From 7b610c260e48a86f01c0a19d03ccb39755e88b9a Mon Sep 17 00:00:00 2001
From: JulieGunawan <48563515+JulieGunawan@users.noreply.github.com>
Date: Sat, 25 Nov 2023 06:39:09 -0700
Subject: [PATCH 1/4] Create scorecard.yml
---
.github/workflows/scorecard.yml | 72 +++++++++++++++++++++++++++++++++
1 file changed, 72 insertions(+)
create mode 100644 .github/workflows/scorecard.yml
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 000000000..c3baa18eb
--- /dev/null
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+ # For Branch-Protection check. Only the default branch is supported. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+ branch_protection_rule:
+ # To guarantee Maintained check is occasionally updated. See
+ # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+ schedule:
+ - cron: '36 0 * * 1'
+ push:
+ branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-latest
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (see publish_results below).
+ id-token: write
+ # Uncomment the permissions below if installing in a private repository.
+ # contents: read
+ # actions: read
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+ # - you want to enable the Branch-Protection check on a *public* repository, or
+ # - you are installing Scorecard on a *private* repository
+ # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+ # Public repositories:
+ # - Publish results to OpenSSF REST API for easy access by consumers
+ # - Allows the repository to include the Scorecard badge.
+ # - See https://github.com/ossf/scorecard-action#publishing-results.
+ # For private repositories:
+ # - `publish_results` will always be set to `false`, regardless
+ # of the value entered here.
+ publish_results: true
+
+ # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+ # format to the repository Actions tab.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+ with:
+ sarif_file: results.sarif
From 8c0049a361974f91491a8b55d46790b8e980c44a Mon Sep 17 00:00:00 2001
From: JulieGunawan <48563515+JulieGunawan@users.noreply.github.com>
Date: Sat, 25 Nov 2023 07:38:59 -0700
Subject: [PATCH 2/4] canceling the scorecard
---
.github/workflows/scorecard.yml | 72 ---------------------------------
1 file changed, 72 deletions(-)
delete mode 100644 .github/workflows/scorecard.yml
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
deleted file mode 100644
index c3baa18eb..000000000
--- a/.github/workflows/scorecard.yml
+++ /dev/null
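Review bot: The `uses:` lines in the PATCH 1/4 hunk are pinned to commit SHAs (good), but they correspond to old releases (`actions/checkout` v3.1.0, `ossf/scorecard-action` v2.1.2, `github/codeql-action/upload-sarif` v2.2.4) and nothing in the series keeps them current; add a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` so the pinned SHAs are bumped by pull request instead of drifting. The job-level `permissions:` block correctly scopes `security-events: write` and `id-token: write` under the top-level `permissions: read-all`, and `persist-credentials: false` on the checkout step is right for a job that never pushes. Note that PATCH 2/4 deletes this file again, so as a series the two commits cancel out and could be dropped before merge.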
@@ -1,72 +0,0 @@
-# This workflow uses actions that are not certified by GitHub. They are provided
-# by a third-party and are governed by separate terms of service, privacy
-# policy, and support documentation.
-
-name: Scorecard supply-chain security
-on:
- # For Branch-Protection check. Only the default branch is supported. See
- # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
- branch_protection_rule:
- # To guarantee Maintained check is occasionally updated. See
- # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
- schedule:
- - cron: '36 0 * * 1'
- push:
- branches: [ "main" ]
-
-# Declare default permissions as read only.
-permissions: read-all
-
-jobs:
- analysis:
- name: Scorecard analysis
- runs-on: ubuntu-latest
- permissions:
- # Needed to upload the results to code-scanning dashboard.
- security-events: write
- # Needed to publish results and get a badge (see publish_results below).
- id-token: write
- # Uncomment the permissions below if installing in a private repository.
- # contents: read
- # actions: read
-
- steps:
- - name: "Checkout code"
- uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
- with:
- persist-credentials: false
-
- - name: "Run analysis"
- uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
- with:
- results_file: results.sarif
- results_format: sarif
- # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
- # - you want to enable the Branch-Protection check on a *public* repository, or
- # - you are installing Scorecard on a *private* repository
- # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
- # repo_token: ${{ secrets.SCORECARD_TOKEN }}
-
- # Public repositories:
- # - Publish results to OpenSSF REST API for easy access by consumers
- # - Allows the repository to include the Scorecard badge.
- # - See https://github.com/ossf/scorecard-action#publishing-results.
- # For private repositories:
- # - `publish_results` will always be set to `false`, regardless
- # of the value entered here.
- publish_results: true
-
- # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
- # format to the repository Actions tab.
- - name: "Upload artifact"
- uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
- with:
- name: SARIF file
- path: results.sarif
- retention-days: 5
-
- # Upload the results to GitHub's code scanning dashboard.
- - name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
- with:
- sarif_file: results.sarif
From 7c00b7aadad59e06be4e0dc032d1a2f5d34b9dc8 Mon Sep 17 00:00:00 2001
From: JulieGunawan <48563515+JulieGunawan@users.noreply.github.com>
Date: Sun, 7 Jan 2024 10:44:21 -0700
Subject: [PATCH 3/4] Create test-labeler.yml
---
.github/workflows/test-labeler.yml | 39 ++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 .github/workflows/test-labeler.yml
diff --git a/.github/workflows/test-labeler.yml b/.github/workflows/test-labeler.yml
new file mode 100644
index 000000000..6881d76f3
--- /dev/null
+++ b/.github/workflows/test-labeler.yml
@@ -0,0 +1,39 @@
+name: Issue Labeler test
+on:
+ issues:
+ types: [opened]
+ issue_comment:
+ types: [created, edited, deleted]
+
+jobs:
+ labeler:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/labeler@v5
+ with:
+ script: |
+ const eventType = context.eventName;
+ // Get a list of all issues created by the PR opener
+ // See: https://octokit.github.io/rest.js/#pagination
+ const creator = context.payload.sender.login
+ const opts = github.rest.issues.listForRepo.endpoint.merge({
+ ...context.issue,
+ creator,
+ state: 'all'
+ })
+ const issues = await github.paginate(opts)
+
+ for (const issue of issues) {
+ if (issue.number === context.issue.number) {
+ continue
+ }
+
+ if (issue.pull_request || issue.user.login === creator) {
+ return // Creator is already a contributor.
+ } }
+ await github.rest.issues.addLabels({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ labels:["new contributor"]
+ });
From 7c8ae5251140ab7ee8211eb85a2451fe78b33696 Mon Sep 17 00:00:00 2001
From: JulieGunawan <48563515+JulieGunawan@users.noreply.github.com>
Date: Sun, 7 Jan 2024 14:47:33 -0700
Subject: [PATCH 4/4] test pr number label
---
.github/workflows/test-labeler.yml | 40 +++++++++--------------------
1 file changed, 12 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/test-labeler.yml b/.github/workflows/test-labeler.yml
index 6881d76f3..9b2a27057 100644
--- a/.github/workflows/test-labeler.yml
+++ b/.github/workflows/test-labeler.yml
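Review bot: `script:` is not an input of `actions/labeler@v5` (the `- uses: actions/labeler@v5` step in this hunk), so the inline JavaScript under `with:` is never executed; that input belongs to `actions/github-script`, and the step should read `uses: actions/github-script@v7` if the intent is to run it. Even once it runs, the loop's second condition is redundant: `listForRepo` is already filtered by `creator`, so `issue.user.login === creator` holds for every result and the label is only ever added when the sender has no other issue or PR in the repository — a comment such as `// label only when the sender has no prior issues or PRs in this repo` would make that intent explicit, and `const eventType` is assigned but never used. The job declares no `permissions:`, so whether `addLabels` succeeds depends on the repository's default token permissions; declaring `permissions: issues: write` on the job states the requirement and keeps the token minimal. Paginating every issue in the repository on each `issue_comment` edit or delete is also noisy; restricting `issue_comment` to `types: [created]` would reduce that.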
@@ -1,39 +1,23 @@ -name: Issue Labeler test +name: Issue and PR Labeler test on: issues: types: [opened] issue_comment: types: [created, edited, deleted] + pull_request_target: + types: [opened, edited, review_requested] + jobs: labeler: runs-on: ubuntu-latest steps: - - uses: actions/labeler@v5 + - name: Checkout code + uses: actions/checkout@v4 + - name: Label issues or comments + uses: actions/labeler@v5 with: - script: | - const eventType = context.eventName; - // Get a list of all issues created by the PR opener - // See: https://octokit.github.io/rest.js/#pagination - const creator = context.payload.sender.login - const opts = github.rest.issues.listForRepo.endpoint.merge({ - ...context.issue, - creator, - state: 'all' - }) - const issues = await github.paginate(opts) - - for (const issue of issues) { - if (issue.number === context.issue.number) { - continue - } - - if (issue.pull_request || issue.user.login === creator) { - return // Creator is already a contributor. - } } - await github.rest.issues.addLabels({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - labels:["new contributor"] - }); + pr-number: | + 1 + 2 + 3
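Review bot: The `pr-number: |` block hard-codes pull requests 1, 2 and 3, and because the `issues:` and `issue_comment:` triggers are kept, every issue open or comment edit will re-run the labeler against those three PRs rather than anything related to the event; drop the hard-coded numbers (labeler resolves the PR from the `pull_request_target` context) and remove the issue triggers if this workflow is meant for pull requests. The new `actions/checkout@v4` step does not appear to be needed by `actions/labeler@v5`, which as far as I can tell fetches its configuration through the API; in a `pull_request_target` workflow an unused checkout with the default `persist-credentials: true` leaves the job token in the workspace for no benefit, so remove the step or add `persist-credentials: false`. The job still has no `permissions:` block, and `pull_request_target` runs with the repository's default token scope, so pin it with `permissions:` containing `contents: read` and `pull-requests: write`.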