chore(security): claim SLSA Build L2 and add OpenSSF Scorecard #61
Merged
The release already meets SLSA Build L2 — actions/attest-build-provenance generates provenance on a GitHub-hosted runner and signs it via keyless Sigstore, which is the hosted+signed delta over L1. Update the README badge (L1 -> L2) and the release.yml comment to reflect what the pipeline does; no pipeline change. (L3, the isolated non-forgeable builder, stays out of scope.)

Add a scorecard.yml workflow running OpenSSF Scorecard on the default branch (devel) plus a weekly cron: it publishes results to the public OpenSSF API (publish_results: true, powering the README badge / scorecard.dev viewer) and uploads SARIF to the Security tab. All actions pinned by commit SHA.

Closes #60
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Use ossf/scorecard-action@v2.4.3 verbatim per the marketplace example, rather than the equivalent commit SHA. Same action and version (the v2.4.3 tag dereferences to 4eaacf0); the other actions stay SHA-pinned.

Refs #60
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…ce example)"

Keep ossf/scorecard-action pinned by commit SHA (4eaacf0 # v2.4.3), matching the canonical scorecard.yml in peczenyj/lua-gdpr-iab-tcfv2 and Scorecard's own Pinned-Dependencies check. All four actions are SHA-pinned again.

Refs #60
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add the marketplace-recommended job conditional so the analysis (and its publish_results step) only runs from the default branch or on a pull_request:

if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'

publish_results only works from the default branch; the guard makes that explicit and is harmless given the push trigger already targets devel.

Refs #60
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Replace scorecard.yml with the official OSSF marketplace starter (its third-party disclaimer, Branch-Protection / Maintained check links, repo_token and publish_results notes, default-branch `if` guard) but with verified current pinned SHAs instead of the template's stale ones:

actions/checkout v4.2.2 -> v6.0.2 (de0fac2)
ossf/scorecard-action v2.4.1 -> v2.4.3 (4eaacf0)
actions/upload-artifact v4.6.1 -> v7.0.1 (043fb46)
github/codeql-action/upload-sarif @V3 -> v4.36.0 (f52b05f, now pinned)

Also corrects a wrong codeql SHA from the prior commit (e46ed2c was not v4.35.3). All SHAs resolved via the GitHub API against each action's latest release.

Refs #60
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

The README badge and release.yml comment already claim L2; SECURITY.md still said L1, which would contradict them. Update the "Build provenance" section to L2 and spell out why it qualifies: the attestation is generated on a GitHub-hosted runner and keyless-signed via Sigstore (OIDC) — the hosted + platform-signed properties that distinguish L2 from L1.

Refs #60
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
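The SHA-pinning these commits settle on can be checked mechanically before Scorecard's Pinned-Dependencies check does it for you. This is an added example, not code from the PR, the repository or Scorecard; the workflow text is constructed and the 40-hex SHAs in it are placeholders, not the real commits named above.

```python
"""Check that every `uses:` in a GitHub Actions workflow is pinned to a full
commit SHA plus a `# vX.Y.Z` comment (what Scorecard's Pinned-Dependencies
check looks for). Added example; the SHAs below are placeholders."""
import re

# `uses: owner/repo@ref` (optionally as a `- uses:` list item) with an optional
# trailing `# v1.2.3` comment that records the human-readable version.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed placeholders, not real commit ids (a real pin is a 40-hex SHA).
SHA_A, SHA_B, SHA_C = "a" * 40, "b" * 40, "c" * 40
SAMPLE_WORKFLOW = f"""name: Scorecard supply-chain security
jobs:
  analysis:
    steps:
      - uses: actions/checkout@{SHA_A} # v6.0.2
        with:
          persist-credentials: false
      - name: Run analysis
        uses: ossf/scorecard-action@v2.4.3
      - uses: actions/upload-artifact@{SHA_B}
      - uses: github/codeql-action/upload-sarif@{SHA_C} # v4.36.0
"""


def check_pins(workflow_text):
    """Return (action, ref, status) for each `uses:` line. status is 'sha'
    (full SHA plus version comment), 'sha-no-comment', 'tag' (mutable tag or
    branch, the case Scorecard flags) or 'local' (./path actions have no ref)."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        spec, comment = match.group(1), match.group(2)
        if spec.startswith("./"):
            findings.append((spec, None, "local"))
            continue
        action, _, ref = spec.partition("@")
        if FULL_SHA_RE.match(ref):
            status = "sha" if comment else "sha-no-comment"
        else:
            status = "tag"
        findings.append((action, ref, status))
    return findings


def unpinned(workflow_text):
    """Actions referenced by a mutable tag or branch instead of a commit SHA."""
    return [action for action, _, status in check_pins(workflow_text)
            if status == "tag"]
```

On the sample, `unpinned(SAMPLE_WORKFLOW)` returns `['ossf/scorecard-action']`, the one step still referenced by tag; `actions/upload-artifact` is pinned but lacks the version comment that makes the pin reviewable.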
Supply-chain posture for the v0.6.1 release.

SLSA Build L2 (label only)

The release workflow already satisfies SLSA Build Level 2: actions/attest-build-provenance generates provenance on a GitHub-hosted runner and signs it via keyless Sigstore (id-token: write), stored in the attestations API. Hosted + signed is precisely the L1→L2 delta, so no pipeline change — only the README badge (SLSA-Build_L1→L2) and the release.yml comment were stale. L3 (isolated, non-forgeable builder) is intentionally out of scope.

OpenSSF Scorecard

New .github/workflows/scorecard.yml:
- devel) + branch_protection_rule + a weekly cron (Sat 01:30 UTC). Scorecard only publishes from the default branch.
- publish_results: true → score is public and powers the README badge (scorecard.dev viewer).
- security-events: write.
- permissions: read-all; the job elevates only security-events/id-token.
- ossf/scorecard workflow.

README gets the SLSA L2 badge bump plus an OpenSSF Scorecard badge. The badge will populate once this lands on devel and the workflow's first run publishes.

Test plan
- yaml.safe_load).
- task ci green (no Go changes).

Closes #60

🤖 Generated with Claude Code