Skip to content

Commit

Permalink
ci: update cid github actions workflow from 0.0.12 to 0.0.16
Browse files Browse the repository at this point in the history
  • Loading branch information
PhilippHeuer committed Apr 22, 2024
1 parent e431548 commit 8dba826
Show file tree
Hide file tree
Showing 4 changed files with 119 additions and 35 deletions.
79 changes: 79 additions & 0 deletions .github/workflows/cid-ossf.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
# cid-workflow-version: 0.0.16

# This file is generated by the CID Workflow GitHub App.
# DO NOT EDIT!

# name
name: OSSF Scorecard
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
# To guarantee Maintained check is occasionally updated. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: '40 23 * * 5'
push:
branches: [ 'main' ]

# Read Permissions. See
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
permissions: read-all

# Cancel in progress jobs when a new run starts on the same ref
concurrency:
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
cancel-in-progress: true

jobs:
analysis:
name: OSSF Scorecard Analysis
runs-on: ubuntu-latest
permissions:
id-token: write # needed to publish results
actions: read # required in private repos
contents: read # required in private repos
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >-
api.github.com:443
cdn01.quay.io:443
cdn02.quay.io:443
cdn03.quay.io:443
codeload.github.com:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
quay.io:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
uploads.github.com:443
api.osv.dev:443
www.bestpractices.dev:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
fulcio.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
api.securityscorecards.dev:443
- name: Checkout
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
persist-credentials: false
- name: OSSF Analysis
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with:
results_file: results.sarif
results_format: sarif
publish_results: true # publish results to OpenSSF REST API
- name: Upload Analysis Result
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: SARIF file
path: results.sarif
retention-days: 5
30 changes: 16 additions & 14 deletions .github/workflows/cid-pullrequest.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# cid-workflow-version: 0.0.12
# cid-workflow-version: 0.0.16

# This file is generated by the CID Workflow GitHub App.
# DO NOT EDIT!
Expand Down Expand Up @@ -63,12 +63,14 @@ env:
cdn01.quay.io:443
cdn02.quay.io:443
cdn03.quay.io:443
codeload.github.com:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
quay.io:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
uploads.github.com:443
EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: ""
EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: ""
Expand All @@ -95,11 +97,11 @@ jobs:
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@main
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
fetch-depth: 0
- name: info
Expand Down Expand Up @@ -127,11 +129,11 @@ jobs:
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@main
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
fetch-depth: 0
- name: build
Expand All @@ -141,13 +143,13 @@ jobs:
run: |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build
- name: upload artifacts
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: build-${{ github.run_id }}
path: .dist
retention-days: 1
if-no-files-found: ignore

# test
test:
name: Test
Expand All @@ -161,11 +163,11 @@ jobs:
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@main
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
fetch-depth: 0
- name: test
Expand All @@ -175,7 +177,7 @@ jobs:
run: |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test
- name: upload artifacts
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: test-${{ github.run_id }}
path: .dist
Expand All @@ -197,21 +199,21 @@ jobs:
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@main
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
fetch-depth: 0
- name: download artifacts > build
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
with:
name: build-${{ github.run_id }}
path: .dist
continue-on-error: true
- name: download artifacts > test
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
with:
name: test-${{ github.run_id }}
path: .dist
Expand Down
44 changes: 23 additions & 21 deletions .github/workflows/cid.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
# cid-workflow-version: 0.0.12
# cid-workflow-version: 0.0.16

# This file is generated by the CID Workflow GitHub App.
# DO NOT EDIT!
Expand Down Expand Up @@ -65,12 +65,14 @@ env:
cdn01.quay.io:443
cdn02.quay.io:443
cdn03.quay.io:443
codeload.github.com:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
quay.io:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
uploads.github.com:443
EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: ""
EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: ""
Expand All @@ -97,11 +99,11 @@ jobs:
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@main
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
fetch-depth: 0
- name: info
Expand Down Expand Up @@ -129,11 +131,11 @@ jobs:
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@main
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
fetch-depth: 0
- name: build
Expand All @@ -143,13 +145,13 @@ jobs:
run: |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build
- name: upload artifacts
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: build-${{ github.run_id }}
path: .dist
retention-days: 1
if-no-files-found: ignore

# test
test:
name: Test
Expand All @@ -163,11 +165,11 @@ jobs:
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@main
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
fetch-depth: 0
- name: test
Expand All @@ -177,7 +179,7 @@ jobs:
run: |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test
- name: upload artifacts
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: test-${{ github.run_id }}
path: .dist
Expand All @@ -199,21 +201,21 @@ jobs:
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@main
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
fetch-depth: 0
- name: download artifacts > build
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
with:
name: build-${{ github.run_id }}
path: .dist
continue-on-error: true
- name: download artifacts > test
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
with:
name: test-${{ github.run_id }}
path: .dist
Expand Down Expand Up @@ -245,15 +247,15 @@ jobs:
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@main
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
fetch-depth: 0
- name: download artifacts > build
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
with:
name: build-${{ github.run_id }}
path: .dist
Expand All @@ -265,7 +267,7 @@ jobs:
run: |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage package
- name: upload artifacts
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: package-${{ github.run_id }}
path: .dist
Expand All @@ -291,15 +293,15 @@ jobs:
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@main
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
with:
fetch-depth: 0
- name: download artifacts > package
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # v4.1.6
with:
name: package-${{ github.run_id }}
path: .dist
Expand Down
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@

[![Go Reference](https://pkg.go.dev/badge/github.com/cidverse/cid.svg)](https://pkg.go.dev/github.com/cidverse/cid)
[![Go Report Card](https://goreportcard.com/badge/github.com/cidverse/cid)](https://goreportcard.com/report/github.com/cidverse/cid)
[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/cidverse/cid/badge)](https://securityscorecards.dev/viewer/?uri=github.com/cidverse/cid)

Run your continuous integration and deployment workflows in a platform-agnostic way!

Expand Down

0 comments on commit 8dba826

Please sign in to comment.