From c344bf8101e0cec6d38be1b2931676e13a2a7d31 Mon Sep 17 00:00:00 2001 From: Michael Mortensen Date: Fri, 15 Nov 2024 18:11:27 +0100 Subject: [PATCH 1/7] :construction_worker: support for OpenSSF Scorecard --- .github/workflows/scorecard.yml | 73 +++++++++++++++++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..dabbb62 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,73 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '45 17 * * 2' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From 7924e05cd229c90f6e1707ffc5d575e40f7d064d Mon Sep 17 00:00:00 2001 From: Michael Mortensen Date: Fri, 15 Nov 2024 18:19:03 +0100 Subject: [PATCH 2/7] :speech_balloon: updated community health pages --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c4a03d1..f1578d2 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # Extensions for xUnit API by Codebelt -[![xUnit Ext. CI/CD Pipeline](https://github.com/codebeltnet/xunit/actions/workflows/pipelines.yml/badge.svg)](https://github.com/codebeltnet/xunit/actions/workflows/pipelines.yml) [![codecov](https://codecov.io/gh/codebeltnet/xunit/graph/badge.svg?token=BN2UhFM3bb)](https://codecov.io/gh/codebeltnet/xunit) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=alert_status)](https://sonarcloud.io/dashboard?id=xunit) [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=xunit) [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=xunit) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=security_rating)](https://sonarcloud.io/dashboard?id=xunit) +[![xUnit Ext. CI/CD Pipeline](https://github.com/codebeltnet/xunit/actions/workflows/pipelines.yml/badge.svg)](https://github.com/codebeltnet/xunit/actions/workflows/pipelines.yml) [![codecov](https://codecov.io/gh/codebeltnet/xunit/graph/badge.svg?token=BN2UhFM3bb)](https://codecov.io/gh/codebeltnet/xunit) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=alert_status)](https://sonarcloud.io/dashboard?id=xunit) [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=xunit) [![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=reliability_rating)](https://sonarcloud.io/dashboard?id=xunit) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=xunit&metric=security_rating)](https://sonarcloud.io/dashboard?id=xunit) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/codebeltnet/xunit/badge)](https://scorecard.dev/viewer/?uri=github.com/codebeltnet/xunit) An open-source project (MIT license) that targets and complements the [xUnit.net](https://xunit.net/) test platform. It provides a uniform and convenient way of doing unit test for all project types in .NET. From e298d60f45e5c124283a4fc5f58cd8361c0b81b6 Mon Sep 17 00:00:00 2001 From: Michael Mortensen Date: Fri, 15 Nov 2024 18:22:13 +0100 Subject: [PATCH 3/7] ignore markdown --- .github/workflows/pipelines.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 5eb32b1..ad777bf 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -7,6 +7,7 @@ on: - .docfx - .github - .nuget + - '**.md' workflow_dispatch: inputs: configuration: From 11c62fa2c58079bb204b49d53da70278ecec3598 Mon Sep 17 00:00:00 2001 From: Michael Mortensen Date: Fri, 15 Nov 2024 18:30:18 +0100 Subject: [PATCH 4/7] :construction_worker: added paths-ignore on push --- .github/workflows/pipelines.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index ad777bf..cfd39a9 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -1,7 +1,13 @@ name: xUnit Ext. CI/CD Pipeline on: pull_request: - branches: [main] + paths-ignore: + - .codecov + - .docfx + - .github + - .nuget + - '**.md' + push: paths-ignore: - .codecov - .docfx From 34793d03d3b1c2dbb243d0f3f732ec8c406811cc Mon Sep 17 00:00:00 2001 From: Michael Mortensen Date: Fri, 15 Nov 2024 18:31:11 +0100 Subject: [PATCH 5/7] include branches again --- .github/workflows/pipelines.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index cfd39a9..4f71003 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -1,6 +1,7 @@ name: xUnit Ext. CI/CD Pipeline on: pull_request: + branches: [main] paths-ignore: - .codecov - .docfx @@ -8,6 +9,7 @@ on: - .nuget - '**.md' push: + branches: [main] paths-ignore: - .codecov - .docfx From 71ca5bcdb9c22c6a114ebdcb6a3b004ea47a5c28 Mon Sep 17 00:00:00 2001 From: Michael Mortensen Date: Fri, 15 Nov 2024 19:56:28 +0100 Subject: [PATCH 6/7] fix --- .github/workflows/pipelines.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pipelines.yml b/.github/workflows/pipelines.yml index 4f71003..1f7ce31 100644 --- a/.github/workflows/pipelines.yml +++ b/.github/workflows/pipelines.yml @@ -3,18 +3,18 @@ on: pull_request: branches: [main] paths-ignore: - - .codecov - - .docfx - - .github - - .nuget + - .codecov/** + - .docfx/** + - .github/** + - .nuget/** - '**.md' push: branches: [main] paths-ignore: - - .codecov - - .docfx - - .github - - .nuget + - .codecov/** + - .docfx/** + - .github/** + - .nuget/** - '**.md' workflow_dispatch: inputs: From f88c8cbb109acf80fd4d576dbc55108b828f57b4 Mon Sep 17 00:00:00 2001 From: Michael Mortensen Date: Fri, 15 Nov 2024 20:11:46 +0100 Subject: [PATCH 7/7] cleanup --- .github/workflows/scorecard.yml | 37 +++------------------------------ 1 file changed, 3 insertions(+), 34 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index dabbb62..bf9d97c 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -1,20 +1,11 @@ -# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - name: Scorecard supply-chain security on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained schedule: - cron: '45 17 * * 2' push: branches: [ "main" ] -# Declare default permissions as read only. permissions: read-all jobs: @@ -22,51 +13,29 @@ jobs: name: Scorecard analysis runs-on: ubuntu-latest permissions: - # Needed to upload the results to code-scanning dashboard. security-events: write - # Needed to publish results and get a badge (see publish_results below). id-token: write - # Uncomment the permissions below if installing in a private repository. - # contents: read - # actions: read steps: - name: "Checkout code" - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@v4 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + uses: ossf/scorecard-action@v2 with: results_file: results.sarif results_format: sarif - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. - # repo_token: ${{ secrets.SCORECARD_TOKEN }} - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. - # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. publish_results: true - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + uses: actions/upload-artifact@4 with: name: SARIF file path: results.sarif retention-days: 5 - # Upload the results to GitHub's code scanning dashboard (optional). - # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" uses: github/codeql-action/upload-sarif@v3 with: