Skip to content

Commit

Permalink
🌱 Merge azeems/golang-bug (#336) into golang-staging (#343)
Browse files Browse the repository at this point in the history
* 🌱 Bump github.com/ossf/scorecard/v4 from 4.2.0 to 4.3.0 (#313)

* 🌱 Bump github.com/ossf/scorecard/v4 from 4.2.0 to 4.3.0

Bumps [github.com/ossf/scorecard/v4](https://github.com/ossf/scorecard) from 4.2.0 to 4.3.0.
- [Release notes](https://github.com/ossf/scorecard/releases)
- [Changelog](https://github.com/ossf/scorecard/blob/main/.goreleaser.yml)
- [Commits](ossf/scorecard@v4.2.0...v4.3.0)

---
updated-dependencies:
- dependency-name: github.com/ossf/scorecard/v4
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* options: Restore logic for publishing results

Signed-off-by: Stephen Augustus <foo@auggie.dev>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>

* 🌱 Bump github/codeql-action from 2.1.10 to 2.1.11 (#311)

* 🌱 Bump github/codeql-action from 2.1.10 to 2.1.11

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.10 to 2.1.11.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@2f58583...a3a6c12)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* Fix version comments

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>

* 📖 docs/e2e: Add information about golang-staging branch tests (#170)

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>

* 🌱 .github: Add dependency review action (#165)

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

* Update README.md (#319)

* 🌱 Bump github.com/caarlos0/env/v6 from 6.9.2 to 6.9.3

Bumps [github.com/caarlos0/env/v6](https://github.com/caarlos0/env) from 6.9.2 to 6.9.3.
- [Release notes](https://github.com/caarlos0/env/releases)
- [Changelog](https://github.com/caarlos0/env/blob/main/.goreleaser.yml)
- [Commits](caarlos0/env@v6.9.2...v6.9.3)

---
updated-dependencies:
- dependency-name: github.com/caarlos0/env/v6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

* 🌱 Bump debian from `fbaacd5` to `06a93cb`

Bumps debian from `fbaacd5` to `06a93cb`.

---
updated-dependencies:
- dependency-name: debian
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* 🌱 Bump actions/setup-go from 3.1.0 to 3.2.0

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.1.0 to 3.2.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@fcdc436...b22fbbc)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* ✨ Bump container hash to use scorecard v4.3.1 (#324)

* Update Dockerfile

* Update Dockerfile

* Update README.md (#325)

* Update Scorecard API usage

* Add documentation for e2e tests

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeems@google.com>
  • Loading branch information
7 people authored Jun 7, 2022
1 parent f4b110b commit f555ac7
Show file tree
Hide file tree
Showing 18 changed files with 440 additions and 98 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@2f58583a1b24a7d3c7034f6bf9fa506d23b1183b # v1.1.4
uses: github/codeql-action/init@a3a6c128d771b6b9bdebb1c9d0583ebd2728a108 # v2.1.11
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
Expand All @@ -50,7 +50,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@2f58583a1b24a7d3c7034f6bf9fa506d23b1183b # v1.1.4
uses: github/codeql-action/autobuild@a3a6c128d771b6b9bdebb1c9d0583ebd2728a108 # v2.1.11

# ℹ️ Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
Expand All @@ -64,4 +64,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@2f58583a1b24a7d3c7034f6bf9fa506d23b1183b # v1.1.4
uses: github/codeql-action/analyze@a3a6c128d771b6b9bdebb1c9d0583ebd2728a108 # v2.1.11
41 changes: 41 additions & 0 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
# Copyright 2022 OpenSSF Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0

# Dependency Review Action
#
# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging.
#
# Source repository: https://github.com/actions/dependency-review-action
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement
name: 'Dependency Review'
on: [pull_request]

permissions:
contents: read

jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs

- name: 'Checkout Repository'
uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
- name: 'Dependency Review'
uses: actions/dependency-review-action@310e0dd64f63b1d00101ecd3225d605a74261fb7
2 changes: 1 addition & 1 deletion .github/workflows/golangci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ jobs:
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 #v2.1.5
- uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 #v2.1.5
with:
go-version: '1.17.x'
- uses: golangci/golangci-lint-action@537aa1903e5d359d0b27dbc19ddd22c5087f3fbc
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/tests.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ jobs:
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 #v2.1.5
- uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 #v2.1.5
with:
go-version: '1.17.x'
- name: Run Go tests
Expand Down Expand Up @@ -70,7 +70,7 @@ jobs:
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- uses: actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2 #v2.1.5
- uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 #v2.1.5
with:
go-version: '1.17.x'
- name: Run Go verify
Expand Down
21 changes: 4 additions & 17 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -21,24 +21,11 @@
# -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN \
# -e GITHUB_REPOSITORY="ossf/scorecard" \
# laurentsimon/scorecard-action:latest
FROM gcr.io/openssf/scorecard:v4.3.1@sha256:06e3ddde7f63619813c5749389010b596e753fa070c524a42fd0de756f96970f as base

