From f4f2dc7430c2cffcd8f98b037000e7bd11f28629 Mon Sep 17 00:00:00 2001
From: Matthieu MOREL
Date: Thu, 22 Aug 2024 11:40:30 +0200
Subject: [PATCH] Setup scorecard workflow
Signed-off-by: Matthieu MOREL
---
 .github/workflows/commands.yml | 2 +-
 .github/workflows/scorecard.yml | 40 +++++++++++++++++++++++++++++++++
 .github/workflows/test.yaml | 36 +++++++++++++++++++----------
 .yamllint => .yamllint.yaml | 1 +
 README.md | 3 +++
 5 files changed, 69 insertions(+), 13 deletions(-)
 create mode 100644 .github/workflows/scorecard.yml
 rename .yamllint => .yamllint.yaml (85%)
diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml
index f16ee679..09f73246 100644
--- a/.github/workflows/commands.yml
+++ b/.github/workflows/commands.yml
@@ -9,7 +9,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code
- uses: actions/checkout@v4
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Re-Test Action
 uses: ./.github/actions/retest-action
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 00000000..628a596f
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,40 @@
+name: Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: 29 15 * * 0
+permissions: read-all
+jobs:
+ analysis:
+ name: Scorecard analysis
+ permissions:
+ id-token: write
+ security-events: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+
+ - name: Run analysis
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: Upload to code-scanning
+ uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 5de61efe..cfc3f90c 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
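Review bot: The scorecard job pins `actions/checkout` to `b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, while every other checkout touched by this same commit is pinned to `692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`; carrying two revisions of the same action across the repository makes Dependabot/Renovate bumps and manual audits harder, so the new workflow should use the same line, `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`. The `actions/upload-artifact` pin is tagged `v3.pre.node20`, an older major line of that action which, as far as I know, is on a deprecation path, so it is worth moving to a current v4 SHA now rather than when uploads start failing. `persist-credentials: false`, the `read-all` default and the job-level `id-token: write`/`security-events: write` match the OpenSSF template and look right. `publish_results: true` sends the analysis to the public Scorecard API, which is clearly the intent given the README badge, but it is a disclosure decision the commit message could state explicitly.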
@@ -10,30 +10,39 @@ env:
 jobs:
 lint:
 name: Lint
+ permissions:
+ contents: read
+ pull-requests: read
 runs-on: ubuntu-latest
 steps:
 - name: setup go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: ${{ env.GO_VERSION }}
- - uses: actions/checkout@v4
- - uses: ibiqlik/action-yamllint@v3
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
 with:
 format: auto
- - uses: golangci/golangci-lint-action@v6
+ config_file: .yamllint.yaml
+
+ - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
 with:
 args: --verbose
 version: v1.57.1
+
 build:
 name: Build all linux architectures
 needs: lint
 runs-on: ubuntu-latest
 steps:
 - name: setup go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: ${{ env.GO_VERSION }}
- - uses: actions/checkout@v4
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Build on all supported architectures
 run: |
@@ -49,10 +58,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: setup go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: ${{ env.GO_VERSION }}
- - uses: actions/checkout@v4
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 - name: Install test binaries
 run: |
@@ -62,9 +72,9 @@ jobs:
 - name: test
 run: COVERALLS=1 ./test.sh
- - name: Send coverage to coveralls
- env:
+ - env:
 COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ name: Send coverage to coveralls
 run: |
 PATH=$PATH:$(go env GOPATH)/bin
 gover
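Review bot: Only the `lint` job in the first hunk receives an explicit `permissions:` block; the `build` job added right below it and the test jobs in the later hunks still run with the workflow's default token, and no workflow-level `permissions:` is visible here (the file head above line 10 is outside the hunk), so if none exists the Scorecard Token-Permissions check this commit sets up will keep flagging this file. The simplest fix is a workflow-level `permissions:` with `contents: read` at the top of the file, keeping `pull-requests: read` on `lint` only, or else repeating `permissions:` / `contents: read` on `build` and the two test jobs — assuming the coveralls upload needs nothing beyond the read token it already receives as `COVERALLS_TOKEN`. For consistency with the new scorecard workflow, the re-pinned `actions/checkout` steps could also pass `with:` / `persist-credentials: false`, since no later step in these hunks needs the token left in `.git/config`. The `lint` and `build` jobs begin and end inside the first hunk, but the test jobs in the second and third hunks are only partially visible.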
@@ -76,9 +86,11 @@ jobs:
 runs-on: windows-latest
 steps:
 - name: setup go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
 with:
 go-version: ${{ env.GO_VERSION }}
- - uses: actions/checkout@v4
+
+ - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
 - name: test
 run: bash ./test.sh
diff --git a/.yamllint b/.yamllint.yaml
similarity index 85%
rename from .yamllint
rename to .yamllint.yaml
index 579bc221..802e8c8b 100644
--- a/.yamllint
+++ b/.yamllint.yaml
@@ -3,6 +3,7 @@ extends: default
 rules:
 document-start: disable
+ line-length: disable
 truthy:
 ignore: |
 .github/workflows/*.yml
diff --git a/README.md b/README.md
index 1ad32e24..7b0c2148 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,9 @@
 # CNI - the Container Network Interface
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2446/badge)](https://bestpractices.coreinfrastructure.org/projects/2446)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/containernetworking/cni/badge)](https://securityscorecards.dev/viewer/?uri=github.com/containernetworking/cni)
+
 ## What is CNI?
 CNI (_Container Network Interface_), a [Cloud Native Computing Foundation](https://cncf.io) project, consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins.
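Review bot: `line-length: disable` in the `.yamllint.yaml` hunk switches the rule off for every YAML file in the repository, when the only lines this commit pushes past the default 80 columns are the SHA-pinned `uses:` lines with their `# vX.Y.Z` comments in `.github/workflows/`. A narrower setting keeps the check for everything else: `line-length: {max: 120}` leaves room for a 40-character SHA plus the version comment, or `line-length: {allow-non-breakable-inline-mappings: true}` if 80 should stay the limit — I have not verified that the second form tolerates the trailing comment on those lines, so the explicit `max` is the safer choice. The rest of the file is context and the hunk's old side is not fully visible here, so I have not reviewed the `truthy` ignore list.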