diff --git a/.github/workflows/validate.yaml b/.github/workflows/validate.yaml
index 8040559..dcf6225 100644
--- a/.github/workflows/validate.yaml
+++ b/.github/workflows/validate.yaml
@@ -1,10 +1,9 @@
-name: Run validation checks
+name: Validate and Release
-on:
- push:
- pull_request:
- schedule:
- - cron: "0 0 1 * *"
+on: [push, pull_request]
+
+# Declare default permissions as read only.
+permissions: read-all
jobs:
validate:
@@ -18,7 +17,7 @@ jobs:
env:
SHELLCHECK_OPTS: -x
with:
- ignore: test
+ ignore_paths: test
- name: Conftest - tests.sh
uses: redhat-cop/github-actions/confbatstest@11f2ce27643eb7c76ac3623cb99d9b08be30d762 # v4
@@ -37,3 +36,52 @@ jobs:
cat tests_fail.log
exit 1
fi
+
+ - name: Tar and Generate hashes
+ shell: bash
+ id: hash
+ run: |
+ tar cvf bats-library.tar load.bash src/
+
+ echo "hashes=$(sha256sum bats-library.tar | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+ - name: Upload bats-library.tar
+ uses: actions/upload-artifact@v3
+ with:
+ name: bats-library.tar
+ path: bats-library.tar
+ if-no-files-found: error
+ retention-days: 5
+
+ outputs:
+ hashes: ${{ steps.hash.outputs.hashes }}
+
+ provenance:
+ needs: [validate]
+ if: startsWith(github.ref, 'refs/tags/')
+ permissions:
+ actions: read
+ id-token: write
+ contents: write
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ with:
+ base64-subjects: "${{ needs.validate.outputs.hashes }}"
+ upload-assets: true
+
+ release:
+ needs: [validate, provenance]
+ runs-on: ubuntu-latest
+ if: startsWith(github.ref, 'refs/tags/')
+ permissions:
+ contents: write
+ steps:
+ - name: Download bats-library.tar
+ uses: actions/download-artifact@v3
+ with:
+ name: bats-library.tar
+
+ - name: Upload assets to release
+ uses: softprops/action-gh-release@v0.1.15
+ with:
+ files: |
+ bats-library.tar
diff --git a/CODEOWNERS b/CODEOWNERS
new file mode 100644
index 0000000..69a16ed
--- /dev/null
+++ b/CODEOWNERS
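Review bot: Renaming the workflow to `Validate and Release` in this hunk breaks the status badge that the README.md hunk on this page keeps as context, because `https://github.com/redhat-cop/bats-library/workflows/Run%20validation%20checks/badge.svg` is resolved by workflow name and will render as "no status" once merged. Either keep the old `name:` or point the README at the file-name form `https://github.com/redhat-cop/bats-library/actions/workflows/validate.yaml/badge.svg`, which survives renames. The hunk also drops the monthly `schedule` trigger, so unchanged code is no longer re-checked against newer tooling; if that is intended, a one-line comment next to `on: [push, pull_request]` saying so would spare the next reader the question.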
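Review bot: The three third-party actions added in the last hunk are pinned by mutable tag (`actions/upload-artifact@v3`, `actions/download-artifact@v3`, `softprops/action-gh-release@v0.1.15`) while the existing `confbatstest@11f2ce27643eb7c76ac3623cb99d9b08be30d762 # v4` line in the same file pins a full commit SHA, and the `release` job grants `contents: write` to the last of them, so a retargeted tag would run with release-publishing rights. Pin them the way the file already does, e.g. `uses: softprops/action-gh-release@<commit-sha> # v0.1.15`, and let the digest pinning from `config:best-practices` keep them current; the renovate.json hunk on this page only exempts the SLSA generator, which is presumably referenced by tag on purpose. The hash step itself looks consistent with what `base64-subjects` takes (`sha256sum … | base64 -w0`). Note that the `validate` job this hunk extends begins above the hunk, and that `tar cvf` without `--sort=name --mtime=<fixed date> --owner=0 --group=0` produces a non-reproducible archive, which makes independent re-verification of the attested hash harder than it needs to be.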
@@ -0,0 +1,2 @@
+# https://github.com/orgs/redhat-cop/teams/bats-mergers
+* @redhat-cop/bats-mergers
\ No newline at end of file
diff --git a/OWNERS b/OWNERS
deleted file mode 100644
index 1521a35..0000000
--- a/OWNERS
+++ /dev/null
@@ -1,12 +0,0 @@
-# See the OWNERS docs at https://go.k8s.io/owners
-
-reviewers:
- - garethahealy
- - pabrahamsson
- - springdo
- - ckavili
-approvers:
- - garethahealy
- - pabrahamsson
- - springdo
- - ckavili
diff --git a/README.md b/README.md
index 1506f10..6af1930 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
![Run validation checks](https://github.com/redhat-cop/bats-library/workflows/Run%20validation%20checks/badge.svg)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/redhat-cop/bats-library/badge)](https://securityscorecards.dev/viewer/?uri=github.com/redhat-cop/bats-library)
# 🦇BATS Library 🦇
[Bash Automated Testing System](https://github.com/bats-core/bats-core) Library - a collection of `test_helper` functions and files
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..cd856d7
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,9 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest version is supported.
+
+## Reporting a Vulnerability
+
+For any issues or concerns, please contact: [@container-cop-core](https://github.com/orgs/redhat-cop/teams/container-cop-core)
\ No newline at end of file
diff --git a/renovate.json b/renovate.json
index 01ae43a..d84a1bb 100644
--- a/renovate.json
+++ b/renovate.json
@@ -3,5 +3,19 @@
"extends": [
"config:best-practices",
"schedule:earlyMondays"
+ ],
+ "packageRules": [
+ {
+ "matchDepTypes": [
+ "action"
+ ],
+ "matchPackageNames": [
+ "slsa-framework/slsa-github-generator"
+ ],
+ "matchUpdateTypes": [
+ "pinDigest"
+ ],
+ "enabled": false
+ }
]
}
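Review bot: The new `packageRules` entry in the renovate.json hunk disables `pinDigest` for `slsa-framework/slsa-github-generator` without recording why, and JSON leaves no room for a comment; Renovate's `packageRules` accept a `description` field for exactly this, e.g. `"description": "SLSA generator reusable workflow is referenced by tag, not digest"` (wording to be confirmed against the generator's own guidance). Without it, the next person reconciling the config with `config:best-practices` will read the exemption as an oversight and re-enable digest pinning. The `uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0` line in the validate.yaml hunk is then the one place in the repository where a tag reference is deliberate, which the description should say.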