Skip to content

Open Source Security Foundation #14

Open Source Security Foundation

Open Source Security Foundation #14

## %CopyrightBegin%
##
## Copyright Ericsson AB 2024. All Rights Reserved.
##
## Licensed under the Apache License, Version 2.0 (the "License");
## you may not use this file except in compliance with the License.
## You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
##
## %CopyrightEnd%
## This workflow continually scan the master branch to make sure that
## the correct compiler flags are used when testing Erlang/OTP on github.
name: Open Source Security Foundation
on:
workflow_dispatch:
schedule:
- cron: 0 1 * * *
permissions:
contents: read
jobs:
schedule-scan:
runs-on: ubuntu-latest
if: github.repository == 'erlang/otp'
permissions:
# Required to upload SARIF file to CodeQL.
# See: https://github.com/github/codeql-action/issues/2117
actions: read
# Require writing security events to upload SARIF file to security tab
security-events: write
# Only need to read contents
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
- name: Create initial pre-release tar
run: .github/scripts/init-pre-release.sh otp_src.tar.gz
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]
with:
repository: ossf/wg-best-practices-os-developers
sparse-checkout: docs/Compiler-Hardening-Guides/compiler-options-scraper
path: ossf
- name: Setup compiler options scraper
run: |
pip3 install -r ossf/docs/Compiler-Hardening-Guides/compiler-options-scraper/requirements.txt
python3 ossf/docs/Compiler-Hardening-Guides/compiler-options-scraper/main.py
cat compiler-options.json
- uses: ./.github/actions/build-base-image
with:
BASE_BRANCH: master
BUILD_IMAGE: true
- name: Run compiler flag comparison
run: |
docker run -v `pwd`/.github/scripts:/github --entrypoint "" otp \
bash -c "/github/ossf-sarif-generator.es '$(cat compiler-options.json)'" > results.sarif
- name: "Upload artifact"
if: ${{ !cancelled() }}
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 ratchet:actions/upload-artifact@v4
with:
name: SARIF file
path: results.sarif
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
if: ${{ !cancelled() }}
uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # ratchet:github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif