From 20def6b63b1cff923ed868cd15fe03a0f97f79ad Mon Sep 17 00:00:00 2001 From: Bernardo Codesido Date: Thu, 17 Oct 2024 13:15:35 -0300 Subject: [PATCH] Add dependabot configuration Add scorecard workflow Add codeql workflow Add dependency-check workflow --- .github/dependabot.yml | 13 ++++ .github/workflows/codeql.yml | 91 +++++++++++++++++++++++++ .github/workflows/dependency-review.yml | 20 ++++++ .github/workflows/scorecard.yml | 47 +++++++++++++ 4 files changed, 171 insertions(+) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..9b28445ce --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +version: 2 +updates: + # Maintain dependencies for GitHub Actions + - package-ecosystem: github-actions + directory: / + schedule: + interval: daily + + # Maintain dependencies for Docker + - package-ecosystem: docker + directory: / + schedule: + interval: daily \ No newline at end of file diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 000000000..483c11caa --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,91 @@ +name: "CodeQL" + +on: + push: + branches: [ "master", "*-rc" ] + pull_request: + branches: [ "master", "*-rc" ] + schedule: + - cron: "0 0 * * *" + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ java ] + + steps: + - name: Checkout + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 + + - name: Setup Java JDK + if: ${{ matrix.language == 'java' }} + uses: actions/setup-java@b36c23c0d998641eff861008f374ee103c25ac73 #v4.4.0 + with: + java-version: '17' + distribution: 'temurin' + + - name: Checkout RSKj repo + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 + with: + repository: rsksmart/rskj + token: ${{ secrets.GITHUB_TOKEN }} + path: rskj + fetch-depth: 0 + + - name: Check out appropriate rskj reference + if: ${{ matrix.language == 'java' }} + working-directory: rskj + env: + CHECKOUT_REF: ${{ github.head_ref }} + run: | + git switch "$CHECKOUT_REF" + + - name: Set DONT-COMMIT-settings.gradle + if: ${{ matrix.language == 'java' }} + run: | + cat <<'EOF' >DONT-COMMIT-settings.gradle + includeBuild('./rskj') { + dependencySubstitution { + all { DependencySubstitution dependency -> + if (dependency.requested instanceof ModuleComponentSelector + && dependency.requested.group == 'co.rsk' + && dependency.requested.module == 'rskj-core' + && (dependency.requested.version.endsWith('SNAPSHOT') || dependency.requested.version.endsWith('RC'))) { + def targetProject = project(":${dependency.requested.module}") + if (targetProject != null) { + println('---- USING LOCAL ' + dependency.requested.displayName + ' PROJECT ----') + dependency.useTarget targetProject + } + } + } + } + } + EOF + + - name: Before Index (java) + if: ${{ matrix.language == 'java' }} + run: ./configure.sh + + - name: Initialize CodeQL + uses: github/codeql-action/init@083cd45dc7d463f048a5d0975943f0e19e9c9378 #v2.26.13 + with: + languages: ${{ matrix.language }} + queries: +security-and-quality + + - name: Autobuild + uses: github/codeql-action/autobuild@083cd45dc7d463f048a5d0975943f0e19e9c9378 #v2.26.13 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@083cd45dc7d463f048a5d0975943f0e19e9c9378 #v2.26.13 + with: + category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 000000000..e513e55f8 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,20 @@ +name: 'Dependency Review' +on: [pull_request] + +permissions: read-all + +jobs: + dependency-review: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + steps: + - name: 'Checkout Repository' + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 + + - name: 'Dependency Review' + uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4 + with: + fail-on-severity: high + comment-summary-in-pr: true \ No newline at end of file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 000000000..d357502f8 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,47 @@ +name: Scorecard supply-chain security +on: + branch_protection_rule: + schedule: + - cron: '33 2 * * 2' + push: + branches: [ "master" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v4.4.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12 + with: + sarif_file: results.sarif