buildless · sgammon · Dec 4, 2023 · Dec 1, 2023 · Dec 1, 2023 · Dec 1, 2023
@@ -14,21 +14,21 @@ appearance, race, religion, or sexual identity and orientation.
 Examples of behavior that contributes to creating a positive environment
 include:
 
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Gracefully accepting constructive criticism
+- Focusing on what is best for the community
+- Showing empathy towards other community members
 
 Examples of unacceptable behavior by participants include:
 
-* The use of sexualized language or imagery and unwelcome sexual attention or
+- The use of sexualized language or imagery and unwelcome sexual attention or
   advances
-* Trolling, insulting/derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or electronic
+- Trolling, insulting/derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or electronic
   address, without explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
+- Other conduct which could reasonably be considered inappropriate in a
   professional setting
 
 ## Our Responsibilities
@@ -48,14 +48,14 @@ threatening, offensive, or harmful.
 This Code of Conduct applies within all project spaces, and it also applies when
 an individual is representing the project or its community in public spaces.
 Examples of representing a project or community include using an official
-project e-mail address, posting via an official social media account, or acting
+project email address, posting via an official social media account, or acting
 as an appointed representative at an online or offline event. Representation of
 a project may be further defined and clarified by project maintainers.
 
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the project team at benasher44@gmail.com. All
+reported by contacting the project team at apps at elide dot cloud. All
 complaints will be reviewed and investigated and will result in a response that
 is deemed necessary and appropriate to the circumstances. The project team is
 obligated to maintain confidentiality with regard to the reporter of an incident.
@@ -68,9 +68,10 @@ members of the project's leadership.
 ## Attribution
 
 This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
-available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+available at [here][covenant].
 
-[homepage]: https://www.contributor-covenant.org
+For answers to common questions about this code of conduct, see the [FAQ][faq].
 
-For answers to common questions about this code of conduct, see
-https://www.contributor-covenant.org/faq
+[homepage]: https://www.contributor-covenant.org
+[covenant]: https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+[faq]: https://www.contributor-covenant.org/faq
@@ -1,4 +1,4 @@
 
 ## Security Policy
 
-Please report all security issues to our [central project](https://github.com/elide-dev/elide). Also, see our [Security Policy](https://github.com/elide-dev/elide/security/policy) which is hosted in that repo.
+Please report all security issues to our [central project](https://github.com/elide-dev/elide). Also, see our [Security Policy](https://github.com/elide-dev/elide/security/policy) which is hosted in that repository.
@@ -0,0 +1,9 @@
+self-hosted-runner:
+  labels:
+    - macos-13-xlarge
+
+config-variables:
+  - DEFAULT_RUNNER
+  - JOB_NAME
+  - ENVIRONMENT_STAGE
+
@@ -1,12 +1,11 @@
-name: CodeQL
+name: "Check: CodeQL"
 
 on:
+  workflow_dispatch: {}
+  workflow_call: {}
   push:
     branches:
       - main
-  pull_request:
-    branches:
-      - main
   schedule:
     - cron: '31 7 * * 3'
 
@@ -32,28 +31,24 @@ jobs:
           - TypeScript
 
     steps:
-      - name: Harden Runner
+      - name: "Setup: Harden Runner"
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           egress-policy: audit
-
-      - name: Checkout
+      - name: "Setup: Checkout"
         id: checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-
-      - name: Initialize CodeQL
+      - name: "Setup: Initialize CodeQL"
         id: initialize
         uses: github/codeql-action/init@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
         with:
           languages: ${{ matrix.language }}
           source-root: src
-
-      - name: Autobuild
+      - name: "Build: Autobuild"
         id: autobuild
         continue-on-error: true
         uses: github/codeql-action/autobuild@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
-
-      - name: Perform CodeQL Analysis
+      - name: "Check: Perform CodeQL Analysis"
         id: analyze
         continue-on-error: true
         uses: github/codeql-action/analyze@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
@@ -1,4 +1,4 @@
-name: Check Dist
+name: "Check: Distribution"
 
 on:
   workflow_dispatch: {}
@@ -17,34 +17,28 @@ jobs:
       statuses: write
 
     steps:
-      - name: Harden Runner
+      - name: "Setup: Harden Runner"
         uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           egress-policy: audit
-
       - name: "Setup: Checkout"
         id: checkout
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-
       - name: "Setup: PNPM"
         uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v2.4.0
         with:
           version: 8.9.0
-
       - name: "Setup: Node"
         uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
           node-version: 20
           cache: pnpm
-
       - name: "Setup: Install Dependencies"
         id: install
         run: pnpm install && pnpm install -g turbo
-
       - name: "Build: Bundle"
         id: build
         run: turbo build --token ${{ secrets.BUILDLESS_APIKEY }} --no-daemon --remote-only
-
       - name: "Check: Compare Expected and Actual Directories"
         id: diff
         run: |
@@ -53,7 +47,6 @@ jobs:
             git diff --ignore-space-at-eol --text dist/
             exit 1
           fi
-
       - name: "Build: Upload Artifact"
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}

@@ -0,0 +1,48 @@
+name: "Check: Scorecard"
+on:
+  branch_protection_rule: {}
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches: ["main"]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: "Check: Scorecard"
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      contents: read
+      actions: read
+
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        with:
+          persist-credentials: false
+      - name: "Check: Scorecard Analysis"
+        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+      - name: "Artifacts: Analysis SARIF"
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      - name: "Artifacts: GitHub Advanced Security"
+        uses: github/codeql-action/upload-sarif@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3
+        with:
+          sarif_file: results.sarif