Bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#138) #2


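# Reusable workflow (`workflow_call`) bundling the shared security and test jobs:
# Scorecard, dependency review, CodeQL, Snyk and the unit tests.
#
# Hardening conventions used throughout this file:
#   - top-level `permissions: {}` with least-privilege grants per job;
#   - every third-party action pinned to a full commit SHA (consider adding a
#     trailing `# vX.Y.Z` comment to each pin so Dependabot/Renovate keep tag
#     and SHA in sync — the PR this run belongs to is exactly such a bump);
#   - step-security/harden-runner with `egress-policy: block` and an explicit
#     per-job allow-list, so a compromised dependency cannot exfiltrate freely;
#   - `persist-credentials: false` on every checkout so GITHUB_TOKEN is not left
#     in .git/config for later steps (or a malicious action) to read.
#
# TODO: maybe cache actions/checkout's output
name: General tests

on:
  workflow_call:
    inputs:
      node-code-pre-test:
        required: false
        type: string
    secrets:
      SNYK_TOKEN:
        required: false
    outputs:
      run-snyk:
        value: ${{ jobs.run-snyk.outputs.run-snyk }}

# No token scopes by default; each job requests only what it needs. In a called
# workflow the caller's grant is the upper bound — a job that asks for more than
# the caller allows fails, so callers must grant at least what is listed below.
permissions: {}

jobs:
  scorecard:
    # `github.*` here is the caller's event context: PRs and pushes to dev only.
    if: github.event_name == 'pull_request' || github.ref == 'refs/heads/dev'
    name: Check supply chain with Scorecard
    permissions:
      security-events: write  # needed by upload-sarif
      actions: read
      contents: read
      issues: read
      pull-requests: read
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            auth.docker.io:443
            index.docker.io:443
            api.osv.dev:443
            www.bestpractices.dev:443
            bestpractices.coreinfrastructure.org:443
            oss-fuzz-build-logs.storage.googleapis.com:443
      - name: Checkout
        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
        with:
          persist-credentials: false
          show-progress: false
      - name: Run analysis
        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534
        with:
          results_file: scorecard.sarif
          results_format: sarif
      - name: Upload output
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
        with:
          name: Scorecard
          path: scorecard.sarif
      - name: Upload SARIF to dashboard
        # Code-scanning uploads are skipped on private repositories (presumably
        # because they need GitHub Advanced Security there); the artifact above is
        # still produced so the results are not lost. Quoted because a plain `!`
        # would be read as a YAML tag indicator.
        if: "!github.event.repository.private"
        uses: github/codeql-action/upload-sarif@f31a31c052207cc13b328d6295c5b728bb49568c
        with:
          sarif_file: scorecard.sarif
          category: Scorecard

  dependency-review:
    if: "!github.event.repository.private"
    name: Dependency review
    # Explicit grant: with the top-level `permissions: {}` this job's token would
    # otherwise have no scopes at all, and dependency-review-action documents
    # `contents: read` as required for the dependency-graph comparison it performs.
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
      - name: Checkout
        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
        with:
          persist-credentials: false
          show-progress: false
      - name: Dependency review
        uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70
        with:
          # On pull_request both refs come from the event; on push fall back to the
          # pushed commit (`event.after`) against dev, and finally to dev itself.
          base-ref: ${{ github.base_ref || 'dev' }}
          head-ref: ${{ github.head_ref || github.event.after || 'dev' }}

  codeql:
    if: "!github.event.repository.private"
    name: CodeQL scan
    permissions:
      security-events: write  # `analyze` uploads its results
      contents: read  # explicit read for checkout/analysis under the empty default
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            uploads.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            pkg-containers.githubusercontent.com:443
            ghcr.io:443
      - name: Checkout
        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
        with:
          persist-credentials: false
          show-progress: false
      - name: Init
        uses: github/codeql-action/init@f31a31c052207cc13b328d6295c5b728bb49568c
        with:
          languages: javascript
          # NOTE(review): this value looks mangled by the page's e-mail obfuscation
          # ("[email protected]"); restore the real `<pack>@<version>` from the repo
          # before relying on this listing.
          packs: codeql/[email protected]
          queries: security-and-quality, security-experimental
      - name: Scan
        uses: github/codeql-action/analyze@f31a31c052207cc13b328d6295c5b728bb49568c

  # Secrets cannot be referenced in a job-level `if:`, so this tiny job turns
  # "is SNYK_TOKEN set?" into an output that snyk-js can gate on. The expression
  # below evaluates to the literal `true`/`false`, so nothing attacker-controlled
  # is interpolated into the shell line (no expression-injection risk here).
  run-snyk:
    name: Run Snyk?
    runs-on: ubuntu-latest
    outputs:
      run-snyk: ${{ steps.set-outputs.outputs.run-snyk }}
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: ''  # this job needs no outbound traffic at all
      - name: Set outputs
        id: set-outputs
        run: |
          echo "run-snyk=${{ secrets.SNYK_TOKEN != '' }}" >> "$GITHUB_OUTPUT"

  snyk-js:
    if: needs.run-snyk.outputs.run-snyk == 'true'
    needs: run-snyk
    name: Check JS code for vulnerabilities with Snyk
    permissions:
      security-events: write  # needed by upload-sarif
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            api.snyk.io:443
      - name: Checkout
        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
        with:
          persist-credentials: false
          show-progress: false
      - name: Run Snyk
        uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf
        env:
          # Passed via env, not `with:`/`run:`, so the token never appears in a
          # command line.
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --sarif-file-output=snyk-js.sarif --all-projects
        # Snyk exits non-zero when it finds issues; keep going so the SARIF is still
        # uploaded. Caveat: this also hides genuine failures (bad token, blocked
        # egress) — the sed step below then fails on the missing SARIF file, which
        # is the only remaining signal.
        continue-on-error: true
      - name: Replace security-severity for license-related findings # https://github.com/github/codeql-action/issues/2187
        # A block scalar is required here: the command contains `": "`, which in a
        # plain scalar YAML reads as a mapping indicator — that is the "Invalid
        # workflow file" error this run reports. `-E` makes `(undefined|null)` a
        # real alternation; in sed's default BRE those characters match literally.
        run: |
          sed -E -i 's/"security-severity": "(undefined|null)"/"security-severity": "0"/g' snyk-js.sarif
      - name: Upload output
        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
        with:
          name: Snyk (JS)
          path: snyk-js.sarif
      - name: Upload SARIF to dashboard
        if: "!github.event.repository.private"
        uses: github/codeql-action/upload-sarif@f31a31c052207cc13b328d6295c5b728bb49568c
        with:
          category: Snyk (JS)
          sarif_file: snyk-js.sarif

  test-unit:
    if: "inputs.node-code-pre-test != 'DISABLE'"
    name: Run unit tests
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout
        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
        with:
          persist-credentials: false
          show-progress: false
      - name: Run unit tests
        # NOTE(review): the only un-pinned reference in this file. `@dev` is a
        # mutable branch (same org, so the blast radius is limited, but a push to
        # dev changes what runs here); pinning to a commit SHA would make it
        # consistent with every other `uses:` above.
        uses: warriors-life/.warriors-life-workflows/run-unit-tests@dev
        with:
          node-code-pre-test: ${{ inputs.node-code-pre-test }}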