Skip to content

chore: oss-hygiene — dependabot + dep-review + scorecard, harden workflow permissions#95

Merged
jahala merged 1 commit into
jahala:mainfrom
paulnsorensen:paulnsorensen/oss-hygiene-free-ci
May 16, 2026
Merged

chore: oss-hygiene — dependabot + dep-review + scorecard, harden workflow permissions#95
jahala merged 1 commit into
jahala:mainfrom
paulnsorensen:paulnsorensen/oss-hygiene-free-ci

Conversation

@paulnsorensen

Copy link
Copy Markdown
Collaborator

Summary

Closes the free supply-chain and workflow-hardening gaps surfaced by an /oss-hygiene audit. No paid GitHub features required — everything here is free for public repos.

Added

  • .github/dependabot.yml — weekly version updates for the three ecosystems present in this repo:
    • cargo (root Cargo.toml)
    • npm (npm/package.json — the install wrapper)
    • github-actions (keeps action versions current, with minor/patch grouping)
    • Python under benchmark/ is skipped — it's the evaluation harness, no top-level manifest.
  • .github/workflows/dependency-review.yml — fails PRs that introduce moderate-or-worse vulnerable deps or disallowed licenses. Free on public repos.
  • .github/workflows/scorecard.yml — publishes OpenSSF Scorecard SARIF + badge data. Runs on push to main and weekly.

CodeQL is not added: Rust isn't supported by actions/codeql-action, and the npm/ surface is just a binary-download proxy — signal would be near-zero.

Hardened

Per OSSF Scorecard's Token-Permissions check:

  • ci.yml — adds top-level permissions: { contents: read }. The workflow only reads; no reason to inherit write defaults.
  • release.yml — top-level contents: write is too broad. Tightened to contents: read and the write scope moved to only the build job, which actually needs it for softprops/action-gh-release. version-check, publish-crate, and publish-npm inherit read-only — the publish jobs use CARGO_REGISTRY_TOKEN / NPM_TOKEN secrets, not GITHUB_TOKEN, so this is safe.

Dangerous-Workflow audit: clean. Neither workflow uses pull_request_target.

Follow-ups (filed as separate issues)

  • Enable free GitHub-native security features (Dependabot alerts, secret scanning, push protection).
  • Scaffold community standards files (CoC, CONTRIBUTING, SECURITY, issue/PR templates).
  • Register for the OpenSSF Best Practices Badge and add the Scorecard badge to the README.

Test plan

  • CI green on this PR (existing cargo fmt / clippy / test job, now with contents: read).
  • dependency-review job runs on this PR and passes (no new deps were introduced).
  • After merge, scorecard.yml runs on main and uploads SARIF without error.
  • Dependabot opens grouped PRs for outdated cargo / npm / actions deps within ~24h.
  • Next tagged release still succeeds end-to-end (build matrix + releases + crates.io + npm).

🧀 Generated via the /oss-hygiene skill from skillz-that-grillz.

Add three supply-chain hygiene workflows and tighten GITHUB_TOKEN
permissions on existing workflows. All free for public repos.

New:
- .github/dependabot.yml — weekly version updates for cargo, npm, github-actions
- .github/workflows/dependency-review.yml — block PRs that introduce
  vulnerable or disallowed-license deps (free on public repos)
- .github/workflows/scorecard.yml — OpenSSF Scorecard analysis and
  badge publication

Hardened:
- ci.yml — add top-level `permissions: contents: read` (least privilege)
- release.yml — drop top-level `contents: write`; scope it to the `build`
  job that actually needs it for softprops/action-gh-release. Publish
  jobs use CARGO_REGISTRY_TOKEN / NPM_TOKEN secrets and don't need any
  GITHUB_TOKEN write scope.

Generated via the /oss-hygiene skill from skillz-that-grillz.
@jahala jahala merged commit e6b4514 into jahala:main May 16, 2026
2 of 3 checks passed
@jahala

jahala commented May 16, 2026

Copy link
Copy Markdown
Owner

Thank you so much, again, @paulnsorensen for contributing this! As I've mentioned, I'm not really a developer - so these things you are helping improve now, are things I'm completely blank about. Thank you! 🙏🏻 Much appreciated

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants