From a24694e871a77ca0e05e80c4f44dc0fa09483a95 Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Sun, 14 Sep 2025 20:12:33 -0700 Subject: [PATCH 1/3] Add OSV scanner workflow Except for some changes to the comments, this is the same as the improved OSV workflow that we developed in the context of ReCirq recently. --- .github/workflows/osv-scanner.yaml | 153 +++++++++++++++++++++++++++++ 1 file changed, 153 insertions(+) create mode 100644 .github/workflows/osv-scanner.yaml diff --git a/.github/workflows/osv-scanner.yaml b/.github/workflows/osv-scanner.yaml new file mode 100644 index 00000000..13763023 --- /dev/null +++ b/.github/workflows/osv-scanner.yaml @@ -0,0 +1,153 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Summary: run the Open Source Vulnerabilities scanner on PRs & weekly. +# +# The OSV scanner is a dependency vulnerability scanner that identifies known +# vulnerabilities in a project's dependencies. It supports C/C++, Python, Java, +# JavaScript, and others. The findings are reported in the repo's code-scanning +# results page, https://github.com/quantumlib/REPO/security/code-scanning/. +# For more OSV scanner examples and options, including how to ignore specific +# vulnerabilities, see https://google.github.io/osv-scanner/github-action/. + +name: OSV vulnerabilities scan +run-name: Run open-source vulnerabilities (OSV) scanner + +on: + schedule: + # Run weekly on Saturdays. + - cron: '30 10 * * 6' + + pull_request: + types: [opened, synchronize] + branches: + - main + - master + + # Support merge queues. + merge_group: + types: + - checks_requested + + # Allow manual invocation. + workflow_dispatch: + inputs: + debug: + description: 'Run with debugging options' + type: boolean + default: true + +concurrency: + # Cancel any previously-started but still active runs on the same branch. + cancel-in-progress: true + group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}} + +# Declare default workflow permissions as read only. +permissions: read-all + +jobs: + osv-scan: + if: github.repository_owner == 'quantumlib' + name: OSV scanner + runs-on: ubuntu-24.04 + timeout-minutes: 15 + permissions: + # Needed to upload the results to code-scanning dashboard: + security-events: write + env: + # Setting Bash SHELLOPTS here takes effect for all shell commands below. + SHELLOPTS: ${{inputs.debug && 'xtrace' || '' }} + steps: + - name: Check out a copy of the git repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + fetch-depth: 0 + + - name: Check out the target branch + run: | + git checkout ${{github.base_ref || github.ref_name}} + git submodule update --recursive + + - name: Run OSV scanner on existing code + # yamllint disable rule:line-length + uses: google/osv-scanner-action/osv-scanner-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0 + continue-on-error: true + with: + scan-args: |- + --include-git-root + --format=json + --output=old-results.json + --recursive + ./ + + - name: Check out current branch + # Use -f in case any changes were made by osv-scanner. + run: | + git checkout -f "$GITHUB_SHA" + git submodule update --recursive + + - name: Run OSV scanner on new code + # yamllint disable rule:line-length + uses: google/osv-scanner-action/osv-scanner-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0 + continue-on-error: true + with: + scan-args: |- + --include-git-root + --format=json + --output=new-results.json + --recursive + ./ + + - name: Run the OSV scanner reporter for the job summary page + # yamllint disable rule:line-length + uses: google/osv-scanner-action/osv-reporter-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0 + with: + scan-args: |- + --output=markdown:output.md + --old=old-results.json + --new=new-results.json + --fail-on-vuln=false + + - name: Write the results to the job summary page + run: cat output.md >> "$GITHUB_STEP_SUMMARY" + + - name: Run the OSV scanner reporter for the code-scanning dashboard + # yamllint disable rule:line-length + uses: google/osv-scanner-action/osv-reporter-action@b00f71e051ddddc6e46a193c31c8c0bf283bf9e6 # v2.1.0 + with: + scan-args: |- + --output=osv-results.sarif + --old=old-results.json + --new=new-results.json + --gh-annotations=true + --fail-on-vuln=true + + - name: Upload results to the repository's code-scanning results dashboard + id: upload_artifact + # yamllint disable rule:line-length + uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 + with: + sarif_file: osv-results.sarif + + - if: github.event.inputs.debug == true + name: Upload results as artifacts to the workflow Summary page + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: SARIF file + path: osv-results.sarif + retention-days: 5 + + - name: Error troubleshooter + if: ${{always() && steps.upload_artifact.outcome == 'failure'}} + run: echo '::error::Artifact upload failed. Check the workflow logs.' From f3f79e9d81f83079c21d4060b0fdfeabd03a1ce9 Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Sun, 14 Sep 2025 20:12:48 -0700 Subject: [PATCH 2/3] Add Scorecard scanner workflow Except for some changes to the comments, this is the same as the improved Scorecard workflow that we developed in the context of ReCirq recently. --- .github/workflows/scorecard-scanner.yaml | 112 +++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 .github/workflows/scorecard-scanner.yaml diff --git a/.github/workflows/scorecard-scanner.yaml b/.github/workflows/scorecard-scanner.yaml new file mode 100644 index 00000000..a7355342 --- /dev/null +++ b/.github/workflows/scorecard-scanner.yaml @@ -0,0 +1,112 @@ +# Copyright 2025 