-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci: add cid github actions workflow (#6)
Co-authored-by: cid-workflow[bot] <142626371+cid-workflow[bot]@users.noreply.github.com>
- Loading branch information
1 parent
5c7ce4c
commit e46751a
Showing
3 changed files
with
640 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
# cid-workflow-version: 0.0.17 | ||
|
||
# This file is generated by the CID Workflow GitHub App. | ||
# DO NOT EDIT! | ||
|
||
# name | ||
name: CID - OSSF Scorecard | ||
on: | ||
# For Branch-Protection check. Only the default branch is supported. See | ||
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection | ||
branch_protection_rule: | ||
# To guarantee Maintained check is occasionally updated. See | ||
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained | ||
schedule: | ||
- cron: '40 23 * * 5' | ||
# Allow manual triggering of the workflow | ||
workflow_dispatch: | ||
|
||
# Read Permissions. See | ||
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions | ||
# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps | ||
permissions: read-all | ||
|
||
# Cancel in progress jobs when a new run starts on the same ref | ||
concurrency: | ||
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' | ||
cancel-in-progress: true | ||
|
||
jobs: | ||
analysis: | ||
name: OSSF Scorecard Analysis | ||
runs-on: ubuntu-latest | ||
permissions: | ||
id-token: write # needed to publish results | ||
actions: read # required in private repos | ||
contents: read # required in private repos | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | ||
with: | ||
disable-telemetry: true | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: >- | ||
api.github.com:443 | ||
cdn01.quay.io:443 | ||
cdn02.quay.io:443 | ||
cdn03.quay.io:443 | ||
codeload.github.com:443 | ||
github.com:443 | ||
objects.githubusercontent.com:443 | ||
proxy.golang.org:443 | ||
quay.io:443 | ||
raw.githubusercontent.com:443 | ||
storage.googleapis.com:443 | ||
sum.golang.org:443 | ||
uploads.github.com:443 | ||
api.osv.dev:443 | ||
www.bestpractices.dev:443 | ||
oss-fuzz-build-logs.storage.googleapis.com:443 | ||
rekor.sigstore.dev:443 | ||
fulcio.sigstore.dev:443 | ||
tuf-repo-cdn.sigstore.dev:443 | ||
api.securityscorecards.dev:443 | ||
- name: Checkout | ||
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | ||
with: | ||
persist-credentials: false | ||
- name: OSSF Analysis | ||
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 | ||
with: | ||
results_file: results.sarif | ||
results_format: sarif | ||
publish_results: true # publish results to OpenSSF REST API | ||
- name: Upload Analysis Result | ||
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | ||
with: | ||
name: SARIF file | ||
path: results.sarif | ||
retention-days: 5 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,234 @@ | ||
# cid-workflow-version: 0.0.17 | ||
|
||
# This file is generated by the CID Workflow GitHub App. | ||
# DO NOT EDIT! | ||
|
||
# name | ||
name: CID - PullRequest | ||
|
||
# triggers | ||
on: | ||
workflow_dispatch: | ||
inputs: | ||
loglevel: | ||
description: Log level | ||
required: true | ||
default: info | ||
type: choice | ||
options: | ||
- debug | ||
- info | ||
- warn | ||
- error | ||
pull_request: | ||
branches: | ||
- main | ||
paths-ignore: | ||
- README.md | ||
- LICENSE | ||
- .gitignore | ||
- .editorconfig | ||
- renovate.json | ||
|
||
# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps | ||
permissions: | ||
actions: read # detection of GitHub Actions environment | ||
checks: none | ||
contents: read | ||
deployments: none | ||
id-token: none | ||
issues: none | ||
packages: none | ||
pages: none | ||
pull-requests: none | ||
repository-projects: none | ||
security-events: none | ||
statuses: none | ||
|
||
# cancel in progress when a new run starts | ||
concurrency: | ||
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}' | ||
cancel-in-progress: true | ||
|
||
env: | ||
CID_WORKFLOW: main | ||
CID_VERSION: latest | ||
CID_LOGLEVEL: ${{ github.event.inputs.loglevel || 'info' }} | ||
# allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner. | ||
EGRESS_POLICY: block | ||
# allowed endpoints for egress traffic if egress-policy is set to 'block'. | ||
EGRESS_POLICY_ALLOWED_ENDPOINTS: >- | ||
api.github.com:443 | ||
cdn01.quay.io:443 | ||
cdn02.quay.io:443 | ||
cdn03.quay.io:443 | ||
codeload.github.com:443 | ||
github.com:443 | ||
objects.githubusercontent.com:443 | ||
proxy.golang.org:443 | ||
quay.io:443 | ||
raw.githubusercontent.com:443 | ||
storage.googleapis.com:443 | ||
sum.golang.org:443 | ||
uploads.github.com:443 | ||
EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: "" | ||
EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: "" | ||
EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >- | ||
