From 12d3c6644e0825c1214af496410a5b943ec2241f Mon Sep 17 00:00:00 2001 From: StepSecurity Bot Date: Tue, 16 Apr 2024 13:18:23 +0000 Subject: [PATCH 1/6] [StepSecurity] Apply security best practices Signed-off-by: StepSecurity Bot --- .github/workflows/auto_update.yml | 15 +++--- .github/workflows/build_and_test.yml | 55 ++++++++++--------- .github/workflows/check_dependabot.yml | 4 +- .github/workflows/cifuzz.yml | 9 ++-- .github/workflows/codeql.yml | 9 ++-- .github/workflows/dependency-review.yml | 22 ++++++++ .github/workflows/package.yml | 38 ++++++------- .github/workflows/scorecards.yml | 71 +++++++++++++++++++++++++ 8 files changed, 164 insertions(+), 59 deletions(-) create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/scorecards.yml diff --git a/.github/workflows/auto_update.yml b/.github/workflows/auto_update.yml index ca6dd18984..b83f1a6125 100644 --- a/.github/workflows/auto_update.yml +++ b/.github/workflows/auto_update.yml @@ -4,17 +4,20 @@ on: schedule: - cron: '10 10 15 * *' +permissions: + contents: read + jobs: precommit-update: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: ref: dev - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.8.x" - name: Run update @@ -22,7 +25,7 @@ jobs: pip install pre-commit pre-commit autoupdate - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533 # v6.0.3 with: token: ${{ secrets.PAT }} author: GitHub @@ -43,11 +46,11 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: ref: dev - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.9.x" - name: Run update @@ -55,7 +58,7 @@ jobs: python3 3rdParty/OUIDataset/create_oui_data.py mv -f PCPP_OUIDataset.json 3rdParty/OUIDataset/PCPP_OUIDataset.json - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 + uses: peter-evans/create-pull-request@c55203cfde3e5c11a452d352b4393e68b85b4533 # v6.0.3 with: token: ${{ secrets.PAT }} author: GitHub diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml index 2909dbf688..767e9907c5 100644 --- a/.github/workflows/build_and_test.yml +++ b/.github/workflows/build_and_test.yml @@ -9,13 +9,16 @@ env: BUILD_DIR: Dist GCOVR_FLAGS: --gcov-ignore-parse-errors --exclude-throw-branches --filter Common --filter Pcap --filter Packet --xml +permissions: + contents: read + jobs: pre-commit: runs-on: ubuntu-latest container: seladb/alpine317 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # Checkout is performed out of the container and doesn't match our user - name: Fix checkout ownership @@ -26,7 +29,7 @@ jobs: apk update && apk add cppcheck python3-dev python3 -m pip install cmake-format - - uses: pre-commit/action@v3.0.1 + - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 - name: CMake format run: | @@ -73,7 +76,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # Checkout is performed out of the container and doesn't match our user - name: Fix checkout ownership @@ -124,7 +127,7 @@ jobs: gcovr -v -r . ${{ matrix.additional-gcov-flags }} $GCOVR_FLAGS -o coverage.xml - name: Upload Coverage Results - uses: codecov/codecov-action@v3.1.6 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 with: files: ./coverage.xml flags: ${{ matrix.image }},unittest @@ -145,7 +148,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Configure PcapPlusPlus run: cmake -DPCAPPP_USE_DPDK=ON ${{ matrix.additional-flags }} -S . -B "$BUILD_DIR" @@ -190,7 +193,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Configure PcapPlusPlus run: ${{ matrix.configure }} @@ -238,9 +241,9 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: # support version: https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json python-version: "3.12" @@ -298,7 +301,7 @@ jobs: gcovr -v -r . $GCOVR_FLAGS -o coverage.xml - name: Upload Coverage Results - uses: codecov/codecov-action@v3.1.6 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 with: files: ./coverage.xml flags: ${{ matrix.os-version }},unittest @@ -313,9 +316,9 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: # support version: https://raw.githubusercontent.com/actions/python-versions/main/versions-manifest.json python-version: "3.12" @@ -371,7 +374,7 @@ jobs: gcovr -v -r . $GCOVR_FLAGS -o coverage.xml - name: Upload Coverage Results - uses: codecov/codecov-action@v3.1.6 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 with: files: ./coverage.xml flags: ${{ matrix.os-version }},unittest @@ -390,10 +393,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup MSYS2 - uses: msys2/setup-msys2@v2 + uses: msys2/setup-msys2@cc11e9188b693c2b100158c3322424c4cc1dadea # v2.22.0 with: msystem: ${{matrix.sys}} install: >- @@ -403,7 +406,7 @@ jobs: mingw-w64-${{matrix.env}}-make - name: Setup Python - uses: actions/setup-python@v5 + uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.8.x" @@ -451,7 +454,7 @@ jobs: run: gcovr -v -g -k -r . $env:GCOVR_FLAGS.split() -o coverage.xml - name: Upload Coverage Results - uses: codecov/codecov-action@v3.1.6 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 with: files: ./coverage.xml flags: ${{ matrix.sys }},unittest @@ -482,14 +485,14 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - uses: actions/setup-python@v5 + - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 with: python-version: "3.8.x" - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v2 + uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0 - name: Setup OpenCppCoverage and add to PATH run: | @@ -539,7 +542,7 @@ jobs: python -m pytest --root-path=../../Dist/examples_bin - name: Upload Coverage Results - uses: codecov/codecov-action@v3.1.6 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 with: files: ./Tests/Pcap++Test/Pcap++Coverage.xml,./Tests/Packet++Test/Packet++Coverage.xml flags: ${{ matrix.os }},unittest,${{ matrix.pcap_lib }} @@ -569,10 +572,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Checkout lipbcap for Android - uses: actions/checkout@main + uses: actions/checkout@cd7d8d697e10461458bc61a30d094dc601a8b017 # main with: repository: seladb/libpcap-android path: ./libpcap-android @@ -586,7 +589,7 @@ jobs: run: cmake --build "$BUILD_DIR" -j - name: Checkout ToyVpn-PcapPlusPlus - uses: actions/checkout@master + uses: actions/checkout@61b9e3751b92087fd0b06925ba6dd6314e06f089 # master with: repository: seladb/ToyVpn-PcapPlusPlus path: ./ToyVpn-PcapPlusPlus @@ -617,7 +620,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Install dependencies run: | @@ -641,7 +644,7 @@ jobs: gcovr -v -r . $GCOVR_FLAGS -o coverage.xml - name: Upload Coverage Results - uses: codecov/codecov-action@v3.1.6 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3.1.6 with: files: ./coverage.xml flags: xdp,unittest @@ -659,7 +662,7 @@ jobs: container: image: gcr.io/oss-fuzz-base/base-builder steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Install prerequisites run: | apt-get update && apt-get install -y cmake autoconf flex bison diff --git a/.github/workflows/check_dependabot.yml b/.github/workflows/check_dependabot.yml index 2b7b4c77ec..ad23b65238 100644 --- a/.github/workflows/check_dependabot.yml +++ b/.github/workflows/check_dependabot.yml @@ -10,6 +10,6 @@ jobs: validate: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 - - uses: marocchino/validate-dependabot@v2 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - uses: marocchino/validate-dependabot@0ff4b99d8d7297328dc50dc69a0796bd0607c07e # v2.2.0 id: validate diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml index 899d5768a5..71b6a9d434 100644 --- a/.github/workflows/cifuzz.yml +++ b/.github/workflows/cifuzz.yml @@ -3,6 +3,9 @@ on: pull_request: branches: ["dev"] +permissions: + contents: read + jobs: Fuzzing: runs-on: ubuntu-latest @@ -13,20 +16,20 @@ jobs: steps: - name: Build Fuzzers id: build - uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master + uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@c2c0632831767ff05c568e7b552cef2801d739ff # master with: oss-fuzz-project-name: 'pcapplusplus' dry-run: false sanitizer: ${{ matrix.sanitizer }} - name: Run Fuzzers - uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master + uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@c2c0632831767ff05c568e7b552cef2801d739ff # master with: oss-fuzz-project-name: 'pcapplusplus' fuzz-seconds: 600 dry-run: false sanitizer: ${{ matrix.sanitizer }} - name: Upload Crash - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 if: failure() && steps.build.outcome == 'success' with: name: artifacts diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 95f692b9b1..b87e1b20d9 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -7,6 +7,9 @@ on: schedule: - cron: '15 14 * * 1' +permissions: + contents: read + jobs: analyze: name: Analyze @@ -22,11 +25,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -41,4 +44,4 @@ jobs: cmake --build build -j - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@df5a14dc28094dc936e103b37d749c6628682b60 # v3.25.0 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000000..a52521621b --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,22 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 1b1a5b762f..156e8d8928 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -37,7 +37,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # Checkout is performed out of the container and doesn't match our user - name: Fix checkout ownership @@ -63,7 +63,7 @@ jobs: - name: Upload binaries to release if: github.ref_type == 'tag' - uses: ncipollo/release-action@v1 + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 with: draft: true allowUpdates: true @@ -79,10 +79,10 @@ jobs: - freebsd-version: "14.0" steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Test in FreeBSD - uses: vmactions/freebsd-vm@v1 + uses: vmactions/freebsd-vm@f8be330398166d1eb0601f01353839d4052367b2 # v1.0.7 with: release: ${{ matrix.freebsd-version }} envs: 'BUILD_DIR' @@ -96,7 +96,7 @@ jobs: - name: Upload binaries to release if: github.ref_type == 'tag' - uses: ncipollo/release-action@v1 + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 with: draft: true allowUpdates: true @@ -111,12 +111,12 @@ jobs: arch: [x86_64, arm64] steps: - - uses: maxim-lobanov/setup-xcode@v1 + - uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0 with: xcode-version: "${{ matrix.xcode-version }}" - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Configure PcapPlusPlus run: | @@ -130,7 +130,7 @@ jobs: - name: Upload binaries to release if: github.ref_type == 'tag' - uses: ncipollo/release-action@v1 + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 with: draft: true allowUpdates: true @@ -149,10 +149,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Setup MSYS2 - uses: msys2/setup-msys2@v2 + uses: msys2/setup-msys2@cc11e9188b693c2b100158c3322424c4cc1dadea # v2.22.0 with: msystem: ${{matrix.sys}} update: true @@ -191,7 +191,7 @@ jobs: - name: Upload binaries to release if: github.ref_type == 'tag' - uses: ncipollo/release-action@v1 + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 with: draft: true allowUpdates: true @@ -208,10 +208,10 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Add MSBuild to PATH - uses: microsoft/setup-msbuild@v2 + uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0 - name: Install WinPcap run: | @@ -231,7 +231,7 @@ jobs: - name: Upload binaries to release if: github.ref_type == 'tag' - uses: ncipollo/release-action@v1 + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 with: draft: true allowUpdates: true @@ -255,10 +255,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Checkout lipbcap for Android - uses: actions/checkout@main + uses: actions/checkout@cd7d8d697e10461458bc61a30d094dc601a8b017 # main with: repository: seladb/libpcap-android path: ./libpcap-android @@ -288,7 +288,7 @@ jobs: mkdir -p "android-package" mv "${COMBINED_PACKAGE_DIR}" "android-package" - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 with: path: android-package name: android-package-${{ matrix.target }}-${{ matrix.api-version }} @@ -299,7 +299,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 with: pattern: android-package-* merge-multiple: true @@ -311,7 +311,7 @@ jobs: tar cvf "${PACKAGE_DIR}.tar.gz" "${PACKAGE_DIR}" - name: Upload binaries to release if: github.ref_type == 'tag' - uses: ncipollo/release-action@v1 + uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 with: draft: true allowUpdates: true diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 0000000000..95ee238ca6 --- /dev/null +++ b/.github/workflows/scorecards.yml @@ -0,0 +1,71 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 7 * * 2' + push: + branches: ["master"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + contents: read + actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@f72882a05ba58122a44b17f2fce8fb50e5c79a59 # v2.25.0 + with: + sarif_file: results.sarif From e44b1708d04b80728d0a7c2e5d4c8c0479773c90 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ege=20=C3=87etin?= <64282645+egecetin@users.noreply.github.com> Date: Thu, 18 Apr 2024 21:02:40 +0300 Subject: [PATCH 2/6] Update scorecards.yml --- .github/workflows/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 95ee238ca6..b50b802665 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -44,7 +44,7 @@ jobs: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecards on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. - # repo_token: ${{ secrets.SCORECARD_TOKEN }} + repo_token: ${{ secrets.SCORECARD_TOKEN }} # Public repositories: # - Publish results to OpenSSF REST API for easy access by consumers From 61c3da504e3e1f892acf5ff42839c37e0a9aff9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ege=20=C3=87etin?= Date: Tue, 23 Apr 2024 21:13:53 +0300 Subject: [PATCH 3/6] Remove dependency-review and add badge to README --- .github/workflows/dependency-review.yml | 22 ---------------------- README.md | 1 + 2 files changed, 1 insertion(+), 22 deletions(-) delete mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml deleted file mode 100644 index a52521621b..0000000000 --- a/.github/workflows/dependency-review.yml +++ /dev/null @@ -1,22 +0,0 @@ -# Dependency Review Action -# -# This Action will scan dependency manifest files that change as part of a Pull Request, -# surfacing known-vulnerable versions of the packages declared or updated in the PR. -# Once installed, if the workflow run is marked as required, -# PRs introducing known-vulnerable packages will be blocked from merging. -# -# Source repository: https://github.com/actions/dependency-review-action -name: 'Dependency Review' -on: [pull_request] - -permissions: - contents: read - -jobs: - dependency-review: - runs-on: ubuntu-latest - steps: - - name: 