#v1.17 go
FROM golang@sha256:bd9823cdad5700fb4abe983854488749421d5b4fc84154c30dae474100468b85 AS base
WORKDIR /src
ENV CGO_ENABLED=0
COPY go.* ./
RUN go mod download
COPY . ./

FROM base AS build
ARG TARGETOS
ARG TARGETARCH
RUN CGO_ENABLED=0 make build

# TODO: use distroless:
# FROM gcr.io/distroless/base:nonroot@sha256:02f667185ccf78dbaaf79376b6904aea6d832638e1314387c2c2932f217ac5cb
FROM debian:11.3-slim@sha256:78fd65998de7a59a001d792fe2d3a6d2ea25b6f3f068e5c84881250373577414

# Build our image and update the root certs.
# TODO: use distroless.
FROM debian:11.3-slim@sha256:06a93cbdd49a265795ef7b24fe374fee670148a7973190fb798e43b3cf7c5d0f
RUN apt-get update && \
apt-get install -y --no-install-recommends \
# For debugging.
Expand Down
51 changes: 51 additions & 0 deletions Dockerfile.golang
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
# Copyright 2021 Security Scorecard Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Testing: docker run -e GITHUB_REF=refs/heads/main \
# -e GITHUB_EVENT_NAME=branch_protection_rule \
# -e INPUT_RESULTS_FORMAT=sarif \
# -e INPUT_RESULTS_FILE=results.sarif \
# -e GITHUB_WORKSPACE=/ \
# -e INPUT_POLICY_FILE="/policy.yml" \
# -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN \
# -e GITHUB_REPOSITORY="ossf/scorecard" \
# laurentsimon/scorecard-action:latest

#v1.17 go
FROM golang@sha256:bd9823cdad5700fb4abe983854488749421d5b4fc84154c30dae474100468b85 AS base
WORKDIR /src
ENV CGO_ENABLED=0
COPY go.* ./
RUN go mod download
COPY . ./

FROM base AS build
ARG TARGETOS
ARG TARGETARCH
RUN CGO_ENABLED=0 make build

# TODO: use distroless:
# FROM gcr.io/distroless/base:nonroot@sha256:02f667185ccf78dbaaf79376b6904aea6d832638e1314387c2c2932f217ac5cb
FROM debian:11.3-slim@sha256:78fd65998de7a59a001d792fe2d3a6d2ea25b6f3f068e5c84881250373577414

RUN apt-get update && \
apt-get install -y --no-install-recommends \
# For debugging.
jq ca-certificates curl
COPY --from=build /src/scorecard-action /

