

Create OSSF scorecard job (external-secrets#3032)
* Create scorecard.yml

Adds a scorecard workflow to regularly check the repo.
See docs: https://github.com/marketplace/actions/ossf-scorecard-action#scorecard-badge

Signed-off-by: Moritz Johner <moolen@users.noreply.github.com>
moolen authored and sourav977 committed Feb 6, 2024
1 parent 7cbe484 commit 93ddef8
Showing 29 changed files with 247 additions and 121 deletions.
29 changes: 19 additions & 10 deletions .github/workflows/ci.yml
Expand Up @@ -15,32 +15,41 @@ env:
# Sonar
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

permissions:
contents: read

jobs:
detect-noop:
permissions:
actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
contents: read # for fkirc/skip-duplicate-actions to read and compare commits
runs-on: ubuntu-latest
outputs:
noop: ${{ steps.noop.outputs.should_skip }}
steps:
- name: Detect No-op Changes
id: noop
uses: fkirc/skip-duplicate-actions@v5.3.1
uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
paths_ignore: '["**.md", "**.png", "**.jpg"]'
do_not_skip: '["workflow_dispatch", "schedule", "push"]'
concurrent_skipping: false

lint:
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
runs-on: ubuntu-latest
needs: detect-noop
if: needs.detect-noop.outputs.noop != 'true' && github.ref != 'refs/heads/main'

steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
id: setup-go
with:
go-version-file: "go.mod"
Expand All @@ -50,7 +59,7 @@ jobs:
run: go mod download

- name: Lint
uses: golangci/golangci-lint-action@v3
uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
with:
version: ${{ env.GOLANGCI_VERSION }}
skip-pkg-cache: true
Expand All @@ -63,10 +72,10 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
id: setup-go
with:
go-version-file: "go.mod"
Expand All @@ -91,13 +100,13 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Fetch History
run: git fetch --prune --unshallow

- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
id: setup-go
with:
go-version-file: "go.mod"
Expand All @@ -107,7 +116,7 @@ jobs:
run: go mod download

- name: Cache envtest binaries
uses: actions/cache@v3
uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
with:
path: bin/k8s
key: ${{ runner.os }}-envtest-${{env.KUBERNETES_VERSION}}
Expand All @@ -117,7 +126,7 @@ jobs:
make test
- name: Publish Unit Test Coverage
uses: codecov/codecov-action@v3
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
flags: unittests
file: ./cover.out
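Review bot: The workflow-level `env: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}` (context at the top of the first hunk) still hands the Sonar secret to every step of every job, including detect-noop and the third-party checkout, setup-go, cache and codecov actions this commit pins, so the new per-job `permissions:` scoping only covers half of the least-privilege picture. Move the secret to the `env:` of the single step that runs the Sonar scan so it never enters the process environment of steps that do not need it. The lint, test and later jobs in hunks 3–6 start outside the visible hunk lines, so I cannot tell which job actually consumes it. SHA pins are the right call, but they only stay current with a dependabot or renovate `github-actions` entry; only 8 of the 29 changed files are shown here, so I cannot confirm that is part of this commit.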
9 changes: 6 additions & 3 deletions .github/workflows/dlc.yml
Expand Up @@ -6,20 +6,23 @@ on:
- "go.mod"
workflow_dispatch: {}

permissions:
contents: read

jobs:
fossa-scan:
runs-on: ubuntu-latest
steps:
- name: "Checkout Code"
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: "Run FOSSA Scan"
uses: fossas/fossa-action@main
uses: fossas/fossa-action@45d0cd825dcbe195c58a83662b0abb684ca739d8 # main
with:
api-key: ${{secrets.FOSSA_API_KEY}}

- name: "Run FOSSA Test"
uses: fossas/fossa-action@main
uses: fossas/fossa-action@45d0cd825dcbe195c58a83662b0abb684ca739d8 # main
with:
api-key: ${{secrets.FOSSA_API_KEY}}
run-tests: true
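Review bot: `fossas/fossa-action@45d0cd825dcbe195c58a83662b0abb684ca739d8 # main` (both steps) pins a commit lifted from a moving branch rather than a release, so the `# main` comment gives reviewers and update bots nothing to compare against and nobody can tell at a glance which upstream version is in use. Pin to a tagged release and name it in the comment, `uses: fossas/fossa-action@<release-sha> # vX.Y.Z`, or at minimum record why a branch commit was chosen. The SHA pin itself is an improvement over the floating `@main` it replaces; this note is only about making the pin auditable and updatable.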
9 changes: 7 additions & 2 deletions .github/workflows/docs.yml
Expand Up @@ -6,16 +6,21 @@ on:
- main
- release-*

permissions:
contents: read

jobs:
deploy:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0

- name: Setup Go
uses: actions/setup-go@v5
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: "go.mod"

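Review bot: The `deploy` job now carries `contents: write`, and the `actions/checkout` step right after it keeps the default `persist-credentials: true`, so the write-capable `GITHUB_TOKEN` is stored in `.git/config` in the workspace and is readable by every later step, including setup-go and the build steps that follow outside the hunk. If the publish step pushes with that checkout's stored credentials this is required and deserves a comment saying so, e.g. `# credentials persisted: the docs publish step pushes with them`; otherwise add `persist-credentials: false` under `with:` and hand the token only to the step that pushes. The remainder of the deploy job is outside the visible hunk, so I cannot tell which case applies.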
10 changes: 6 additions & 4 deletions .github/workflows/e2e-managed.yml
Expand Up @@ -3,8 +3,6 @@ on:
types: [ok-to-test-managed-command]

permissions:
id-token: write
checks: write
contents: read

env:
Expand Down Expand Up @@ -56,13 +54,17 @@ name: managed e2e tests
jobs:
run-e2e-managed:
runs-on: ubuntu-latest
permissions:
id-token: write
checks: write
contents: read
if: github.event_name == 'repository_dispatch'

steps:

# Check out merge commit
- name: Fork based /ok-to-test-managed checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: 'refs/pull/${{ env.GITHUB_PR_NUMBER }}/merge'

Expand All @@ -72,7 +74,7 @@ jobs:
- uses: ./.github/actions/e2e-managed

# set status=completed
- uses: actions/github-script@v7
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
if: ${{ always() }}
env:
number: ${{ env.GITHUB_PR_NUMBER }}
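Review bot: The fork-PR checkout at `ref: 'refs/pull/${{ env.GITHUB_PR_NUMBER }}/merge'` resolves the merge ref at job start, not the commit a maintainer approved with the /ok-to-test-managed comment, so a PR author who pushes between the approval and the run gets unreviewed code executed with `id-token: write` and whatever cloud credentials `./.github/actions/e2e-managed` consumes. If the dispatch payload carries the approved head SHA (slash-command-dispatch forwards the pull_request object, as the sibling e2e workflow's use of `client_payload.pull_request.number` suggests), check that SHA out instead and fail the job if it no longer matches the PR head. Separately, the same checkout keeps `persist-credentials: true`, leaving the job token (now `checks: write`) in `.git/config` where the PR-controlled local action can read it; `persist-credentials: false` closes that, since the github-script step gets its own token. The job's env block and the e2e-managed action it calls are outside the hunk.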
16 changes: 11 additions & 5 deletions .github/workflows/e2e.yml
Expand Up @@ -5,8 +5,6 @@ on:
types: [ok-to-test-command]

permissions:
id-token: write
checks: write
contents: read

name: e2e tests
Expand Down Expand Up @@ -52,11 +50,15 @@ jobs:

integration-trusted:
runs-on: ubuntu-latest
permissions:
id-token: write
checks: write
contents: read
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && github.actor !='dependabot[bot]'
steps:

- name: Branch based PR checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Fetch History
run: git fetch --prune --unshallow
Expand All @@ -66,12 +68,16 @@ jobs:
# Repo owner has commented /ok-to-test on a (fork-based) pull request
integration-fork:
runs-on: ubuntu-latest
permissions:
id-token: write
checks: write
contents: read
if: github.event_name == 'repository_dispatch'
steps:

# Check out merge commit
- name: Fork based /ok-to-test checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'

Expand All @@ -81,7 +87,7 @@ jobs:
- uses: ./.github/actions/e2e

# Update check run called "integration-fork"
- uses: actions/github-script@v7
- uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
id: update-check-run
if: ${{ always() }}
env:
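Review bot: In `integration-fork`, the checkout of `refs/pull/${{ github.event.client_payload.pull_request.number }}/merge` keeps the default `persist-credentials: true`, so the job's `GITHUB_TOKEN` — now scoped to `id-token: write`, `checks: write`, `contents: read` — is written into `.git/config` of a workspace whose contents, including the local `./.github/actions/e2e` composite action that runs next, are controlled by the fork author. Add `persist-credentials: false` under that step's `with:`; the `actions/github-script` step that updates the check run uses its own `github-token` input and does not need the stored credentials. The same merge-ref checkout also runs whatever the PR head is at job start rather than the commit that was approved; if `client_payload.pull_request.head.sha` is present in the payload, prefer checking that out. The `with:` block of the github-script step ends outside the hunk.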
29 changes: 21 additions & 8 deletions .github/workflows/helm.yml
Expand Up @@ -14,29 +14,32 @@ on:
- 'deploy/crds'
workflow_dispatch: {}

permissions:
contents: read

jobs:
lint-and-test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0

- name: Generate chart
run: |
make helm.generate
- name: Set up Helm
uses: azure/setup-helm@v3.5
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5
with:
version: v3.4.2

- uses: actions/setup-python@v5.0.0
- uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: 3.7

- name: Set up chart-testing
uses: helm/chart-testing-action@v2.6.1
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1

- name: Run chart-testing (list-changed)
id: list-changed
Expand All @@ -53,7 +56,7 @@ jobs:
run: ct lint --config=.github/ci/ct.yaml

- name: Create kind cluster
uses: helm/kind-action@v1.8.0
uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # v1.8.0
if: steps.list-changed.outputs.changed == 'true'

- name: Run chart-testing (install)
Expand All @@ -65,10 +68,12 @@ jobs:
run: make helm.test

release:
permissions:
contents: write # for helm/chart-releaser-action to push chart release and create a release
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0

Expand All @@ -77,19 +82,27 @@ jobs:
git config user.name "$GITHUB_ACTOR"
git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Set up Helm
uses: azure/setup-helm@v3.4
uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82 # v3.4
with:
version: v3.4.2

- name: Generate chart
run: |
make helm.generate
- name: Import GPG key
run: |
echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
echo "${{ secrets.GPG_PASSPHRASE }}" > passphrase-file.txt
- name: Run chart-releaser
uses: helm/chart-releaser-action@v1.6.0
uses: helm/chart-releaser-action@a917fd15b20e8b64b94d9158ad54cd6345335584 # v1.6.0
if: |
github.ref == 'refs/heads/main' ||
startsWith(github.ref, 'refs/heads/release-')
env:
CR_KEY: external-secrets <external-secrets@external-secrets.io>
CR_KEYRING: keyring.gpg
CR_PASSPHRASE_FILE: passphrase-file.txt
CR_SIGN: true
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
CR_RELEASE_NAME_TEMPLATE: "helm-chart-{{ .Version }}"
with:
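Review bot: The `Import GPG key` step (`echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg` and the passphrase write) runs on every `release` job run, while only the chart-releaser step below it is gated on `github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release-')`, so the chart signing key and its passphrase are decrypted into the workspace on branches and manual runs that never release anything. Move that `if:` up to the `release:` job so the secrets are only materialised when they will be used. Secrets expanded through `${{ }}` inside `run:` are also inlined into the generated shell script; passing them via the step's `env:` and writing `"$GPG_PRIVATE_KEY"` / `"$GPG_PASSPHRASE"` is the form GitHub's own guidance recommends. The release job continues past the end of this hunk.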
9 changes: 7 additions & 2 deletions .github/workflows/ok-to-test-managed.yml
Expand Up @@ -5,8 +5,13 @@ on:
issue_comment:
types: [created]

permissions:
contents: read

jobs:
ok-to-test-managed:
permissions:
pull-requests: write # for peter-evans/slash-command-dispatch to create PR reaction
runs-on: ubuntu-latest
# Only run for PRs, not issue comments
if: ${{ github.event.issue.pull_request }}
Expand All @@ -17,13 +22,13 @@ jobs:
# See app.yml for an example app manifest
- name: Generate token
id: generate_token
uses: tibdex/github-app-token@v2
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.PRIVATE_KEY }}

- name: Slash Command Dispatch
uses: peter-evans/slash-command-dispatch@v3
uses: peter-evans/slash-command-dispatch@f996d7b7aae9059759ac55e978cff76d91853301 # v3.0.2
env:
TOKEN: ${{ steps.generate_token.outputs.token }}
with:
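Review bot: The `Generate token` step mints a GitHub App installation token on every `issue_comment` event on any pull request, because the job condition `if: ${{ github.event.issue.pull_request }}` only checks that the comment is on a PR, not that it is a slash command, so ordinary review chatter from any user — collaborator or not — produces a fresh privileged token before slash-command-dispatch's permission gate ever runs. Tighten the condition, e.g. `if: ${{ github.event.issue.pull_request && startsWith(github.event.comment.body, '/ok-to-test-managed') }}`, assuming that is the command configured in the `with:` block that ends outside the hunk. If the App is installed on more than this repository, the action's `repositories:` input can narrow the minted token further. `tibdex/github-app-token` also appears to be archived upstream in favour of `actions/create-github-app-token`; worth confirming before relying on this pin long-term.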
9 changes: 7 additions & 2 deletions .github/workflows/ok-to-test.yml
Expand Up @@ -5,8 +5,13 @@ on:
issue_comment:
types: [created]

permissions:
contents: read

jobs:
ok-to-test:
permissions:
pull-requests: write # for peter-evans/slash-command-dispatch to create PR reaction
runs-on: ubuntu-latest
# Only run for PRs, not issue comments
if: ${{ github.event.issue.pull_request }}
Expand All @@ -17,13 +22,13 @@ jobs:
# See app.yml for an example app manifest
- name: Generate token
id: generate_token
uses: tibdex/github-app-token@v2
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
with:
app_id: ${{ secrets.APP_ID }}
private_key: ${{ secrets.PRIVATE_KEY }}

- name: Slash Command Dispatch
uses: peter-evans/slash-command-dispatch@v3
uses: peter-evans/slash-command-dispatch@f996d7b7aae9059759ac55e978cff76d91853301 # v3.0.2
with:
token: ${{ steps.generate_token.outputs.token }}
reaction-token: ${{ secrets.GITHUB_TOKEN }}
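Review bot: `tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0` is now pinned, but the two secrets it consumes (`secrets.APP_ID`, `secrets.PRIVATE_KEY`) are still exercised on every PR comment, since the job condition `${{ github.event.issue.pull_request }}` does not check that the comment is a slash command; any user's comment mints an App token before the dispatch action decides whether the commenter may run anything. Adding `&& startsWith(github.event.comment.body, '/ok-to-test')` to the job `if:` stops the needless minting; the `with:` block naming the commands ends outside the hunk, so confirm the prefix matches. This file passes the token via `with: token:` while ok-to-test-managed.yml routes it through `env: TOKEN:`; aligning the two makes the pair easier to audit side by side.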

