diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml new file mode 100644 index 0000000..3c3dbeb --- /dev/null +++ b/.github/workflows/ossf-scorecard.yml @@ -0,0 +1,44 @@ +name: OSSF Scorecard Analysis + +# **What it does**: Runs OSSF Scorecard analysis on the repository and uploads the results. +# **Why we have it**: Security scanning. + +on: + branch_protection_rule: + push: + branches: + - main + paths-ignore: + - "**/*.md" + schedule: + # ┌───────────── minute (0 - 59) + # │ ┌───────────── hour (0 - 23) + # │ │ ┌───────────── day of the month (1 - 31) + # │ │ │ ┌───────────── month (1 - 12 or JAN-DEC) + # │ │ │ │ ┌───────────── day of the week (0 - 6 or SUN-SAT) + # │ │ │ │ │ + # │ │ │ │ │ + # │ │ │ │ │ + # * * * * * + - cron: "21 17 * * 0" + # Allows this workflow to be run manually from the Actions tab + workflow_dispatch: + +# This allows a subsequently queued workflow run to interrupt previous runs +concurrency: + group: "${{ github.workflow }}-${{ github.event.pull_request.head.label || github.head_ref || github.ref }}" + cancel-in-progress: true + +permissions: + contents: read + +jobs: + analysis: + name: OSSF Scorecard Analysis + permissions: + contents: read + id-token: write + security-events: write + uses: ./.github/workflows/reusable-ossf-scorecard.yml + with: + publish_results: true diff --git a/.github/workflows/reusable-ossf-scorecard.yml b/.github/workflows/reusable-ossf-scorecard.yml new file mode 100644 index 0000000..33b781d --- /dev/null +++ b/.github/workflows/reusable-ossf-scorecard.yml @@ -0,0 +1,49 @@ +name: Reusable OSSF Scorecard Analysis + +# **What it does**: Runs OSSF Scorecard analysis on the repository and uploads the results. +# **Why we have it**: Security scanning. + +on: + workflow_call: + inputs: + publish_results: + description: "Set to true to publish results. Only works when run from the default branch." + required: false + type: boolean + default: true + +permissions: {} + +jobs: + analysis: + name: Scorecard Analysis + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + security-events: write + + steps: + - name: Check out repo + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + + - name: Perform OSSF Scorecard analysis + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 + with: + results_file: results.sarif + results_format: sarif + publish_results: ${{ inputs.publish_results && github.ref_name == github.event.repository.default_branch }} + + - name: Upload artifact + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: Upload to Code Scanning + uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3 + with: + sarif_file: results.sarif diff --git a/README.md b/README.md index 37e9180..49adadc 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,8 @@ # Workflows +[![GitHub release](https://img.shields.io/github/v/release/fastify/workflows)](https://github.com/fastify/workflows/releases/latest) +[![OSSF Scorecard](https://api.scorecard.dev/projects/github.com/fastify/workflows/badge)](https://scorecard.dev/viewer/?uri=github.com/fastify/workflows) + Reusable workflows for use in the Fastify organization. ## Intro