diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 9cddfa1954..8712277b24 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -10,6 +10,6 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: build and test
- run: make docker_tests
\ No newline at end of file
+ run: make docker_tests
diff --git a/.github/workflows/envoy-sync.yaml b/.github/workflows/envoy-sync.yaml
index 2e3890a2b8..c0b3f3f753 100644
--- a/.github/workflows/envoy-sync.yaml
+++ b/.github/workflows/envoy-sync.yaml
@@ -22,14 +22,14 @@ jobs:
 }}
 steps:
 - id: appauth
- uses: envoyproxy/toolshed/gh-actions/appauth@actions-v0.1.83
+ uses: envoyproxy/toolshed/gh-actions/appauth@5ef04d5f8144dc3a1a8c05bd81b0ef267c0849f5 # actions-v0.1.83
 with:
 key: ${{ secrets.ENVOY_CI_UPDATE_BOT_KEY }}
 app_id: ${{ secrets.ENVOY_CI_UPDATE_APP_ID }}
 # Checkout the repo
 - name: 'Checkout Repository'
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 ref: main
 fetch-depth: 0
@@ -37,7 +37,7 @@ jobs:
 # Checkout the Envoy repo
 - name: 'Checkout Repository'
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 with:
 repository: envoyproxy/envoy
 ref: main
diff --git a/.github/workflows/golangci-lint.yaml b/.github/workflows/golangci-lint.yaml
index 551d22c1c6..b5f390ffd4 100644
--- a/.github/workflows/golangci-lint.yaml
+++ b/.github/workflows/golangci-lint.yaml
@@ -7,9 +7,9 @@ jobs:
 name: lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v3
+ uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
 with:
 version: latest
 only-new-issues: true
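Review bot: The new SHA pins will silently age unless an updater keeps them current, and nothing in this diff adds a `.github/dependabot.yml` entry for the `github-actions` ecosystem (it may already exist outside this diff). Without one, the trailing `# v4.1.1` comments are the only record of what each SHA resolves to, and they drift the first time someone bumps a SHA by hand. The Scorecard workflow introduced in this same change will report this under its Dependency-Update-Tool check, so it is worth landing together.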
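Review bot: The envoyproxy/envoy checkout pinned in the `@@ -37,7` hunk keeps actions/checkout's default `persist-credentials: true`, so the job's GITHUB_TOKEN is written into that clone's `.git/config` for the rest of the job even though, as far as the hunk shows, this step only reads `ref: main` from another repository. Add `persist-credentials: false` under its `with:`, matching what the new scorecard workflow in this same change already does for its checkout. Leave the first checkout (the one with `fetch-depth: 0` in the previous hunk) alone unless you confirm the later push uses the `appauth` token rather than the persisted one; the rest of the job is outside this hunk.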
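Review bot: `version: latest` in the context lines under the newly pinned `golangci-lint-action` still downloads whatever golangci-lint release is newest at run time, so the lint toolchain itself remains unpinned even though the action wrapping it is now a SHA. Replace it with the specific release tag the repository currently lints clean against and bump it deliberately; combined with `only-new-issues: true`, a moving linter version also makes "new issues" non-reproducible between runs. The surrounding job definition continues outside the hunk.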
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 0000000000..8c4bb04b2b
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,45 @@
+name: Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: '33 13 * * 5'
+ push:
+ branches:
+ - "main"
+
+permissions:
+ contents: read
+
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-22.04
+ permissions:
+ security-events: write
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 0f14f7b0a7..7dcc7a0308 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -10,7 +10,7 @@ jobs:
 steps:
 - name: Prune Stale
- uses: actions/stale@v7
+ uses: actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b # v7.0.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 # Different amounts of days for issues/PRs are not currently supported but there is a PR
diff --git a/README.md b/README.md
index 0eca9b5015..2bb0d57f2f 100644
--- a/README.md
+++ b/README.md
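Review bot: The job-level `id-token: write` and `security-events: write` grants in the new scorecard.yml carry no comment explaining why an analysis job that only reads the repository needs them, which invites a later least-privilege cleanup to drop them and silently break result publishing or the SARIF upload. Add `# OIDC token: presumably required by publish_results: true below - confirm against ossf/scorecard-action` above `id-token: write` and `# needed by github/codeql-action/upload-sarif` above `security-events: write`, so the dependency between the grants and the steps that use them is visible in the file. Consider also adding `workflow_dispatch:` under `on:`, so the first run and any re-run after fixing findings do not have to wait for the Friday cron or a push to main.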
@@ -1,5 +1,6 @@ # control-plane +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/envoyproxy/go-control-plane/badge)](https://api.securityscorecards.dev/projects/github.com/envoyproxy/go-control-plane) ![CI Status](https://github.com/envoyproxy/go-control-plane/actions/workflows/ci.yaml/badge.svg) [![Go Report Card](https://goreportcard.com/badge/github.com/envoyproxy/go-control-plane)](https://goreportcard.com/report/github.com/envoyproxy/go-control-plane) [![GoDoc](https://pkg.go.dev/badge/github.com/envoyproxy/go-control-plane.svg)](https://pkg.go.dev/github.com/envoyproxy/go-control-plane)