* 🌱 Bump github.com/ossf/scorecard/v4 from 4.2.0 to 4.3.0 (#313)

* 🌱 Bump github.com/ossf/scorecard/v4 from 4.2.0 to 4.3.0

  Bumps [github.com/ossf/scorecard/v4](https://github.com/ossf/scorecard) from 4.2.0 to 4.3.0.
  - [Release notes](https://github.com/ossf/scorecard/releases)
  - [Changelog](https://github.com/ossf/scorecard/blob/main/.goreleaser.yml)
  - [Commits](ossf/scorecard@v4.2.0...v4.3.0)

  ---
  updated-dependencies:
  - dependency-name: github.com/ossf/scorecard/v4
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <support@github.com>

* options: Restore logic for publishing results

  Signed-off-by: Stephen Augustus <foo@auggie.dev>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Stephen Augustus <foo@auggie.dev>

* 🌱 Bump github/codeql-action from 2.1.10 to 2.1.11 (#311)

* 🌱 Bump github/codeql-action from 2.1.10 to 2.1.11

  Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.10 to 2.1.11.
  - [Release notes](https://github.com/github/codeql-action/releases)
  - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
  - [Commits](github/codeql-action@2f58583...a3a6c12)

  ---
  updated-dependencies:
  - dependency-name: github/codeql-action
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>

* Fix version comments

  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>

* 📖 docs/e2e: Add information about golang-staging branch tests (#170)

  Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
  Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>

* 🌱 .github: Add dependency review action (#165)

  Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>

* Update README.md (#319)

* 🌱 Bump github.com/caarlos0/env/v6 from 6.9.2 to 6.9.3

  Bumps [github.com/caarlos0/env/v6](https://github.com/caarlos0/env) from 6.9.2 to 6.9.3.
  - [Release notes](https://github.com/caarlos0/env/releases)
  - [Changelog](https://github.com/caarlos0/env/blob/main/.goreleaser.yml)
  - [Commits](caarlos0/env@v6.9.2...v6.9.3)

  ---
  updated-dependencies:
  - dependency-name: github.com/caarlos0/env/v6
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <support@github.com>

* 🌱 Bump debian from `fbaacd5` to `06a93cb`

  Bumps debian from `fbaacd5` to `06a93cb`.

  ---
  updated-dependencies:
  - dependency-name: debian
    dependency-type: direct:production
  ...

  Signed-off-by: dependabot[bot] <support@github.com>

* 🌱 Bump actions/setup-go from 3.1.0 to 3.2.0

  Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3.1.0 to 3.2.0.
  - [Release notes](https://github.com/actions/setup-go/releases)
  - [Commits](actions/setup-go@fcdc436...b22fbbc)

  ---
  updated-dependencies:
  - dependency-name: actions/setup-go
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <support@github.com>

* ✨ Bump container hash to use scorecard v4.3.1 (#324)

* Update Dockerfile

* Update Dockerfile

* Update README.md (#325)

* Update Scorecard API usage

* Add documentation for e2e tests

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Stephen Augustus <foo@auggie.dev>
Co-authored-by: Stephen Augustus (he/him) <justaugustus@users.noreply.github.com>
Co-authored-by: Naveen <172697+naveensrinivasan@users.noreply.github.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Co-authored-by: Azeem Shaikh <azeems@google.com>
1 parent f4b110b, commit f555ac7. Showing 18 changed files with 440 additions and 98 deletions.
@@ -0,0 +1,41 @@ | ||
# Copyright 2022 OpenSSF Authors | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
# | ||
# SPDX-License-Identifier: Apache-2.0 | ||
|
||
# Dependency Review Action | ||
# | ||
# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. | ||
# | ||
# Source repository: https://github.com/actions/dependency-review-action | ||
# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement | ||
name: 'Dependency Review' | ||
on: [pull_request] | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
dependency-review: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813 | ||
with: | ||
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
|
||
- name: 'Checkout Repository' | ||
uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28 | ||
- name: 'Dependency Review' | ||
uses: actions/dependency-review-action@310e0dd64f63b1d00101ecd3225d605a74261fb7 |
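Review bot: The three `uses:` lines in this workflow pin `harden-runner`, `actions/checkout` and `dependency-review-action` to full commit SHAs but carry no version comment, which is inconsistent with the "Fix version comments" commit folded into this same merge; add a trailing `# vX.Y.Z` comment to each pin so reviewers and Dependabot can tell which release a hash corresponds to. The `egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs` line is reasonable for a first rollout, but until it is switched to `block` Harden Runner only records unexpected outbound connections from this job rather than preventing them, so track the TODO with an issue so it does not stay in audit mode indefinitely.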
@@ -0,0 +1,51 @@ | ||
# Copyright 2021 Security Scorecard Authors | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
# Testing: docker run -e GITHUB_REF=refs/heads/main \ | ||
# -e GITHUB_EVENT_NAME=branch_protection_rule \ | ||
# -e INPUT_RESULTS_FORMAT=sarif \ | ||
# -e INPUT_RESULTS_FILE=results.sarif \ | ||
# -e GITHUB_WORKSPACE=/ \ | ||
# -e INPUT_POLICY_FILE="/policy.yml" \ | ||
# -e INPUT_REPO_TOKEN=$GITHUB_AUTH_TOKEN \ | ||
# -e GITHUB_REPOSITORY="ossf/scorecard" \ | ||
# laurentsimon/scorecard-action:latest | ||
|
||
#v1.17 go | ||
FROM golang@sha256:bd9823cdad5700fb4abe983854488749421d5b4fc84154c30dae474100468b85 AS base | ||
WORKDIR /src | ||
ENV CGO_ENABLED=0 | ||
COPY go.* ./ | ||
RUN go mod download | ||
COPY . ./ | ||
|
||
FROM base AS build | ||
ARG TARGETOS | ||
ARG TARGETARCH | ||
RUN CGO_ENABLED=0 make build | ||
|
||
# TODO: use distroless: | ||
# FROM gcr.io/distroless/base:nonroot@sha256:02f667185ccf78dbaaf79376b6904aea6d832638e1314387c2c2932f217ac5cb | ||
FROM debian:11.3-slim@sha256:78fd65998de7a59a001d792fe2d3a6d2ea25b6f3f068e5c84881250373577414 | ||
|
||
RUN apt-get update && \ | ||
apt-get install -y --no-install-recommends \ | ||
# For debugging. | ||
jq ca-certificates curl | ||
COPY --from=build /src/scorecard-action / | ||
|
||
# Copy a test policy for local testing. | ||
COPY policies/template.yml /policy.yml | ||
|
||
ENTRYPOINT [ "/scorecard-action" ] |
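Review bot: The final stage of this Dockerfile has no `USER` directive, so the action runs as root, and it keeps `curl` and `jq`, which the `# For debugging.` comment itself marks as non-essential, even though the `# TODO: use distroless` line right above shows the intended end state; either add a non-root `USER` and drop the debugging packages now, or attach a tracking issue to the TODO so the hardening is not forgotten. In the same hunk, the `apt-get install` should end with `rm -rf /var/lib/apt/lists/*` in the same `RUN` so the package index does not persist in the layer, and `ARG TARGETOS` / `ARG TARGETARCH` are declared in the build stage but never passed to `make build` (for example as `GOOS`/`GOARCH`), so a multi-platform build would quietly produce a host-architecture binary; the explicit `CGO_ENABLED=0` on that line is also redundant given `ENV CGO_ENABLED=0` in the base stage. The testing comment at the top references `laurentsimon/scorecard-action:latest`, which is a personal image rather than the `gcr.io/openssf/scorecard-action` image this build pipeline publishes.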
@@ -0,0 +1,21 @@ | ||
# Copyright 2021 Security Scorecard Authors | ||
# | ||
# Licensed under the Apache License, Version 2.0 (the "License"); | ||
# you may not use this file except in compliance with the License. | ||
# You may obtain a copy of the License at | ||
# | ||
# http://www.apache.org/licenses/LICENSE-2.0 | ||
# | ||
# Unless required by applicable law or agreed to in writing, software | ||
# distributed under the License is distributed on an "AS IS" BASIS, | ||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
# See the License for the specific language governing permissions and | ||
# limitations under the License. | ||
|
||
steps: | ||
- name: 'gcr.io/cloud-builders/docker' | ||
args: ['build', '.', | ||
'-t', 'gcr.io/openssf/scorecard-action:latest', | ||
'-t', 'gcr.io/openssf/scorecard-action:$COMMIT_SHA', | ||
'-f', 'Dockerfile.golang'] | ||
images: ['gcr.io/openssf/scorecard-action'] |
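Review bot: Both the builder image `gcr.io/cloud-builders/docker` and the published `gcr.io/openssf/scorecard-action:latest` tag are mutable references; anything that consumes `:latest`, as the e2e docs in this commit describe, picks up whatever was pushed most recently, so consumers should pin to the `$COMMIT_SHA` tag produced here or, better, to the image digest. Consider pinning the builder by digest as well and recording the digest of each published image so the e2e runs are reproducible.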
@@ -1,21 +1,70 @@ | ||
# What | ||
|
||
e2e Scorecard action tests for differences in functionality between Scorecard | ||
action implemented in Bash and the updated version implemented using Golang. | ||
These e2e tests will be used until the release of Scorecard Golang action after | ||
which these tests will be modified to run regular e2e testing. | ||
|
||
# Setup | ||
|
||
For testing functionality difference between the 2 implementations, we need a | ||
setup which can invoke these implementations through a GitHub Action on the same | ||
repo/commitSHA. We achieve this by: | ||
|
||
1. The 2 implementations are built using 2 separate Dockerfiles. `./Dockerfile` | ||
for Bash and `./Dockerfile.golang` for Golang. | ||
2. A CloudBuild trigger uses `./cloudbuild.yaml` to continuously build and | ||
generate the Golang Docker image. This also helps reduce run time during the | ||
actual GitHub Action run. The generated Docker image is tagged | ||
`scorecard-action:latest`. | ||
3. Bash implementation at `HEAD` is invoked by referencing: `uses: | ||
ossf/scorecard-action@main` in a GitHub workflow file. | ||
4. The same repository invokes Golang implementation by referencing: `uses: | ||
gcr.io/openssf/scorecard-action:latest` | ||
5. The artifact (SARIF file) produced by these 2 implementations are diff-ed to | ||
verify functional similarity. This step is not yet automated and is largely | ||
manual. | ||
|
||
# e2e tests | ||
|
||
The `e2e` tests for the action is run by running the action every day on a cron for different use cases. The action that run points to `@main` which helps in catching issues sooner. | ||
The `e2e` tests for the action is run by running the action every day on a cron | ||
for different use cases. The action that run points to `@main` which helps in | ||
catching issues sooner. | ||
|
||
If these actions fails to run these actions would create an issue in the repository using https://github.com/naveensrinivasan/Create-GitHub-Issue | ||
If these actions fails to run these actions would create an issue in the | ||
repository using https://github.com/naveensrinivasan/Create-GitHub-Issue | ||
|
||
The actions primarily run out of https://github.com/ossf-tests organization. | ||
|
||
## Status | ||
|
||
| Testcase | Repository | Status. | | ||
| -------- | -------- | -------- | | ||
| Fork | https://github.com/ossf-tests/scorecard-action | [![Fork](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards.yml) | | ||
| Non-main-branch | https://github.com/ossf-tests/scorecard-action-non-main-branch | [![non-main-branch](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-analysis.yml/badge.svg?branch=other)](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-analysis.yml) | | ||
|Private repository|https://github.com/test-organization-ls/scorecard-action-private-repo-tests| [![Scorecards supply-chain security](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecard.yml/badge.svg)](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecard.yml) | | ||
Testcase | Repository | Status. | ||
------------------ | --------------------------------------------------------------------------- | ------- | ||
Fork | https://github.com/ossf-tests/scorecard-action | [![Fork](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards.yml) | ||
Non-main-branch | https://github.com/ossf-tests/scorecard-action-non-main-branch | [![non-main-branch](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-analysis.yml/badge.svg?branch=other)](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-analysis.yml) | ||
Private repository | https://github.com/test-organization-ls/scorecard-action-private-repo-tests | [![Scorecards supply-chain security](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecard.yml/badge.svg)](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecard.yml) | ||
|
||
| Fork-golang-staging | https://github.com/ossf-tests/scorecard-action | ||
|[![Scorecards supply-chain security](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards-golang.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action/actions/workflows/scorecards-golang.yml) | ||
| Non-main-branch-golang-staging | | ||
https://github.com/ossf-tests/scorecard-action-non-main-branch | | ||
[![Scorecards supply-chain security golang](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-golang.yml/badge.svg)](https://github.com/ossf-tests/scorecard-action-non-main-branch/actions/workflows/scorecard-golang.yml) | ||
|Private | ||
repository-golang-staging|https://github.com/test-organization-ls/scorecard-action-private-repo-tests|[![Scorecards supply-chain security golang](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecards-golang.yml/badge.svg)](https://github.com/test-organization-ls/scorecard-action-private-repo-tests/actions/workflows/scorecards-golang.yml) | ||
|
||
## Diff between golang-staging branch and main | ||
|
||
- Here is the sarif results diff between main and golang-staging. There are | ||
few text diffs | ||
https://github.com/ossf-tests/scorecard-action-results/pull/1/files. The PR | ||
is for golang run results. The `main` branch has the `scorecard-action` | ||
`main` branch run results. | ||
|
||
## Steps to add a new test case | ||
|
||
1. Create a new repository in the `ossf-tests` organization | ||
2. Clone this workflow https://github.com/ossf-tests/scorecard-action-non-main-branch/blob/other/.github/workflows/scorecard-analysis.yml which has the steps to create an issue if the action fails to run. If the action fails it should create an issue like this https://github.com/ossf/scorecard-action/issues/147 | ||
1. Create a new repository in the `ossf-tests` organization | ||
2. Clone this workflow | ||
https://github.com/ossf-tests/scorecard-action-non-main-branch/blob/other/.github/workflows/scorecard-analysis.yml | ||
which has the steps to create an issue if the action fails to run. If the | ||
action fails it should create an issue like this | ||
https://github.com/ossf/scorecard-action/issues/147 |
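Review bot: The three `*-golang-staging` rows added to the Status table are hard-wrapped mid-row to fit 80 columns, and markdown renders a wrapped table row as stray text rather than as a row, so keep each of those rows on a single line as the three rows above them are (wrapping the prose paragraphs elsewhere in this hunk is fine, since markdown reflows prose). Two smaller points: step 4 of Setup writes `uses: gcr.io/openssf/scorecard-action:latest`, but a workflow references a container image with the `docker://` prefix (`uses: docker://gcr.io/openssf/scorecard-action:latest`), and "If these actions fails to run these actions would create an issue" should read "If these actions fail to run, they create an issue". The `Status.` column header also has a stray period.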