feat(security): add OpenSSF Scorecard workflow and maximize score (#498)

* feat(security): add OpenSSF Scorecard workflow and maximize score - Add scorecard.yml workflow (weekly + push to main) with SARIF upload - Add CONTRIBUTING.md for contributor guidelines - Add SLSA provenance attestation job to release workflow - Add CycloneDX SBOM generation job to release workflow - Pin Dockerfile base images to sha256 digests - Enable Renovate pinDigests and platformAutomerge - Add OpenSSF Scorecard badge to README * fix(docs): address PR #498 review comments and remove .coderabbit.yaml - Delete .coderabbit.yaml (falls back to shared org-level config) - Add missing linter deps to CONTRIBUTING.md install step - Separate make all and make test into distinct steps - Fix line length note to match EditorConfig (200 chars, no MD override) - Add yamllint/markdownlint to YAML/JSON/Markdown linter list - Refine action references guidance - Expand "Adding a New Action" section with action-docs and catalog info
2026-03-09 23:57:12 +00:00 · 2026-03-09 01:59:07 +02:00
parent 34372bcd36
commit a0cc32995f
8 changed files with 295 additions and 86 deletions
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,75 @@
+# Contributing to ivuorinen/actions
+
+Thank you for your interest in contributing to this GitHub Actions monorepo.
+
+## Reporting Issues
+
+- **Bugs**: Open an issue using the bug report template.
+- **Security vulnerabilities**: See [SECURITY.md](SECURITY.md) for responsible disclosure.
+- **Feature requests**: Open an issue describing the use case.
+
+## Development Setup
+
+1. Clone the repository:
+
+   ```bash
+   git clone https://github.com/ivuorinen/actions.git
+   cd actions
+   ```
+
+2. Install dependencies (Node.js, Python 3, ShellSpec, shellcheck, actionlint, ruff, prettier, markdownlint, yamllint).
+3. Run formatting, linting, and pre-commit checks:
+
+   ```bash
+   make all
+   ```
+
+4. Run the test suite:
+
+   ```bash
+   make test
+   ```
+
+## Code Style
+
+- **EditorConfig**: 2-space indentation, UTF-8, LF line endings, max 200 chars.
+- **Shell scripts**: POSIX `sh` with `set -eu`. No bash-only syntax.
+- **Python**: Formatted and linted with `ruff`.
+- **YAML/JSON/Markdown**: Formatted with `prettier`; linted with `yamllint` and `markdownlint`.
+- **Action references**: SHA-pinned in `action.yml` files. Date-based tags or commit SHAs for published refs.
+
+Run `make dev` (format + lint) to check your changes.
+
+## Pull Request Process
+
+1. Branch from `main`.
+2. Make focused changes (one feature or fix per PR).
+3. Ensure all checks pass: `make all` and `make test`.
+4. Follow existing patterns in the codebase.
+5. Update documentation if adding or modifying actions.
+
+## Testing
+
+```bash
+make test              # All tests (ShellSpec + pytest)
+make test-actions      # GitHub Actions tests only
+make test-python       # Python validation tests only
+make test-coverage     # All tests with coverage
+```
+
+See [\_tests/README.md](_tests/README.md) for details on the ShellSpec testing framework.
+
+## Adding a New Action
+
+Each action is a self-contained directory at the repository root containing:
+
+- `action.yml` with inputs, outputs, and runs definition
+- `README.md` generated via `action-docs` (`make docs`)
+- Tests in `_tests/`
+
+Do not manually edit sections between `<!--LISTING-->` markers in the root README.
+Use `npm run update-catalog` to regenerate the catalog.
+
+## License
+
+By contributing, you agree that your contributions will be licensed under the [MIT License](LICENSE.md).