Bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#138) #2
# TODO: maybe cache actions/checkout's output | ||
name: General tests | ||
on: | ||
workflow_call: | ||
inputs: | ||
node-code-pre-test: | ||
required: false | ||
type: string | ||
secrets: | ||
SNYK_TOKEN: | ||
required: false | ||
outputs: | ||
run-snyk: | ||
value: ${{ jobs.run-snyk.outputs.run-snyk }} | ||
permissions: {} | ||
jobs: | ||
scorecard: | ||
if: github.event_name == 'pull_request' || github.ref == 'refs/heads/dev' | ||
name: Check supply chain with Scorecard | ||
permissions: | ||
security-events: write | ||
actions: read | ||
contents: read | ||
issues: read | ||
pull-requests: read | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden runner | ||
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
api.github.com:443 | ||
github.com:443 | ||
auth.docker.io:443 | ||
index.docker.io:443 | ||
api.osv.dev:443 | ||
www.bestpractices.dev:443 | ||
bestpractices.coreinfrastructure.org:443 | ||
oss-fuzz-build-logs.storage.googleapis.com:443 | ||
- name: Checkout | ||
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b | ||
with: | ||
persist-credentials: false | ||
show-progress: false | ||
- name: Run analysis | ||
uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 | ||
with: | ||
results_file: scorecard.sarif | ||
results_format: sarif | ||
- name: Upload output | ||
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 | ||
with: | ||
name: Scorecard | ||
path: scorecard.sarif | ||
- name: Upload SARIF to dashboard | ||
if: "!github.event.repository.private" | ||
uses: github/codeql-action/upload-sarif@f31a31c052207cc13b328d6295c5b728bb49568c | ||
with: | ||
sarif_file: scorecard.sarif | ||
category: Scorecard | ||
dependency-review: | ||
if: "!github.event.repository.private" | ||
name: Dependency review | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden runner | ||
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
api.github.com:443 | ||
github.com:443 | ||
- name: Checkout | ||
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b | ||
with: | ||
persist-credentials: false | ||
show-progress: false | ||
- name: Dependency review | ||
uses: actions/dependency-review-action@0c155c5e8556a497adf53f2c18edabf945ed8e70 | ||
with: | ||
base-ref: ${{ github.base_ref || 'dev' }} | ||
head-ref: ${{ github.head_ref || github.event.after || 'dev' }} | ||
codeql: | ||
if: "!github.event.repository.private" | ||
name: CodeQL scan | ||
permissions: | ||
security-events: write | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden runner | ||
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
api.github.com:443 | ||
uploads.github.com:443 | ||
github.com:443 | ||
objects.githubusercontent.com:443 | ||
pkg-containers.githubusercontent.com:443 | ||
ghcr.io:443 | ||
- name: Checkout | ||
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b | ||
with: | ||
persist-credentials: false | ||
show-progress: false | ||
- name: Init | ||
uses: github/codeql-action/init@f31a31c052207cc13b328d6295c5b728bb49568c | ||
with: | ||
languages: javascript | ||
packs: codeql/[email protected] | ||
queries: security-and-quality, security-experimental | ||
- name: Scan | ||
uses: github/codeql-action/analyze@f31a31c052207cc13b328d6295c5b728bb49568c | ||
run-snyk: | ||
name: Run Snyk? | ||
runs-on: ubuntu-latest | ||
outputs: | ||
run-snyk: ${{ steps.set-outputs.outputs.run-snyk }} | ||
steps: | ||
- name: Harden runner | ||
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: '' | ||
- name: Set outputs | ||
id: set-outputs | ||
run: | | ||
echo "run-snyk=${{ secrets.SNYK_TOKEN != '' }}" >> $GITHUB_OUTPUT | ||
snyk-js: | ||
if: needs.run-snyk.outputs.run-snyk == 'true' | ||
needs: run-snyk | ||
name: Check JS code for vulnerabilities with Snyk | ||
permissions: | ||
security-events: write | ||
contents: read | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden runner | ||
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
api.github.com:443 | ||
github.com:443 | ||
api.snyk.io:443 | ||
- name: Checkout | ||
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b | ||
with: | ||
persist-credentials: false | ||
show-progress: false | ||
- name: Run Snyk | ||
uses: snyk/actions/node@b98d498629f1c368650224d6d212bf7dfa89e4bf | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
with: | ||
args: --sarif-file-output=snyk-js.sarif --all-projects | ||
continue-on-error: true | ||
- name: Replace security-severity for license-related findings # https://github.com/github/codeql-action/issues/2187 | ||
run: sed -i 's/"security-severity": "(undefined|null)"/"security-severity": "0"/g' snyk-js.sarif | ||
- name: Upload output | ||
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 | ||
with: | ||
name: Snyk (JS) | ||
path: snyk-js.sarif | ||
- name: Upload SARIF to dashboard | ||
if: "!github.event.repository.private" | ||
uses: github/codeql-action/upload-sarif@f31a31c052207cc13b328d6295c5b728bb49568c | ||
with: | ||
category: Snyk (JS) | ||
sarif_file: snyk-js.sarif | ||
test-unit: | ||
if: "inputs.node-code-pre-test != 'DISABLE'" | ||
name: Run unit tests | ||
permissions: | ||
contents: read | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden runner | ||
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
api.github.com:443 | ||
github.com:443 | ||
objects.githubusercontent.com:443 | ||
registry.npmjs.org:443 | ||
- name: Checkout | ||
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b | ||
with: | ||
persist-credentials: false | ||
show-progress: false | ||
- name: Run unit tests | ||
uses: warriors-life/.warriors-life-workflows/run-unit-tests@dev | ||
with: | ||
node-code-pre-test: ${{ inputs.node-code-pre-test }} |