scanner.sonarcloud.io:443 | ||
semgrep.dev:443 | ||
sonarcloud.io:443 | ||
EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: "" | ||
EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >- | ||
# jobs | ||
jobs: | ||
# info | ||
info: | ||
name: Info | ||
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images | ||
timeout-minutes: 30 | ||
if: ${{ github.event.inputs.loglevel == 'debug' }} | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | ||
with: | ||
disable-telemetry: true | ||
disable-sudo: true | ||
egress-policy: ${{ env.EGRESS_POLICY }} | ||
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} | ||
- name: prepare environment | ||
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 | ||
with: | ||
version: ${{ env.CID_VERSION }} | ||
- name: checkout | ||
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | ||
with: | ||
fetch-depth: 0 | ||
- name: info | ||
env: | ||
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} | ||
run: | | ||
echo "> project modules" | ||
cid --log-level=${CID_LOGLEVEL:-info} module ls | ||
echo "> catalog" | ||
cid --log-level=${CID_LOGLEVEL:-info} catalog list | ||
echo "> workflows" | ||
cid --log-level=${CID_LOGLEVEL:-info} workflow ls | ||
# build | ||
build: | ||
name: Build | ||
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images | ||
permissions: | ||
id-token: write # provenance signing | ||
timeout-minutes: 30 | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | ||
with: | ||
disable-telemetry: true | ||
disable-sudo: true | ||
egress-policy: ${{ env.EGRESS_POLICY }} | ||
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }} | ||
- name: prepare environment | ||
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 | ||
with: | ||
version: ${{ env.CID_VERSION }} | ||
- name: checkout | ||
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | ||
with: | ||
fetch-depth: 0 | ||
- name: build | ||
env: | ||
CID_WORKFLOW: ${{ env.CID_WORKFLOW }} | ||
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} | ||
run: | | ||
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build | ||
- name: upload artifacts | ||
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | ||
with: | ||
name: build-${{ github.run_id }} | ||
path: .dist | ||
retention-days: 1 | ||
if-no-files-found: ignore | ||
|
||
# test | ||
test: | ||
name: Test | ||
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images | ||
timeout-minutes: 30 | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | ||
with: | ||
disable-telemetry: true | ||
disable-sudo: true | ||
egress-policy: ${{ env.EGRESS_POLICY }} | ||
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }} | ||
- name: prepare environment | ||
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 | ||
with: | ||
version: ${{ env.CID_VERSION }} | ||
- name: checkout | ||
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | ||
with: | ||
fetch-depth: 0 | ||
- name: test | ||
env: | ||
CID_WORKFLOW: ${{ env.CID_WORKFLOW }} | ||
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} | ||
run: | | ||
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test | ||
- name: upload artifacts | ||
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | ||
with: | ||
name: test-${{ github.run_id }} | ||
path: .dist | ||
retention-days: 1 | ||
if-no-files-found: ignore | ||
# scan | ||
scan: | ||
name: Scan | ||
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images | ||
needs: [build, test] | ||
permissions: | ||
security-events: write | ||
timeout-minutes: 30 | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0 | ||
with: | ||
disable-telemetry: true | ||
disable-sudo: true | ||
egress-policy: ${{ env.EGRESS_POLICY }} | ||
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }} | ||
- name: prepare environment | ||
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0 | ||
with: | ||
version: ${{ env.CID_VERSION }} | ||
- name: checkout | ||
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 | ||
with: | ||
fetch-depth: 0 | ||
- name: download artifacts > build | ||
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | ||
with: | ||
name: build-${{ github.run_id }} | ||
path: .dist | ||
continue-on-error: true | ||
- name: download artifacts > test | ||
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | ||
with: | ||
name: test-${{ github.run_id }} | ||
path: .dist | ||
continue-on-error: true | ||
- name: scan | ||
env: | ||
CID_WORKFLOW: ${{ env.CID_WORKFLOW }} | ||
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }} | ||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }} | ||
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }} | ||
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | ||
SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }} | ||
run: | | ||
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage scan |
Oops, something went wrong.