOT EDIT! + +# name +name: OSSF Scorecard +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '40 23 * * 5' + push: + branches: [ 'main' ] + +# Read Permissions. See +# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions +# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps +permissions: read-all + +# Cancel in progress jobs when a new run starts on the same ref +concurrency: + group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: true + +jobs: + analysis: + name: OSSF Scorecard Analysis + runs-on: ubuntu-latest + permissions: + id-token: write # needed to publish results + actions: read # required in private repos + contents: read # required in private repos + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: >- + api.github.com:443 + github.com:443 + objects.githubusercontent.com:443 + raw.githubusercontent.com:443 + api.osv.dev:443 + codeload.github.com:443 + www.bestpractices.dev:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + fulcio.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + api.securityscorecards.dev:443 + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + - name: OSSF Analysis + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # 
v2.3.1 + with: + results_file: results.sarif + results_format: sarif + publish_results: true # publish results to OpenSSF REST API + - name: Upload Analysis Result + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 \ No newline at end of file diff --git a/.github/workflows/cid-pullrequest.yml b/.github/workflows/cid-pullrequest.yml new file mode 100644 index 0000000..0cf686d --- /dev/null +++ b/.github/workflows/cid-pullrequest.yml 
@@ -0,0 +1,238 @@ +# cid-workflow-version: 0.0.14 + +# This file is generated by the CID Workflow GitHub App. +# DO NOT EDIT! + +# name +name: cid-pullrequest + +# triggers +on: + workflow_dispatch: + inputs: + loglevel: + description: Log level + required: true + default: info + type: choice + options: + - debug + - info + - warn + - error + pull_request: + branches: + - main + paths-ignore: + - README.md + - LICENSE + - .github/** + - .gitignore + - .editorconfig + - renovate.json + +# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps +permissions: + actions: read # detection of GitHub Actions environment + checks: none + contents: read + deployments: none + id-token: none + issues: none + packages: none + pages: none + pull-requests: none + repository-projects: none + security-events: none + statuses: none + +# cancel in progress when a new run starts +concurrency: + group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: true + +env: + CID_WORKFLOW: main + CID_VERSION: latest + CID_LOGLEVEL: ${{ github.event.inputs.loglevel || 'info' }} + # allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner. + EGRESS_POLICY: block + # allowed endpoints for egress traffic if egress-policy is set to 'block'. 
+ EGRESS_POLICY_ALLOWED_ENDPOINTS: >- + api.github.com:443 + cdn01.quay.io:443 + cdn02.quay.io:443 + cdn03.quay.io:443 + downloads.gradle.org:443 + github.com:443 + jcenter.bintray.com:443 + kotlinlang.org:443 + objects.githubusercontent.com:443 + plugins-artifacts.gradle.org:443 + plugins.gradle.org:443 + quay.io:443 + raw.githubusercontent.com:443 + repo.maven.apache.org:443 + repo1.maven.org:443 + services.gradle.org:443 + uploads.github.com:443 + EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: "" + EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: "" + EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >- + scanner.sonarcloud.io:443 + semgrep.dev:443 + sonarcloud.io:443 + EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: "" + EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >- + maven.pkg.github.com + oss.sonatype.org:443 + s01.oss.sonatype.org:443 + +# jobs +jobs: + # info + info: + name: Info + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + timeout-minutes: 30 + if: ${{ github.event.inputs.loglevel == 'debug' }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: info + env: + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + run: | + echo "> project modules" + cid --log-level=${CID_LOGLEVEL:-info} module ls + echo "> catalog" + cid --log-level=${CID_LOGLEVEL:-info} catalog list + echo "> workflows" + cid --log-level=${CID_LOGLEVEL:-info} workflow ls + # build + build: + name: Build + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + permissions: + id-token: write # provenance signing + timeout-minutes: 30 
+ steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: build + env: + CID_WORKFLOW: ${{ env.CID_WORKFLOW }} + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + run: | + cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build + - name: upload artifacts + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: build-${{ github.run_id }} + path: .dist + retention-days: 1 + if-no-files-found: ignore + + # test + test: + name: Test + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + timeout-minutes: 30 + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: test + env: + CID_WORKFLOW: ${{ env.CID_WORKFLOW }} + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + run: | + cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test + - name: upload artifacts + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + 
