ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-03-10 01:57:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(security): add OpenSSF Scorecard workflow and maximize score (#498)

Browse Source 
* feat(security): add OpenSSF Scorecard workflow and maximize score

- Add scorecard.yml workflow (weekly + push to main) with SARIF upload
- Add CONTRIBUTING.md for contributor guidelines
- Add SLSA provenance attestation job to release workflow
- Add CycloneDX SBOM generation job to release workflow
- Pin Dockerfile base images to sha256 digests
- Enable Renovate pinDigests and platformAutomerge
- Add OpenSSF Scorecard badge to README

* fix(docs): address PR #498 review comments and remove .coderabbit.yaml

- Delete .coderabbit.yaml (falls back to shared org-level config)
- Add missing linter deps to CONTRIBUTING.md install step
- Separate make all and make test into distinct steps
- Fix line length note to match EditorConfig (200 chars, no MD override)
- Add yamllint/markdownlint to YAML/JSON/Markdown linter list
- Refine action references guidance
- Expand "Adding a New Action" section with action-docs and catalog info
This commit is contained in:
Ismo Vuorinen
2026-03-09 01:59:07 +02:00
committed by GitHub
parent 34372bcd36
commit a0cc32995f
8 changed files with 295 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/renovate.json vendored
View File

@@ -4,6 +4,8 @@
"github>ivuorinen/renovate-config",
"customManagers:biomeVersions"
],
"pinDigests": true,
"platformAutomerge": true,
"packageRules": [
{
"matchUpdateTypes": [

46
.github/workflows/release.yml vendored
View File

@@ -19,3 +19,49 @@ jobs:
- uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
with:
generate_release_notes: true
provenance:
needs: release
runs-on: ubuntu-latest
permissions:
id-token: write
contents: write
attestations: write
steps:
- uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
- name: Create source archive
env:
TAG: ${{ github.ref_name }}
run: |
set -eu
git archive --format=tar.gz --prefix="${TAG}/" HEAD > "${TAG}-source.tar.gz"
sha256sum "${TAG}-source.tar.gz" > "${TAG}-source.tar.gz.sha256"
- uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
with:
subject-path: '${{ github.ref_name }}-source.tar.gz'
- name: Upload release assets
env:
GH_TOKEN: ${{ github.token }}
TAG: ${{ github.ref_name }}
run: |
set -eu
gh release upload "$TAG" "${TAG}-source.tar.gz" "${TAG}-source.tar.gz.sha256" --clobber
sbom:
needs: release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
- uses: anchore/sbom-action@e11c554f704a0b820cbf8c51673f6945e0731532 # v0.20.0
with:
format: cyclonedx-json
output-file: sbom.cdx.json
- name: Upload SBOM to release
env:
GH_TOKEN: ${{ github.token }}
TAG: ${{ github.ref_name }}
run: |
set -eu
gh release upload "$TAG" sbom.cdx.json --clobber

37
.github/workflows/scorecard.yml vendored Normal file
View File

@@ -0,0 +1,37 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: OpenSSF Scorecard
on:
push:
branches: [main]
schedule:
- cron: '0 2 * * 0' # Weekly Sunday 2AM UTC
permissions: {}
jobs:
analysis:
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write
contents: read
actions: read
steps:
- uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
with:
persist-credentials: false
- uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3
with:
results_file: results.sarif
results_format: sarif
publish_results: true
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: SARIF file
path: results.sarif
retention-days: 5
- uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
with:
sarif_file: results.sarif