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Summary: run the OSSF Scorecard scanner on PRs and every night. +# +# Scorecard (https://github.com/ossf/scorecard) is a repository-scanning tool +# that evaluates a project's security practices. Its use is suggested by +# Google's GitHub team. Scorecard's findings are reported in a repo's scanning +# results page, https://github.com/quantumlib/REPO/security/code-scanning/. + +name: Scorecard analysis +run-name: Run Scorecard scanner for security best practices + +on: + schedule: + # Run weekly on Saturdays. + - cron: '30 9 * * 6' + + pull_request: + types: [opened, synchronize] + branches: + - main + - master + + # Support merge queues. + merge_group: + types: + - checks_requested + + # Allow manual invocation. + workflow_dispatch: + inputs: + debug: + description: 'Run with debugging options' + type: boolean + default: true + +concurrency: + # Cancel any previously-started but still active runs on the same branch. + cancel-in-progress: true + group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}} + +# Declare default workflow permissions as read only. +permissions: read-all + +jobs: + run-scorecard: + if: github.repository_owner == 'quantumlib' + name: Scorecard analyzer + runs-on: ubuntu-24.04 + permissions: + security-events: write + id-token: write + timeout-minutes: 15 + steps: + - name: Check out a copy of the git repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Run Scorecard analysis + # yamllint disable rule:line-length + uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + with: + # Save the results + results_file: scorecard-results.sarif + results_format: sarif + # See https://github.com/ossf/scorecard-action#publishing-results. + publish_results: true + + - name: Upload results to code-scanning dashboard + # yamllint disable rule:line-length + uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.5 + with: + sarif_file: scorecard-results.sarif + + - if: github.event.inputs.debug == true + name: Upload results as artifacts to the workflow Summary page + # yamllint disable rule:line-length + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: Scorecard SARIF file + path: scorecard-results.sarif + retention-days: 5 + + # Scorecard currently (ver. 2.4.x) doesn't allow submissions from jobs having + # steps that use "run:". To print to the summary, we need to use another job. + write-summary: + name: Scorecard results + needs: run-scorecard + runs-on: ubuntu-24.04 + timeout-minutes: 5 + steps: + - name: Write the Scorecard report page link to the workflow summary + run: | + repo="${{github.repository}}" + url="https://scorecard.dev/viewer/?uri=github.com/${repo}" + { + echo -n "The results are available on the OpenSSF Scorecard " + echo "[report page for ${{github.repository}}]($url)." + } >> "$GITHUB_STEP_SUMMARY" From 702b4644c7bd7f6c6966ed37035324554fee76b1 Mon Sep 17 00:00:00 2001 From: Michael Hucka Date: Mon, 22 Sep 2025 18:52:18 -0700 Subject: [PATCH 3/3] Streamline comments -- no code change This shortens the explanatory comment at the top and moves it to make better use of the workflow name as a summary. In osv-scanner.yaml, there is an additional change to the name of a step, to make it more descriptive. No code changes. --- .github/workflows/osv-scanner.yaml | 10 ++++------ .github/workflows/scorecard-scanner.yaml | 8 +++----- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/.github/workflows/osv-scanner.yaml b/.github/workflows/osv-scanner.yaml index 13763023..23286e00 100644 --- a/.github/workflows/osv-scanner.yaml +++ b/.github/workflows/osv-scanner.yaml @@ -12,8 +12,9 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Summary: run the Open Source Vulnerabilities scanner on PRs & weekly. -# +name: OSV vulnerabilities scan +run-name: Run open-source vulnerabilities (OSV) scanner + # The OSV scanner is a dependency vulnerability scanner that identifies known # vulnerabilities in a project's dependencies. It supports C/C++, Python, Java, # JavaScript, and others. The findings are reported in the repo's code-scanning @@ -21,9 +22,6 @@ # For more OSV scanner examples and options, including how to ignore specific # vulnerabilities, see https://google.github.io/osv-scanner/github-action/. -name: OSV vulnerabilities scan -run-name: Run open-source vulnerabilities (OSV) scanner - on: schedule: # Run weekly on Saturdays. @@ -148,6 +146,6 @@ jobs: path: osv-results.sarif retention-days: 5 - - name: Error troubleshooter + - name: Print an alert message if an error occurred if: ${{always() && steps.upload_artifact.outcome == 'failure'}} run: echo '::error::Artifact upload failed. Check the workflow logs.' diff --git a/.github/workflows/scorecard-scanner.yaml b/.github/workflows/scorecard-scanner.yaml index a7355342..880939ab 100644 --- a/.github/workflows/scorecard-scanner.yaml +++ b/.github/workflows/scorecard-scanner.yaml @@ -12,16 +12,14 @@ # See the License for the specific language governing permissions and # limitations under the License. -# Summary: run the OSSF Scorecard scanner on PRs and every night. -# +name: Scorecard analysis +run-name: Run Scorecard scanner for security best practices + # Scorecard (https://github.com/ossf/scorecard) is a repository-scanning tool # that evaluates a project's security practices. Its use is suggested by # Google's GitHub team. Scorecard's findings are reported in a repo's scanning # results page, https://github.com/quantumlib/REPO/security/code-scanning/. -name: Scorecard analysis -run-name: Run Scorecard scanner for security best practices - on: schedule: # Run weekly on Saturdays.