name: test-${{ github.run_id }} + path: .dist + retention-days: 1 + if-no-files-found: ignore + # scan + scan: + name: Scan + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + needs: [build, test] + permissions: + security-events: write + timeout-minutes: 30 + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: download artifacts > build + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + with: + name: build-${{ github.run_id }} + path: .dist + continue-on-error: true + - name: download artifacts > test + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + with: + name: test-${{ github.run_id }} + path: .dist + continue-on-error: true + - name: scan + env: + CID_WORKFLOW: ${{ env.CID_WORKFLOW }} + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }} + run: | + cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage scan \ No newline at end of file diff --git a/.github/workflows/cid.yml b/.github/workflows/cid.yml new file mode 100644 index 0000000..f3b4860 --- /dev/null +++ b/.github/workflows/cid.yml 
@@ -0,0 +1,328 @@ +# cid-workflow-version: 0.0.14 + +# This file is generated by the CID Workflow GitHub App. +# DO NOT EDIT! + +# name +name: cid-main + +# triggers +on: + workflow_dispatch: + inputs: + loglevel: + description: Log level + required: true + default: info + type: choice + options: + - debug + - info + - warn + - error + push: + branches: + - main + tags: + - v*.*.* + paths-ignore: + - README.md + - LICENSE + - .github/** + - .gitignore + - .editorconfig + - renovate.json + +# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps +permissions: + actions: read # detection of GitHub Actions environment + checks: none + contents: read + deployments: none + id-token: none + issues: none + packages: none + pages: none + pull-requests: none + repository-projects: none + security-events: none + statuses: none + +# cancel in progress when a new run starts +concurrency: + group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' + cancel-in-progress: true + +env: + CID_WORKFLOW: main + CID_VERSION: latest + CID_LOGLEVEL: ${{ github.event.inputs.loglevel || 'info' }} + # allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner. + EGRESS_POLICY: block + # allowed endpoints for egress traffic if egress-policy is set to 'block'. 
+ EGRESS_POLICY_ALLOWED_ENDPOINTS: >- + api.github.com:443 + cdn01.quay.io:443 + cdn02.quay.io:443 + cdn03.quay.io:443 + downloads.gradle.org:443 + github.com:443 + jcenter.bintray.com:443 + kotlinlang.org:443 + objects.githubusercontent.com:443 + plugins-artifacts.gradle.org:443 + plugins.gradle.org:443 + quay.io:443 + raw.githubusercontent.com:443 + repo.maven.apache.org:443 + repo1.maven.org:443 + services.gradle.org:443 + uploads.github.com:443 + EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: "" + EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: "" + EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >- + scanner.sonarcloud.io:443 + semgrep.dev:443 + sonarcloud.io:443 + EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: "" + EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >- + maven.pkg.github.com + oss.sonatype.org:443 + s01.oss.sonatype.org:443 + +# jobs +jobs: + # info + info: + name: Info + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + timeout-minutes: 30 + if: ${{ github.event.inputs.loglevel == 'debug' }} + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: info + env: + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + run: | + echo "> project modules" + cid --log-level=${CID_LOGLEVEL:-info} module ls + echo "> catalog" + cid --log-level=${CID_LOGLEVEL:-info} catalog list + echo "> workflows" + cid --log-level=${CID_LOGLEVEL:-info} workflow ls + # build + build: + name: Build + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + permissions: + id-token: write # provenance signing + timeout-minutes: 30 
+ steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: build + env: + CID_WORKFLOW: ${{ env.CID_WORKFLOW }} + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + run: | + cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build + - name: upload artifacts + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: build-${{ github.run_id }} + path: .dist + retention-days: 1 + if-no-files-found: ignore + + # test + test: + name: Test + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + timeout-minutes: 30 + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: test + env: + CID_WORKFLOW: ${{ env.CID_WORKFLOW }} + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + run: | + cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test + - name: upload artifacts + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + 
