added prov generation for releases and scorecard cleanup

redhat-cop · Nov 28, 2023 · b962f74 · b962f74
1 parent 9244f4f
commit b962f74
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 19 deletions.
diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
@@ -1,10 +1,9 @@
-name: Run validation checks
+name: Validate and Release
 
-on:
-  push:
-  pull_request:
-  schedule:
-    - cron: "0 0 1 * *"
+on: [push, pull_request]
+
+# Declare default permissions as read only.
+permissions: read-all
 
 jobs:
   validate:
@@ -18,7 +17,7 @@ jobs:
         env:
           SHELLCHECK_OPTS: -x
         with:
-          ignore: test
+          ignore_paths: test
 
       - name: Conftest - tests.sh
         uses: redhat-cop/github-actions/confbatstest@11f2ce27643eb7c76ac3623cb99d9b08be30d762 # v4
@@ -37,3 +36,52 @@ jobs:
             cat tests_fail.log
             exit 1
           fi
+
+      - name: Tar and Generate hashes
+        shell: bash
+        id: hash
+        run: |
+          tar cvf bats-library.tar load.bash src/
+          
+          echo "hashes=$(sha256sum bats-library.tar | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+      - name: Upload bats-library.tar
+        uses: actions/upload-artifact@v3
+        with:
+          name: bats-library.tar
+          path: bats-library.tar
+          if-no-files-found: error
+          retention-days: 5
+
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+
+  provenance:
+    needs: [validate]
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.validate.outputs.hashes }}"
+      upload-assets: true
+
+  release:
+    needs: [validate, provenance]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    permissions:
+      contents: write
+    steps:
+      - name: Download bats-library.tar
+        uses: actions/download-artifact@v3
+        with:
+          name: bats-library.tar
+
+      - name: Upload assets to release
+        uses: softprops/[email protected]
+        with:
+          files: |
+            bats-library.tar
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1,2 @@
+# https://github.com/orgs/redhat-cop/teams/bats-mergers
+* @redhat-cop/bats-mergers
diff --git a/OWNERS b/OWNERS
diff --git a/README.md b/README.md
@@ -1,4 +1,5 @@
 ![Run validation checks](https://github.com/redhat-cop/bats-library/workflows/Run%20validation%20checks/badge.svg)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/redhat-cop/bats-library/badge)](https://securityscorecards.dev/viewer/?uri=github.com/redhat-cop/bats-library)
 
 # 🦇BATS Library 🦇
 [Bash Automated Testing System](https://github.com/bats-core/bats-core) Library - a collection of `test_helper` functions and files 

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest version is supported.
+
+## Reporting a Vulnerability
+
+For any issues or concerns, please contact: [@container-cop-core](https://github.com/orgs/redhat-cop/teams/container-cop-core)
diff --git a/renovate.json b/renovate.json
@@ -3,5 +3,19 @@
   "extends": [
     "config:best-practices",
     "schedule:earlyMondays"
+  ],
+  "packageRules": [
+    {
+      "matchDepTypes": [
+        "action"
+      ],
+      "matchPackageNames": [
+        "slsa-framework/slsa-github-generator"
+      ],
+      "matchUpdateTypes": [
+        "pinDigest"
+      ],
+      "enabled": false
+    }
   ]
 }