From 031e50310e83920227fea7cc513ce7dce6f4dcee Mon Sep 17 00:00:00 2001 From: Emre Can Vural Date: Tue, 4 Feb 2025 17:17:05 +0300 Subject: [PATCH] feat: Add security-gates and update README (#413) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add security-gates workflow and update README * Add security-gates workflow and update README * Add security-gates workflow and update README * Update scorecard.yml --------- Co-authored-by: Oğuzhan Soykan --- .github/workflows/build.yml | 8 +++++ .github/workflows/scorecard.yml | 63 +++++++++++++++++++++++++++++++++ README.md | 2 ++ 3 files changed, 73 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 84c92cf..23638e0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -37,3 +37,11 @@ jobs: verbose: true token: ${{ secrets.CODECOV_TOKEN }} if: github.ref == 'refs/heads/main' + + + security-gates: + uses: Trendyol/security-actions/.github/workflows/security-gates.yml@master + permissions: + actions: read + contents: read + security-events: write diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..a5d48b5 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,63 @@ + +name: Scorecard supply-chain security + +on: + branch_protection_rule: + schedule: + - cron: '29 23 * * 3' + push: + branches: [ "main", "master"] + pull_request: + branches: ["main", "master"] + +permissions: read-all + +jobs: + visibility-check: + outputs: + visibility: ${{ steps.drv.outputs.visibility }} + runs-on: ubuntu-latest + steps: + - name: Determine repository visibility + id: drv + run: | + visibility=$(gh api /repos/$GITHUB_REPOSITORY --jq '.visibility') + echo "visibility=$visibility" >> $GITHUB_OUTPUT + env: + GH_TOKEN: ${{ github.token }} + + analysis: + if: ${{ needs.visibility-check.outputs.visibility == 'public' }} + needs: visibility-check + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: "Upload artifact" + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5 + with: + sarif_file: results.sarif + + diff --git a/README.md b/README.md index a60738a..ad146fe 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ + +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/Trendyol/kediatR/badge)](https://scorecard.dev/viewer/?uri=github.com/Trendyol/kediatR) # kediatR [![codecov](https://codecov.io/gh/trendyol/kediatr/branch/main/graph/badge.svg)](https://codecov.io/gh/trendyol/kediatr) Humus! The kediatr mascot