'Checkout Repository' - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - - name: 'Dependency Review' - uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/README.md b/README.md index c2e144ef47..0d5a16c8a3 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,7 @@ [![Cirrus CI - Base Branch Build Status](https://img.shields.io/cirrus/github/seladb/PcapPlusPlus?label=Cirrus%20CI&logo=cirrusci&style=flat)](https://cirrus-ci.com/github/seladb/PcapPlusPlus) [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/seladb/PcapPlusPlus/codeql.yml?branch=master&label=CodeQL&logo=github&style=flat)](https://github.com/seladb/PcapPlusPlus/actions?query=workflow%3A%22CodeQL%22) [![Codecov](https://img.shields.io/codecov/c/github/seladb/PcapPlusPlus?logo=codecov&logoColor=white)](https://app.codecov.io/github/seladb/PcapPlusPlus) +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/seladb/PcapPlusPlus/badge)](https://scorecard.dev/viewer/?uri=github.com/seladb/PcapPlusPlus) [![GitHub contributors](https://img.shields.io/github/contributors/seladb/PcapPlusPlus?style=flat&label=Contributors&logo=github)](https://github.com/seladb/PcapPlusPlus/graphs/contributors)
[![Twitter Follow](https://img.shields.io/badge/follow-%40seladb-1DA1F2?logo=twitter&style=social)](https://twitter.com/intent/follow?screen_name=seladb) From 7f5a97088dea7be45335118428706e0ed2a0b9df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ege=20=C3=87etin?= <64282645+egecetin@users.noreply.github.com> Date: Fri, 26 Apr 2024 11:08:09 +0300 Subject: [PATCH 4/6] point to existing PAT --- .github/workflows/scorecards.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index b50b802665..6ed3c75e7b 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -44,7 +44,7 @@ jobs: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecards on a *private* repository # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. - repo_token: ${{ secrets.SCORECARD_TOKEN }} + repo_token: ${{ secrets.PAT }} # Public repositories: # - Publish results to OpenSSF REST API for easy access by consumers From ed0b71f4df0b0fb2a026b52c85cc5f47d06a47f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ege=20=C3=87etin?= <64282645+egecetin@users.noreply.github.com> Date: Tue, 7 May 2024 10:31:16 +0300 Subject: [PATCH 5/6] comment out shield for now --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0d5a16c8a3..97a631188b 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ [![Cirrus CI - Base Branch Build Status](https://img.shields.io/cirrus/github/seladb/PcapPlusPlus?label=Cirrus%20CI&logo=cirrusci&style=flat)](https://cirrus-ci.com/github/seladb/PcapPlusPlus) [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/seladb/PcapPlusPlus/codeql.yml?branch=master&label=CodeQL&logo=github&style=flat)](https://github.com/seladb/PcapPlusPlus/actions?query=workflow%3A%22CodeQL%22) [![Codecov](https://img.shields.io/codecov/c/github/seladb/PcapPlusPlus?logo=codecov&logoColor=white)](https://app.codecov.io/github/seladb/PcapPlusPlus) -[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/seladb/PcapPlusPlus/badge)](https://scorecard.dev/viewer/?uri=github.com/seladb/PcapPlusPlus) + [![GitHub contributors](https://img.shields.io/github/contributors/seladb/PcapPlusPlus?style=flat&label=Contributors&logo=github)](https://github.com/seladb/PcapPlusPlus/graphs/contributors)
[![Twitter Follow](https://img.shields.io/badge/follow-%40seladb-1DA1F2?logo=twitter&style=social)](https://twitter.com/intent/follow?screen_name=seladb) From 5b2b14bab86316e13524cb4fbf793d3a93561caf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ege=20=C3=87etin?= <64282645+egecetin@users.noreply.github.com> Date: Tue, 7 May 2024 10:33:00 +0300 Subject: [PATCH 6/6] reorder --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 97a631188b..379dd8f4f1 100644 --- a/README.md +++ b/README.md @@ -7,8 +7,8 @@ [![Cirrus CI - Base Branch Build Status](https://img.shields.io/cirrus/github/seladb/PcapPlusPlus?label=Cirrus%20CI&logo=cirrusci&style=flat)](https://cirrus-ci.com/github/seladb/PcapPlusPlus) [![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/seladb/PcapPlusPlus/codeql.yml?branch=master&label=CodeQL&logo=github&style=flat)](https://github.com/seladb/PcapPlusPlus/actions?query=workflow%3A%22CodeQL%22) [![Codecov](https://img.shields.io/codecov/c/github/seladb/PcapPlusPlus?logo=codecov&logoColor=white)](https://app.codecov.io/github/seladb/PcapPlusPlus) - [![GitHub contributors](https://img.shields.io/github/contributors/seladb/PcapPlusPlus?style=flat&label=Contributors&logo=github)](https://github.com/seladb/PcapPlusPlus/graphs/contributors) +
[![Twitter Follow](https://img.shields.io/badge/follow-%40seladb-1DA1F2?logo=twitter&style=social)](https://twitter.com/intent/follow?screen_name=seladb) [![GitHub Repo stars](https://img.shields.io/github/stars/seladb/PcapPlusPlus?style=social)]()