Skip to content

Commit

Permalink
ci: add cid github actions workflow (#6)
Browse files Browse the repository at this point in the history
Co-authored-by: cid-workflow[bot] <142626371+cid-workflow[bot]@users.noreply.github.com>
  • Loading branch information
cid-workflow[bot] authored May 22, 2024
1 parent 5c7ce4c commit e46751a
Show file tree
Hide file tree
Showing 3 changed files with 640 additions and 0 deletions.
80 changes: 80 additions & 0 deletions .github/workflows/cid-ossf.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
# cid-workflow-version: 0.0.17

# This file is generated by the CID Workflow GitHub App.
# DO NOT EDIT!

# name
name: CID - OSSF Scorecard
on:
# For Branch-Protection check. Only the default branch is supported. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
branch_protection_rule:
# To guarantee Maintained check is occasionally updated. See
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
schedule:
- cron: '40 23 * * 5'
# Allow manual triggering of the workflow
workflow_dispatch:

# Read Permissions. See
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
# https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
permissions: read-all

# Cancel in progress jobs when a new run starts on the same ref
concurrency:
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
cancel-in-progress: true

jobs:
analysis:
name: OSSF Scorecard Analysis
runs-on: ubuntu-latest
permissions:
id-token: write # needed to publish results
actions: read # required in private repos
contents: read # required in private repos
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
disable-telemetry: true
disable-sudo: true
egress-policy: block
allowed-endpoints: >-
api.github.com:443
cdn01.quay.io:443
cdn02.quay.io:443
cdn03.quay.io:443
codeload.github.com:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
quay.io:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
uploads.github.com:443
api.osv.dev:443
www.bestpractices.dev:443
oss-fuzz-build-logs.storage.googleapis.com:443
rekor.sigstore.dev:443
fulcio.sigstore.dev:443
tuf-repo-cdn.sigstore.dev:443
api.securityscorecards.dev:443
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
persist-credentials: false
- name: OSSF Analysis
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with:
results_file: results.sarif
results_format: sarif
publish_results: true # publish results to OpenSSF REST API
- name: Upload Analysis Result
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: SARIF file
path: results.sarif
retention-days: 5
234 changes: 234 additions & 0 deletions .github/workflows/cid-pullrequest.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,234 @@
# cid-workflow-version: 0.0.17

# This file is generated by the CID Workflow GitHub App.
# DO NOT EDIT!

# name
name: CID - PullRequest

# triggers
on:
workflow_dispatch:
inputs:
loglevel:
description: Log level
required: true
default: info
type: choice
options:
- debug
- info
- warn
- error
pull_request:
branches:
- main
paths-ignore:
- README.md
- LICENSE
- .gitignore
- .editorconfig
- renovate.json

# permissions, see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions and https://docs.github.com/en/rest/overview/permissions-required-for-github-apps
permissions:
actions: read # detection of GitHub Actions environment
checks: none
contents: read
deployments: none
id-token: none
issues: none
packages: none
pages: none
pull-requests: none
repository-projects: none
security-events: none
statuses: none

# cancel in progress when a new run starts
concurrency:
group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
cancel-in-progress: true

env:
CID_WORKFLOW: main
CID_VERSION: latest
CID_LOGLEVEL: ${{ github.event.inputs.loglevel || 'info' }}
# allowed modes are 'block' and 'audit'. Using https://github.com/step-security/harden-runner to harden the runner.
EGRESS_POLICY: block
# allowed endpoints for egress traffic if egress-policy is set to 'block'.
EGRESS_POLICY_ALLOWED_ENDPOINTS: >-
api.github.com:443
cdn01.quay.io:443
cdn02.quay.io:443
cdn03.quay.io:443
codeload.github.com:443
github.com:443
objects.githubusercontent.com:443
proxy.golang.org:443
quay.io:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
uploads.github.com:443
EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD: ""
EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST: ""
EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN: >-
scanner.sonarcloud.io:443
semgrep.dev:443
sonarcloud.io:443
EGRESS_POLICY_ALLOWED_ENDPOINTS_PACKAGE: ""
EGRESS_POLICY_ALLOWED_ENDPOINTS_PUBLISH: >-
# jobs
jobs:
# info
info:
name: Info
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
timeout-minutes: 30
if: ${{ github.event.inputs.loglevel == 'debug' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
disable-telemetry: true
disable-sudo: true
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
fetch-depth: 0
- name: info
env:
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
run: |
echo "> project modules"
cid --log-level=${CID_LOGLEVEL:-info} module ls
echo "> catalog"
cid --log-level=${CID_LOGLEVEL:-info} catalog list
echo "> workflows"
cid --log-level=${CID_LOGLEVEL:-info} workflow ls
# build
build:
name: Build
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
permissions:
id-token: write # provenance signing
timeout-minutes: 30
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
disable-telemetry: true
disable-sudo: true
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_BUILD }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
fetch-depth: 0
- name: build
env:
CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
run: |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage build
- name: upload artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: build-${{ github.run_id }}
path: .dist
retention-days: 1
if-no-files-found: ignore

# test
test:
name: Test
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
timeout-minutes: 30
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
disable-telemetry: true
disable-sudo: true
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_TEST }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
fetch-depth: 0
- name: test
env:
CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
run: |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage test
- name: upload artifacts
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: test-${{ github.run_id }}
path: .dist
retention-days: 1
if-no-files-found: ignore
# scan
scan:
name: Scan
runs-on: ubuntu-22.04 # https://github.com/actions/runner-images
needs: [build, test]
permissions:
security-events: write
timeout-minutes: 30
steps:
- name: Harden Runner
uses: step-security/harden-runner@f086349bfa2bd1361f7909c78558e816508cdc10 # v2.8.0
with:
disable-telemetry: true
disable-sudo: true
egress-policy: ${{ env.EGRESS_POLICY }}
allowed-endpoints: ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS }} ${{ env.EGRESS_POLICY_ALLOWED_ENDPOINTS_SCAN }}
- name: prepare environment
uses: cidverse/ghact-cid-setup@31e7177a4d98b05a05b4671f70df0ed199bfb9a1 # v0.1.0
with:
version: ${{ env.CID_VERSION }}
- name: checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
fetch-depth: 0
- name: download artifacts > build
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: build-${{ github.run_id }}
path: .dist
continue-on-error: true
- name: download artifacts > test
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: test-${{ github.run_id }}
path: .dist
continue-on-error: true
- name: scan
env:
CID_WORKFLOW: ${{ env.CID_WORKFLOW }}
CID_LOGLEVEL: ${{ env.CID_LOGLEVEL }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
QODANA_TOKEN: ${{ secrets.QODANA_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_ORGANIZATION: ${{ secrets.SONAR_ORGANIZATION }}
run: |
cid --log-level=${CID_LOGLEVEL:-info} workflow run "$CID_WORKFLOW" --stage scan
Loading

0 comments on commit e46751a

Please sign in to comment.