Setup scorecard workflow and pin actions versions (#845)

Signed-off-by: Matthieu MOREL <[email protected]>

.github/workflows/ci.yaml

@@ -10,6 +10,6 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
       - name: build and test
-        run: make docker_tests
+        run: make docker_tests

.github/workflows/envoy-sync.yaml

@@ -22,22 +22,22 @@ jobs:
       }}
     steps:
     - id: appauth
-      uses: envoyproxy/toolshed/gh-actions/[email protected]
+      uses: envoyproxy/toolshed/gh-actions/appauth@5ef04d5f8144dc3a1a8c05bd81b0ef267c0849f5  # actions-v0.1.83
       with:
         key: ${{ secrets.ENVOY_CI_UPDATE_BOT_KEY }}
         app_id: ${{ secrets.ENVOY_CI_UPDATE_APP_ID }}
 
     # Checkout the repo
     - name: 'Checkout Repository'
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
       with:
         ref: main
         fetch-depth: 0
         token: ${{ steps.appauth.outputs.token }}
 
     # Checkout the Envoy repo
     - name: 'Checkout Repository'
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
       with:
         repository: envoyproxy/envoy
         ref: main

.github/workflows/golangci-lint.yaml

@@ -7,9 +7,9 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3
+        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc  # v3.7.0
         with:
           version: latest
           only-new-issues: true

.github/workflows/scorecard.yml

@@ -0,0 +1,45 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+  - cron: '33 13 * * 5'
+  push:
+    branches:
+    - "main"
+
+permissions:
+  contents: read
+
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+    - name: "Checkout code"
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # v4.1.1
+      with:
+        persist-credentials: false
+
+    - name: "Run analysis"
+      uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736  # v2.3.1
+      with:
+        results_file: results.sarif
+        results_format: sarif
+        publish_results: true
+
+    - name: "Upload artifact"
+      uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8  # v3.1.0
+      with:
+        name: SARIF file
+        path: results.sarif
+        retention-days: 5
+
+    - name: "Upload to code-scanning"
+      uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4  # v3.22.12
+      with:
+        sarif_file: results.sarif

.github/workflows/stale.yaml

@@ -10,7 +10,7 @@ jobs:
 
     steps:
     - name: Prune Stale
-      uses: actions/stale@v7
+      uses: actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b  # v7.0.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         # Different amounts of days for issues/PRs are not currently supported but there is a PR

README.md

@@ -1,5 +1,6 @@
 # control-plane
 
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/envoyproxy/go-control-plane/badge)](https://api.securityscorecards.dev/projects/github.com/envoyproxy/go-control-plane)
 ![CI Status](https://github.com/envoyproxy/go-control-plane/actions/workflows/ci.yaml/badge.svg)
 [![Go Report Card](https://goreportcard.com/badge/github.com/envoyproxy/go-control-plane)](https://goreportcard.com/report/github.com/envoyproxy/go-control-plane)
 [![GoDoc](https://pkg.go.dev/badge/github.com/envoyproxy/go-control-plane.svg)](https://pkg.go.dev/github.com/envoyproxy/go-control-plane)