# Copy a test policy for local testing.
COPY policies/template.yml /policy.yml

ENTRYPOINT [ "/scorecard-action" ]
8 changes: 4 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,7 @@ Note: if you disable this option, the results of the Scorecards Action run will

```yml
name: Scorecards supply-chain security
on:
on:
# Only the default branch is supported.
branch_protection_rule:
schedule:
Expand All @@ -168,12 +168,12 @@ jobs:

steps:
- name: "Checkout code"
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@c1aec4ac820532bab364f02a81873c555a0ba3a1 # v1.0.4
uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e # v1.1.1
with:
results_file: results.sarif
results_format: sarif
Expand All @@ -192,7 +192,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@82c141cc518b40d92cc801eee768e7aafc9c2fa2 # v2.3.1
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v3.0.0
with:
name: SARIF file
path: results.sarif
Expand Down
21 changes: 21 additions & 0 deletions cloudbuild.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# Copyright 2021 Security Scorecard Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

steps:
- name: 'gcr.io/cloud-builders/docker'
args: ['build', '.',
'-t', 'gcr.io/openssf/scorecard-action:latest',
'-t', 'gcr.io/openssf/scorecard-action:$COMMIT_SHA',
'-f', 'Dockerfile.golang']
images: ['gcr.io/openssf/scorecard-action']
67 changes: 58 additions & 9 deletions e2e/README.md
Original file line number Diff line number Diff line change
@@ -1,21 +1,70 @@
# What

e2e Scorecard action tests for differences in functionality between Scorecard
action implemented in Bash and the updated version implemented using Golang.
These e2e tests will be used until the release of Scorecard Golang action after
which these tests will be modified to run regular e2e testing.

# Setup

For testing functionality difference between the 2 implementations, we need a
setup which can invoke these implementations through a GitHub Action on the same
repo/commitSHA. We achieve this by:

1. The 2 implementations are built using 2 separate Dockerfiles. `./Dockerfile`
for Bash and `./Dockerfile.golang` for Golang.
2. A CloudBuild trigger uses `./cloudbuild.yaml` to continuously build and
generate the Golang Docker image. This also helps reduce run time during the
actual GitHub Action run. The generated Docker image is tagged
`scorecard-action:latest`.
3. Bash implementation at `HEAD` is invoked by referencing: `uses:
ossf/scorecard-action@main` in a GitHub workflow file.
4. The same repository invokes Golang implementation by referencing: `uses:
gcr.io/openssf/scorecard-action:latest`
5. The artifact (SARIF file) produced by these 2 implementations are diff-ed to
verify functional similarity. This step is not yet automated and is largely
manual.

# e2e tests

The `e2e` tests for the action is run by running the action every day on a cron for different use cases. The action that run points to `@main` which helps in catching issues sooner.
The `e2e` tests for the action is run by running the action every day on a cron
for different use cases. The action that run points to `@main` which helps in
catching issues sooner.

If these actions fails to run these actions would create an issue in the repository using https://github.com/naveensrinivasan/Create-GitHub-Issue
If these actions fails to run these actions would create an issue in the
repository using https://github.com/naveensrinivasan/Create-GitHub-Issue

The actions primarily run out of https://github.com/ossf-tests organization.

## Status

| Testcase | Repository | Status. |
| -------- | -------- | -------- |
| Fork | https://github.com/ossf-tests/scorecard-action | [![Fork](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards.yml) |
| Non-main-branch | https://github.com/ossf-tests/scorecard-action-non-main-branch | [![non-main-branch](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-analysis.yml/badge.svg?branch=other)](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-analysis.yml) |
|Private repository|https://github.com/test-organization-ls/scorecard-action-private-repo-tests| [![Scorecards supply-chain security](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecard.yml/badge.svg)](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecard.yml) |
Testcase | Repository | Status.
------------------ | --------------------------------------------------------------------------- | -------
Fork | https://github.com/ossf-tests/scorecard-action | [![Fork](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards.yml)
Non-main-branch | https://github.com/ossf-tests/scorecard-action-non-main-branch | [![non-main-branch](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-analysis.yml/badge.svg?branch=other)](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-analysis.yml)
Private repository | https://github.com/test-organization-ls/scorecard-action-private-repo-tests | [![Scorecards supply-chain security](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecard.yml/badge.svg)](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecard.yml)

| Fork-golang-staging | https://github.com/ossf-tests/scorecard-action
|[![Scorecards supply-chain security](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards-golang.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards-golang.yml)
| Non-main-branch-golang-staging |
https://github.com/ossf-tests/scorecard-action-non-main-branch |
[![Scorecards supply-chain security golang](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-golang.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-golang.yml)
|Private
repository-golang-staging|https://github.com/test-organization-ls/scorecard-action-private-repo-tests|[![Scorecards supply-chain security golang](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecards-golang.yml/badge.svg)](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecards-golang.yml)

## Diff between golang-staging branch and main

- Here is the sarif results diff between main and golang-staging. There are
few text diffs
https://github.com/ossf-tests/scorecard-action-results/pull/1/files. The PR
is for golang run results. The `main` branch has the `scorecard-action`
`main` branch run results.

## Steps to add a new test case

1. Create a new repository in the `ossf-tests` organization
2. Clone this workflow https://github.com/ossf-tests/scorecard-action-non-main-branch/blob/other/.github/workflows/scorecard-analysis.yml which has the steps to create an issue if the action fails to run. If the action fails it should create an issue like this https://github.com/ossf/scorecard-action/issues/147
1. Create a new repository in the `ossf-tests` organization
2. Clone this workflow
https://github.com/ossf-tests/scorecard-action-non-main-branch/blob/other/.github/workflows/scorecard-analysis.yml
which has the steps to create an issue if the action fails to run. If the
action fails it should create an issue like this
https://github.com/ossf/scorecard-action/issues/147
7 changes: 7 additions & 0 deletions entrypoint/entrypoint.go
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,13 @@ func New() (*cobra.Command, error) {
"path to output results to",
)

actionCmd.Flags().BoolVar(
&opts.PublishResults,
"publish",
opts.PublishResults,
"if set, results will be published (for public repositories only)",
)

// Adapt scorecard's PreRunE to support an output file
// TODO(scorecard): Move this into scorecard
var out, stdout *os.File
Expand Down
Loading

0 comments on commit f555ac7

Please sign in to comment.