From f814431eead3bda309ffd70876582aa500cb1be1 Mon Sep 17 00:00:00 2001 From: Christian Oliff Date: Thu, 11 Sep 2025 01:31:34 +0900 Subject: [PATCH] Add OSSF Scorecard security workflow (#3287) This also pins move GitHub Actions so our initial score will be higher. --- .github/workflows/dependency-review.yml | 2 +- .github/workflows/ossf-scorecard.yml | 43 +++++++++++++++++++++++++ .github/workflows/publish.yml | 4 +-- .github/workflows/push-to-template.yml | 2 ++ .github/workflows/test.yml | 2 +- 5 files changed, 49 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/ossf-scorecard.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 11c29b0a..ae74203f 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -14,4 +14,4 @@ jobs: persist-credentials: false - name: "Dependency Review" - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3 diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml new file mode 100644 index 00000000..6e5eea4a --- /dev/null +++ b/.github/workflows/ossf-scorecard.yml @@ -0,0 +1,43 @@ +name: Scorecard supply-chain security +on: + branch_protection_rule: + schedule: + - cron: '27 12 * * 2' + push: + branches: [ "main" ] + +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' + permissions: + security-events: write + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: "Upload artifact" + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.30.1 + with: + sarif_file: results.sarif diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 92a995b8..d3ea892d 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -27,7 +27,7 @@ jobs: run: zip -r ../html5-boilerplate_${{ steps.get_version.outputs.VERSION }}.zip ./ - name: Create Release id: create_release - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -37,7 +37,7 @@ jobs: prerelease: false - name: Upload Release Asset id: upload-release-asset - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/push-to-template.yml b/.github/workflows/push-to-template.yml index d6ae230f..0ebe2723 100644 --- a/.github/workflows/push-to-template.yml +++ b/.github/workflows/push-to-template.yml @@ -22,6 +22,8 @@ jobs: restore-keys: | ${{ runner.os }}-node- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Node.js uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ebb29f49..689ec0c2 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -26,7 +26,7 @@ jobs: id: npm-cache run: | echo "dir=$(npm config get cache)" >> "$GITHUB_OUTPUT" - - uses: actions/cache@v3 + - uses: actions/cache@2f8e54208210a422b2efd51efaa6bd6d7ca8920f # v3.4.3 with: path: ${{ steps.npm-cache.outputs.dir }} key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}