name: test-${{ github.run_id }} + path: .dist + retention-days: 1 + if-no-files-found: ignore + # scan + scan: + name: Scan + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + needs: [build, test] + permissions: + security-events: write + timeout-minutes: 30 + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: download artifacts > build + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + with: + name: build-${{ github.run_id }} + path: .dist + continue-on-error: true + - name: download artifacts > test + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + with: + name: test-${{ github.run_id }} + path: .dist + continue-on-error: true + - name: scan + env: + CID_WORKFLOW: ${{ env.CID_WORKFLOW }} + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }} + SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }} + run: | + cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage scan + # package + package: + name: Package + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + needs: [build] + permissions: + id-token: write # provenance signing + timeout-minutes: 30 + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # 
v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: download artifacts > build + uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + with: + name: build-${{ github.run_id }} + path: .dist + continue-on-error: true + - name: package + env: + CID_WORKFLOW: ${{ env.CID_WORKFLOW }} + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + run: | + cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage package + - name: upload artifacts + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 + with: + name: package-${{ github.run_id }} + path: .dist + retention-days: 1 + if-no-files-found: ignore + # publish + publish: + name: Publish + runs-on: ubuntu-22.04 # https://github.com/actions/runner-images + needs: [package, scan] + permissions: + # create release + contents: write + # publish packages + packages: write + if: startsWith(github.ref, 'refs/pull/') == false + timeout-minutes: 30 + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + disable-sudo: true + egress-policy: ${{ env.EGRESS_POLICY }} + allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH }} + - name: prepare environment + uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 + with: + version: ${{ env.CID_VERSION }} + - name: checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + fetch-depth: 0 + - name: download artifacts > package 
+ uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 + with: + name: package-${{ github.run_id }} + path: .dist + continue-on-error: true + - name: publish + env: + CID_WORKFLOW: ${{ env.CID_WORKFLOW }} + CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + MAVEN_REPO_URL: ${{ secrets.MAVEN_REPO_URL }} + MAVEN_REPO_USERNAME: ${{ secrets.MAVEN_REPO_USERNAME }} + MAVEN_REPO_PASSWORD: ${{ secrets.MAVEN_REPO_PASSWORD }} + MAVEN_GPG_SIGN_PRIVATEKEY: ${{ secrets.MAVEN_GPG_SIGN_PRIVATEKEY }} + MAVEN_GPG_SIGN_PASSWORD: ${{ secrets.MAVEN_GPG_SIGN_PASSWORD }} + MAVEN_GPG_SIGN_KEYID: ${{ secrets.MAVEN_GPG_SIGN_KEYID }} + run: | + cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage publish \ No newline at end of file diff --git a/README.md b/README.md index 8e46ef0..534186a 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,8 @@ # *Events4J* [![Latest](https://img.shields.io/github/release/PhilippHeuer/events4j/all.svg?style=flate&label=latest)](https://search.maven.org/search?q=com.github.philippheuer.events4j) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/philippheuer/events4j/badge)](https://securityscorecards.dev/viewer/?uri=github.com/philippheuer/events4j) + [![Bugs](https://sonarcloud.io/api/project_badges/measure?project=github-com-133151090&metric=bugs)](https://sonarcloud.io/summary/overall?id=github-com-133151090) [![Code Smells](https://sonarcloud.io/api/project_badges/measure?project=github-com-133151090&metric=code_smells)](https://sonarcloud.io/summary/overall?id=github-com-133151090) [![Duplicated Lines (%)](https://sonarcloud.io/api/project_badges/measure?project=github-com-133151090&metric=duplicated_lines_density)](https://sonarcloud.io/summary/overall?id=github-com-133151090) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..7ab4e4e --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,27 @@
+# Security Policy
+
+## Supported Versions
+
+Please focus your analysis on the [latest](https://github.com/philippheuer/events4j/releases/latest) version of the library.
+
+If the project maintainers deem the issue to be particularly significant, a patch may be backported to some previous versions.
+
+
+## Reporting a Vulnerability
+
+Please privately report any vulnerabilities as a [Github Security Advisory](https://github.com/philippheuer/events4j/security/advisories/new).
+
+We will acknowledge the report within a week and begin investigating.
+
+### Disclosure
+
+Our vulnerability disclosure guidelines are similar to Google's [Project Zero rules](https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html).
+
+Once you report a vulnerability, we have 90 days to make a patch available for users.
+Once a patch is released, you may publicly disclose the vulnerability details after 30 more days (so users have time to upgrade).
+If we do not release a patch within this period, you can publicly disclose the details of the vulnerability without further delay.
+
+If the vulnerability is shown to be already exploited "in the wild," the 90-day period is replaced by a 10-day period.
+However, the 30 additional days before public disclosure still apply, if we are able to publish a patch within the period.
+
+Lastly, early disclosure is permitted only if mutually agreed upon by the issue reporter and the project maintainers.
\ No newline at end of file