Skip to content

Commit

Permalink
Setup scorecard workflow and pin actions versions (#845)
Browse files Browse the repository at this point in the history
Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>
  • Loading branch information
mmorel-35 authored Dec 29, 2023
1 parent 873a74f commit c584d99
Show file tree
Hide file tree
Showing 6 changed files with 54 additions and 8 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,6 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: build and test
run: make docker_tests
run: make docker_tests
6 changes: 3 additions & 3 deletions .github/workflows/envoy-sync.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -22,22 +22,22 @@ jobs:
}}
steps:
- id: appauth
uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.1.83
uses: envoyproxy/toolshed/gh-actions/appauth@5ef04d5f8144dc3a1a8c05bd81b0ef267c0849f5 # actions-v0.1.83
with:
key: ${{ secrets.ENVOY_CI_UPDATE_BOT_KEY }}
app_id: ${{ secrets.ENVOY_CI_UPDATE_APP_ID }}

# Checkout the repo
- name: 'Checkout Repository'
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: main
fetch-depth: 0
token: ${{ steps.appauth.outputs.token }}

# Checkout the Envoy repo
- name: 'Checkout Repository'
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
repository: envoyproxy/envoy
ref: main
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/golangci-lint.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,9 +7,9 @@ jobs:
name: lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: golangci-lint
uses: golangci/golangci-lint-action@v3
uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
with:
version: latest
only-new-issues: true
Expand Down
45 changes: 45 additions & 0 deletions .github/workflows/scorecard.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
name: Scorecard supply-chain security
on:
branch_protection_rule:
schedule:
- cron: '33 13 * * 5'
push:
branches:
- "main"

permissions:
contents: read


jobs:
analysis:
name: Scorecard analysis
runs-on: ubuntu-22.04
permissions:
security-events: write
id-token: write

steps:
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with:
results_file: results.sarif
results_format: sarif
publish_results: true

- name: "Upload artifact"
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
with:
name: SARIF file
path: results.sarif
retention-days: 5

- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
with:
sarif_file: results.sarif
2 changes: 1 addition & 1 deletion .github/workflows/stale.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ jobs:

steps:
- name: Prune Stale
uses: actions/stale@v7
uses: actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b # v7.0.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
# Different amounts of days for issues/PRs are not currently supported but there is a PR
Expand Down
1 change: 1 addition & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
# control-plane

[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/envoyproxy/go-control-plane/badge)](https://api.securityscorecards.dev/projects/github.com/envoyproxy/go-control-plane)
![CI Status](https://github.com/envoyproxy/go-control-plane/actions/workflows/ci.yaml/badge.svg)
[![Go Report Card](https://goreportcard.com/badge/github.com/envoyproxy/go-control-plane)](https://goreportcard.com/report/github.com/envoyproxy/go-control-plane)
[![GoDoc](https://pkg.go.dev/badge/github.com/envoyproxy/go-control-plane.svg)](https://pkg.go.dev/github.com/envoyproxy/go-control-plane)
Expand Down

0 comments on commit c584d99

Please sign in to comment.