diff --git a/.github/workflows/grype.yml b/.github/workflows/container-scan.yml similarity index 100% rename from .github/workflows/grype.yml rename to .github/workflows/container-scan.yml diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 428d6a3..e467187 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -60,7 +60,7 @@ jobs: uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # ratchet:docker/build-push-action@v7 with: context: . - platforms: linux/amd64,linux/arm64 + platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64,linux/arm64' }} push: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} @@ -83,6 +83,6 @@ jobs: contents: read security-events: write if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' - uses: ./.github/workflows/grype.yml + uses: ./.github/workflows/container-scan.yml with: image: ghcr.io/${{ github.repository }}@${{ needs.build-and-push.outputs.digest }} diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..1371a7f --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,47 @@ +name: Scorecard supply-chain security +on: + branch_protection_rule: + schedule: + - cron: '22 10 * * 6' + push: + branches: ["main"] + +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request' + permissions: + security-events: write + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # ratchet:ossf/scorecard-action@v2 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # ratchet:github/codeql-action/upload-sarif@v4 + with: + sarif_file: results.sarif diff --git a/README.md b/README.md index 8ec49cf..ea25296 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,6 @@ [![CI](https://github.com/coopernetes/git-proxy-java/actions/workflows/ci.yml/badge.svg)](https://github.com/coopernetes/git-proxy-java/actions/workflows/ci.yml) [![CVE Scanning](https://github.com/coopernetes/git-proxy-java/actions/workflows/cve.yml/badge.svg)](https://github.com/coopernetes/git-proxy-java/actions/workflows/cve.yml) +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/coopernetes/git-proxy-java/badge)](https://scorecard.dev/viewer/?uri=github.com/coopernetes/git-proxy-java) [![License](https://img.shields.io/github/license/coopernetes/git-proxy-java)](https://github.com/coopernetes/git-proxy-java/blob/main/LICENSE) # git-proxy-java