Reusable workflows (#256)

* Migrate linter to reusable workflows * Migrate stale to reusable workflows * Migrate license to reusable workflow * Migrate analysis to reusable workflows codeql-analysis.yml -> analysis.yml Rename workflow CodeQL to Analysis Add Scorecards supply-chain security analysis Add dependency review pin dependencies Using reusable dependency review Call reusable dependency review workflow without args * Migrate builder to reusable workflows * Migrate release to reusable workflows * Use harden runner for testing workflow * Use harden runner for dispatch workflow * Migrate snapcraft to reusable workflows * Use harden runner for docker workflow * Remove dispatch job from docker workflow * Add allowed endpoints * Add allow endpoint * Remove upload artifacts job * Move write permission to job level
wabarc · Dec 3, 2022 · 6c6bf79 · 6c6bf79
1 parent fe0149c
commit 6c6bf79
Show file tree

Hide file tree

Showing 11 changed files with 481 additions and 1,187 deletions.
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -0,0 +1,68 @@
+# Copyright 2020 Wayback Archiver. All rights reserved.
+# Use of this source code is governed by the GNU GPL v3
+# license that can be found in the LICENSE file.
+
+name: "Analysis"
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '33 23 * * 4'
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards
+    uses: wabarc/.github/.github/workflows/reusable-scorecards.yml@main
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Used to receive a badge. (Upcoming feature)
+      id-token: write
+      actions: read
+      contents: read
+
+  codeql:
+    name: CodeQL
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
+        # Learn more:
+        # https://docs.github.com/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
+    uses: wabarc/.github/.github/workflows/reusable-codeql.yml@main
+    with:
+      language: ${{ matrix.language }}
+      config-file: './.github/codeql/codeql-config.yml'
+
+  nancy:
+    name: Sonatype Nancy
+    uses: wabarc/.github/.github/workflows/reusable-nancy.yml@main
+
+  semgrep:
+    name: Semgrep Scan
+    if: github.actor != 'dependabot[bot]'
+    uses: wabarc/.github/.github/workflows/reusable-semgrep.yml@main
+
+  fossa:
+    if: github.repository == 'wabarc/wayback'
+    name: FOSSA
+    uses: wabarc/.github/.github/workflows/reusable-fossa.yml@main
+    secrets:
+      fossa-apikey: ${{ secrets.FOSSA_APIKEY }}
+
+  dependency-review:
+    name: Dependency Review
+    uses: wabarc/.github/.github/workflows/reusable-dependency-review.yml@main