From 423b0aa6df803c65e54a3f37cfc53c952c41ba00 Mon Sep 17 00:00:00 2001
From: Matthieu MOREL
Date: Thu, 29 Aug 2024 09:08:04 +0000
Subject: [PATCH] Setup scorecard workflow
Signed-off-by: Matthieu MOREL
---
 .github/actions/retest-action/Dockerfile | 2 +-
 .github/workflows/commands.yml | 2 +-
 .github/workflows/release.yaml | 12 +++----
 .github/workflows/scorecard.yml | 40 ++++++++++++++++++++++++
 .github/workflows/test.yaml | 23 ++++++++------
 README.md | 1 +
 6 files changed, 62 insertions(+), 18 deletions(-)
 create mode 100644 .github/workflows/scorecard.yml
diff --git a/.github/actions/retest-action/Dockerfile b/.github/actions/retest-action/Dockerfile
index 8efd99bb8..9689dd882 100644
--- a/.github/actions/retest-action/Dockerfile
+++ b/.github/actions/retest-action/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.20
+FROM alpine:3.20@sha256:0a4eaa0eecf5f8c050e5bba433f58c052be7587ee8af3e8b3910ef9ab5fbe9f5
 RUN apk add --no-cache curl jq
diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml
index c306e0bd5..4bfcef1fb 100644
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Re-Test Action uses: ./.github/actions/retest-action
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index db8d8315b..2784560ea 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -14,10 +14,10 @@ jobs:
 goarch: [amd64, arm, arm64, mips64le, ppc64le, riscv64, s390x] steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod
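Review bot: The digest pin on the FROM line is what Scorecard's Pinned-Dependencies check looks for, but the `RUN apk add --no-cache curl jq` context line directly below it is still an unpinned package install, which the same check reports for Dockerfiles; pin both packages, `RUN apk add --no-cache curl=<CURL_VERSION> jq=<JQ_VERSION>`, with the versions taken from the alpine:3.20 package index. Pinning the base image by digest also means Alpine security fixes reach this action only when the digest is bumped, so a Dependabot or Renovate docker configuration should accompany this change; none is visible in this commit. The hunk does not show the rest of the Dockerfile.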
@@ -50,7 +50,7 @@ jobs:
 run: sha512sum cni-plugins-linux-${{ matrix.goarch }}-${{ github.ref_name }}.tgz | tee cni-plugins-linux-${{ matrix.goarch }}-${{ github.ref_name }}.tgz.sha512 - name: Upload binaries to release - uses: svenstaro/upload-release-action@v2 + uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2 with: repo_token: ${{ secrets.GITHUB_TOKEN }} file: ./dist/*
@@ -69,10 +69,10 @@ jobs:
 run: sudo apt-get install dos2unix - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod
@@ -105,7 +105,7 @@ jobs:
 run: sha512sum cni-plugins-windows-${{ matrix.goarch }}-${{ github.ref_name }}.tgz | tee cni-plugins-windows-${{ matrix.goarch }}-${{ github.ref_name }}.tgz.sha512 - name: Upload binaries to release - uses: svenstaro/upload-release-action@v2 + uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2 with: repo_token: ${{ secrets.GITHUB_TOKEN }} file: ./dist/*
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 000000000..628a596f7
--- /dev/null
+++ b/.github/workflows/scorecard.yml
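Review bot: The `# v2` comment on the svenstaro/upload-release-action pin, here and in the hunk at -105, names a floating major tag rather than the release the SHA 04733e06… actually resolves to, so a reader cannot tell which version was reviewed and updaters that read the comment may not track it; write the exact tag, `uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v<EXACT_TAG>`, matching the `# v4.1.7` / `# v5.0.2` style used elsewhere in this commit. These jobs upload with `repo_token: ${{ secrets.GITHUB_TOKEN }}`, which needs `contents: write`; the commit adds job-level permissions to test.yaml but none appear in release.yaml's hunks, so if a top-level `permissions:` block exists outside them it should grant that scope explicitly instead of relying on the repository default. The enclosing jobs start outside these hunks.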
@@ -0,0 +1,40 @@
+name: Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: 29 15 * * 0
+permissions: read-all
+jobs:
+ analysis:
+ name: Scorecard analysis
+ permissions:
+ id-token: write
+ security-events: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+
+ - name: Run analysis
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: Upload to code-scanning
+ uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index f7ea94256..497bb3b97 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -9,18 +9,21 @@ env:
 jobs: lint: + permissions: + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: Lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: setup go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod - - uses: ibiqlik/action-yamllint@v3 + - uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1 with: format: auto - - uses: golangci/golangci-lint-action@v6 + - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 with: version: v1.61.0 args: -v
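Review bot: The new workflow pins actions/checkout at b4ffde65… `# v4.1.1` while every other file in this commit moves to 692973e3… `# v4.1.7`; use the same SHA here, `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`, so the updater tracks a single version. The upload-artifact step is pinned to the v3 line (`# v3.pre.node20`), which GitHub has announced it will stop serving; moving to a pinned v4 release now avoids the scheduled run failing later. The schedule value should also be quoted, `- cron: '29 15 * * 0'`, since `*` is the YAML alias sigil and a quoted string is what every parser reads the same way.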
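Review bot: The job-level permissions block is added only to the lint job; the build, test and windows jobs changed in the hunks at -43, -71 and -102 get no such block and so keep whatever the repository's default GITHUB_TOKEN permissions are, which may be read-write. Add a workflow-level default above `env:` (outside this hunk), `permissions:` / `  contents: read`, and keep the per-job additions such as `pull-requests: read` where a job needs more; Scorecard's Token-Permissions check considers both the top-level and the job-level blocks. The lint job's steps continue past the end of this hunk.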
@@ -43,9 +46,9 @@ jobs:
 needs: lint runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: setup go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod - name: Build on all supported architectures
@@ -71,9 +74,9 @@ jobs:
 run: | sudo apt-get install dnsmasq sudo systemctl disable --now dnsmasq - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: setup go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod - name: Set up Go for root
@@ -102,9 +105,9 @@ jobs:
 needs: build runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: setup go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: go.mod - name: test
diff --git a/README.md b/README.md
index 6ffe5e294..e9504d37c 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,5 @@
 [![test](https://github.com/containernetworking/plugins/actions/workflows/test.yaml/badge.svg)](https://github.com/containernetworking/plugins/actions/workflows/test.yaml?query=branch%3Amaster)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/containernetworking/plugins/badge)](https://securityscorecards.dev/viewer/?uri=github.com/containernetworking/plugins)
 # Plugins
 Some CNI network plugins, maintained by the containernetworking team. For more information, see the [CNI website](https://www.cni.dev).