	ci: add dep review, OSSF scorecard actions (#7063)
* ci: add dep review action Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com> * sprinkle permissions on Actions jobs Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com> * README: add OpenSSF best practices badge Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com> * add draft OpenSSF Scorecard workflow Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com> --------- Signed-off-by: Mohammed Al Sahaf <msaa1990@gmail.com>
This commit is contained in:
		
							parent
							
								
									e633d013f6
								
							
						
					
					
						commit
						7a33f481f1
					
				
							
								
								
									
										11
									
								
								.github/workflows/ci.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										11
									
								
								.github/workflows/ci.yml
									
									
									
									
										vendored
									
									
								
							| @ -55,7 +55,10 @@ jobs: | ||||
|           SUCCESS: 'True' | ||||
| 
 | ||||
|     runs-on: ${{ matrix.OS_LABEL }} | ||||
| 
 | ||||
|     permissions: | ||||
|       contents: read | ||||
|       pull-requests: read | ||||
|       actions: write # to allow uploading artifacts and cache | ||||
|     steps: | ||||
|     - name: Checkout code | ||||
|       uses: actions/checkout@v4 | ||||
| @ -142,6 +145,9 @@ jobs: | ||||
| 
 | ||||
|   s390x-test: | ||||
|     name: test (s390x on IBM Z) | ||||
|     permissions: | ||||
|       contents: read | ||||
|       pull-requests: read | ||||
|     runs-on: ubuntu-latest | ||||
|     if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]' | ||||
|     continue-on-error: true  # August 2020: s390x VM is down due to weather and power issues | ||||
| @ -194,6 +200,9 @@ jobs: | ||||
| 
 | ||||
|   goreleaser-check: | ||||
|     runs-on: ubuntu-latest | ||||
|     permissions: | ||||
|       contents: read | ||||
|       pull-requests: read | ||||
|     if: github.event.pull_request.head.repo.full_name == 'caddyserver/caddy' && github.actor != 'dependabot[bot]' | ||||
|     steps: | ||||
|       - name: Checkout code | ||||
|  | ||||
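Review bot: `actions: write # to allow uploading artifacts and cache` in the first hunk has a single space before the inline comment; yamllint's `comments` rule wants at least two, `actions: write  # to allow uploading artifacts and cache`. The same `contents: read` / `pull-requests: read` block is repeated per job here and again in cross-build.yml, lint.yml (govulncheck) and release_published.yml, while scorecard.yml in this same commit sets a workflow-level default instead; a top-level `permissions: contents: read` with job-level overrides only where a job needs more would keep the files consistent and make any job added later least-privileged by default. Nothing visible in these hunks reads pull-request data, so `pull-requests: read` may be droppable, though each job's steps continue outside the hunk. Once a job declares `permissions`, every scope it does not list is `none`, so any step further down that relied on another scope of GITHUB_TOKEN will now fail and is worth a run on a PR before merging.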
							
								
								
									
										3
									
								
								.github/workflows/cross-build.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										3
									
								
								.github/workflows/cross-build.yml
									
									
									
									
										vendored
									
									
								
							| @ -40,6 +40,9 @@ jobs: | ||||
|           GO_SEMVER: '~1.24.1' | ||||
| 
 | ||||
|     runs-on: ubuntu-latest | ||||
|     permissions: | ||||
|       contents: read | ||||
|       pull-requests: read | ||||
|     continue-on-error: true | ||||
|     steps: | ||||
|       - name: Checkout code | ||||
|  | ||||
							
								
								
									
										16
									
								
								.github/workflows/lint.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										16
									
								
								.github/workflows/lint.yml
									
									
									
									
										vendored
									
									
								
							| @ -62,6 +62,9 @@ jobs: | ||||
|           # only-new-issues: true | ||||
| 
 | ||||
|   govulncheck: | ||||
|     permissions: | ||||
|       contents: read | ||||
|       pull-requests: read | ||||
|     runs-on: ubuntu-latest | ||||
|     steps: | ||||
|       - name: govulncheck | ||||
| @ -69,3 +72,16 @@ jobs: | ||||
|         with: | ||||
|           go-version-input: '~1.24.1' | ||||
|           check-latest: true | ||||
|    | ||||
|   dependency-review: | ||||
|     runs-on: ubuntu-latest | ||||
|     permissions: | ||||
|       contents: read | ||||
|       pull-requests: write | ||||
|     steps: | ||||
|       - name: 'Checkout Repository' | ||||
|         uses: actions/checkout@v4 | ||||
|       - name: 'Dependency Review' | ||||
|         uses: actions/dependency-review-action@v4 | ||||
|         with: | ||||
|           comment-summary-in-pr: on-failure | ||||
|  | ||||
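Review bot: The new `dependency-review` job pins `actions/checkout@v4` and `actions/dependency-review-action@v4` to mutable tags, whereas scorecard.yml in this commit pins its actions to full commit SHAs with a version comment; Scorecard's Pinned-Dependencies check will flag these two lines, so pin them the same way, `uses: actions/dependency-review-action@<commit-sha>  # v4.x` with the SHA taken from the action's release. dependency-review-action only runs on pull-request events and reports an error otherwise; if lint.yml is also triggered on `push` (not visible in the hunk), guard the job with `if: github.event_name == 'pull_request'`. `pull-requests: write` is what `comment-summary-in-pr: on-failure` needs, and a one-line comment saying so, `pull-requests: write  # comment-summary-in-pr posts a PR comment`, keeps the write scope from being trimmed as an oversight later.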
							
								
								
									
										5
									
								
								.github/workflows/release_published.yml
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										5
									
								
								.github/workflows/release_published.yml
									
									
									
									
										vendored
									
									
								
							| @ -13,7 +13,10 @@ jobs: | ||||
|         os:  | ||||
|           - ubuntu-latest | ||||
|     runs-on: ${{ matrix.os }} | ||||
| 
 | ||||
|     permissions: | ||||
|       contents: read | ||||
|       pull-requests: read | ||||
|       actions: write | ||||
|     steps: | ||||
| 
 | ||||
|     # See https://github.com/peter-evans/repository-dispatch | ||||
|  | ||||
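Review bot: `actions: write` on this job carries no comment saying which step needs it, unlike its ci.yml counterpart, and the job's steps continue outside the hunk, so the hunk alone does not show whether anything below uploads artifacts or calls the Actions API. If the only step is the repository-dispatch referenced in the comment, that action typically authenticates with a PAT rather than GITHUB_TOKEN and the scope would be unnecessary; either drop it or annotate it, `actions: write  # <step that needs it>`, so the next reader can verify the justification.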
							
								
								
									
										78
									
								
								.github/workflows/scorecard.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							
							
						
						
									
										78
									
								
								.github/workflows/scorecard.yml
									
									
									
									
										vendored
									
									
										Normal file
									
								
							| @ -0,0 +1,78 @@ | ||||
| # This workflow uses actions that are not certified by GitHub. They are provided | ||||
| # by a third-party and are governed by separate terms of service, privacy | ||||
| # policy, and support documentation. | ||||
| 
 | ||||
| name: OpenSSF Scorecard supply-chain security | ||||
| on: | ||||
|   # For Branch-Protection check. Only the default branch is supported. See | ||||
|   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection | ||||
|   branch_protection_rule: | ||||
|   # To guarantee Maintained check is occasionally updated. See | ||||
|   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained | ||||
|   schedule: | ||||
|     - cron: '20 2 * * 5' | ||||
|   push: | ||||
|     branches: [ "master" ] | ||||
| 
 | ||||
| # Declare default permissions as read only. | ||||
| permissions: read-all | ||||
| 
 | ||||
| jobs: | ||||
|   analysis: | ||||
|     name: Scorecard analysis | ||||
|     runs-on: ubuntu-latest | ||||
|     # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled. | ||||
|     if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' | ||||
|     permissions: | ||||
|       # Needed to upload the results to code-scanning dashboard. | ||||
|       security-events: write | ||||
|       # Needed to publish results and get a badge (see publish_results below). | ||||
|       id-token: write | ||||
|       # Uncomment the permissions below if installing in a private repository. | ||||
|       # contents: read | ||||
|       # actions: read | ||||
| 
 | ||||
|     steps: | ||||
|       - name: "Checkout code" | ||||
|         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | ||||
|         with: | ||||
|           persist-credentials: false | ||||
| 
 | ||||
|       - name: "Run analysis" | ||||
|         uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 | ||||
|         with: | ||||
|           results_file: results.sarif | ||||
|           results_format: sarif | ||||
|           # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: | ||||
|           # - you want to enable the Branch-Protection check on a *public* repository, or | ||||
|           # - you are installing Scorecard on a *private* repository | ||||
|           # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. | ||||
|           # repo_token: ${{ secrets.SCORECARD_TOKEN }} | ||||
| 
 | ||||
|           # Public repositories: | ||||
|           #   - Publish results to OpenSSF REST API for easy access by consumers | ||||
|           #   - Allows the repository to include the Scorecard badge. | ||||
|           #   - See https://github.com/ossf/scorecard-action#publishing-results. | ||||
|           # For private repositories: | ||||
|           #   - `publish_results` will always be set to `false`, regardless | ||||
|           #     of the value entered here. | ||||
|           publish_results: true | ||||
| 
 | ||||
|           # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore | ||||
|           # file_mode: git | ||||
| 
 | ||||
|       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF | ||||
|       # format to the repository Actions tab. | ||||
|       - name: "Upload artifact" | ||||
|         uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 | ||||
|         with: | ||||
|           name: SARIF file | ||||
|           path: results.sarif | ||||
|           retention-days: 5 | ||||
| 
 | ||||
|       # Upload the results to GitHub's code scanning dashboard (optional). | ||||
|       # Commenting out will disable upload of results to your repo's Code Scanning dashboard | ||||
|       - name: "Upload to code-scanning" | ||||
|         uses: github/codeql-action/upload-sarif@v3 | ||||
|         with: | ||||
|           sarif_file: results.sarif | ||||
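Review bot: `uses: github/codeql-action/upload-sarif@v3` in the last step is the only action in this file pinned to a mutable tag; the other three are pinned to commit SHAs with a version comment, and Scorecard's own Pinned-Dependencies check will score this workflow down for it, so pin it the same way, `uses: github/codeql-action/upload-sarif@<commit-sha>  # v3.x` with the SHA from the release. The job `if:` keeps a `github.event_name == 'pull_request'` clause, but the workflow declares only `branch_protection_rule`, `schedule` and `push` triggers, so that half is dead; `if: github.event.repository.default_branch == github.ref_name` states what is actually enforced. `branches: [ "master" ]` is flow style with inner spaces while the rest of the file is block style; `branches:` followed by `- master` on the next line matches it.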
| @ -14,6 +14,7 @@ | ||||
| <p align="center">Caddy is an extensible server platform that uses TLS by default.</p> | ||||
| <p align="center"> | ||||
| 	<a href="https://github.com/caddyserver/caddy/actions/workflows/ci.yml"><img src="https://github.com/caddyserver/caddy/actions/workflows/ci.yml/badge.svg"></a> | ||||
| 	<a href="https://www.bestpractices.dev/projects/7141"><img src="https://www.bestpractices.dev/projects/7141/badge"></a> | ||||
| 	<a href="https://pkg.go.dev/github.com/caddyserver/caddy/v2"><img src="https://img.shields.io/badge/godoc-reference-%23007d9c.svg"></a> | ||||
| 	<br> | ||||
| 	<a href="https://x.com/caddyserver" title="@caddyserver on Twitter"><img src="https://img.shields.io/twitter/follow/caddyserver" alt="@caddyserver on Twitter"></a> | ||||
|  | ||||