
feat: add scorecards analysis workflow #105

Merged
merged 3 commits into from
May 17, 2022
Conversation

behnazh
Collaborator

@behnazh behnazh commented Jan 18, 2022

This PR adds the Scorecards security Actions workflow, which analyzes the repo for various supply-chain security issues.

Closes #32

@behnazh behnazh marked this pull request as draft January 18, 2022 20:53
@behnazh behnazh added the labels "ci" (Improvements or additions to CI checks) and "security" (Security related features or bugs) Jan 18, 2022
@behnazh
Collaborator Author

behnazh commented Jan 18, 2022

@jenstroeger note the existing alerts, which probably need to be addressed before moving on 😉

Owner

@jenstroeger jenstroeger left a comment

Oh this is exciting, and interesting issues that Scorecard finds!

[…] which probably need to be addressed before moving on 😉

Hehehe very much yes.

The YAML configuration file isn’t reformatted though, is it? (See also PR #91.)

@behnazh
Collaborator Author

behnazh commented Jan 18, 2022

The YAML configuration file isn’t reformatted though, is it? (See also PR #91.)

Ah, I thought the linting pre-commit hooks had already been merged, but I was wrong. Well, I will wait for #91 to be merged and then lint based on the latest hooks.

@jenstroeger
Owner

jenstroeger commented Feb 24, 2022

@behnazh perhaps we should merge PR #133 into this branch?

And perhaps I should pay more attention: then I would have noticed that the YAML already exists as part of this PR 🤦🏻‍♂️

@behnazh
Collaborator Author

behnazh commented Mar 22, 2022

TODO: change the general permissions for GitHub Actions to Read repository contents permission in the repo. Once this PR is ready, the workflows should not need write permissions by default.
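As an added illustration of the least-privilege pattern described in the comment above (this is example configuration, not the workflow file from this PR): the workflow-level default is read-only, and only the analysis job requests the write scopes its upload steps need. The branch name, cron schedule and action versions are assumptions; in practice the action references should be pinned to commit SHAs.

```yaml
name: Scorecards supply-chain security

on:
  # Re-run whenever the protected branch changes, plus a weekly scan.
  push:
    branches: [ staging ]      # assumption: the repo's default branch
  schedule:
    - cron: '30 1 * * 6'        # assumption: any weekly slot works
  workflow_dispatch:

# Workflow-wide default: every job starts with a read-only GITHUB_TOKEN.
permissions: read-all

jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      # Only the scopes this job actually needs on top of read-all.
      security-events: write   # upload SARIF results to code scanning
      id-token: write          # OIDC token used when publishing results
      contents: read
      actions: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v3   # assumption: pin to a commit SHA instead of a tag
        with:
          persist-credentials: false  # keep the token out of .git/config

      - name: Run Scorecards analysis
        uses: ossf/scorecard-action@v1.1.1   # assumption: pin to a commit SHA
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v2   # assumption: pin to a commit SHA
        with:
          sarif_file: results.sarif
```

With the repository's default workflow permission also set to read-only, any job that silently relies on a writable token fails visibly instead of running with more access than it needs.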

Owner

@jenstroeger jenstroeger left a comment

Looking forward to the final PR 🤓

jobs:
  pr:
    permissions:
      contents: read # for actions/checkout to fetch code
Duplicating line 15?

@behnazh behnazh force-pushed the add-scorecard branch 4 times, most recently from 33f4e12 to ecf457a May 12, 2022 22:07
@behnazh
Collaborator Author

behnazh commented May 12, 2022

The Scorecard badge is not available yet. We will add it later when they publish it.

@behnazh behnazh marked this pull request as ready for review May 12, 2022 22:11
Owner

@jenstroeger jenstroeger left a comment

Looks good to me, although the Windows checks still fail.

Review threads on .github/workflows/check-and-release-main.yaml (resolved) and .github/workflows/scorecards-analysis.yaml (outdated, resolved).
@jenstroeger
Owner

@behnazh, I merged PR #194 into staging. Let’s hope that after you rebase this PR the Action on Windows runners works again… 🤞🏼

@behnazh
Collaborator Author

behnazh commented May 17, 2022

@behnazh, I merged PR #194 into staging. Let’s hope that after you rebase this PR the Action on Windows runners works again… 🤞🏼

Looks like we are good to go!

@jenstroeger
Owner

Hooray! Merge?

@behnazh
Collaborator Author

behnazh commented May 17, 2022

Hooray! Merge?

Sure 👍

@jenstroeger jenstroeger merged commit b72d1ae into staging May 17, 2022
@behnazh behnazh deleted the add-scorecard branch August 4, 2022 21:21