You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
samples/.github/workflows/scorecards-analysis.yml

56 lines
1.9 KiB

name: Scorecards supply-chain security
on:
# Only the default branch is supported.
branch_protection_rule:
push:
branches: [ main ]
# Declare default permissions as read only.
permissions: read-all
jobs:
analysis:
name: Scorecards analysis
runs-on: ubuntu-latest
if: ${{ github.repository == 'flutter/samples' }}
permissions:
# Needed to upload the results to code-scanning dashboard.
security-events: write
actions: read
contents: read
id-token: write
steps:
- name: "Checkout code"
Bump actions/checkout from 4.1.0 to 4.1.1 (#2043) Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.0 to 4.1.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p> <blockquote> <h2>v4.1.1</h2> <h2>What's Changed</h2> <ul> <li>Update CODEOWNERS to Launch team by <a href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1510">actions/checkout#1510</a></li> <li>Correct link to GitHub Docs by <a href="https://github.com/peterbe"><code>@​peterbe</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li> <li>Link to release page from what's new section by <a href="https://github.com/cory-miller"><code>@​cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1514">actions/checkout#1514</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/joshmgross"><code>@​joshmgross</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1510">actions/checkout#1510</a></li> <li><a href="https://github.com/peterbe"><code>@​peterbe</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v4...v4.1.1">https://github.com/actions/checkout/compare/v4...v4.1.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/checkout/commit/b4ffde65f46336ab88eb53be808477a3936bae11"><code>b4ffde6</code></a> Link to release page from what's new section (<a href="https://redirect.github.com/actions/checkout/issues/1514">#1514</a>)</li> <li><a href="https://github.com/actions/checkout/commit/8530928916aaef40f59e6f221989ccb31f5759e7"><code>8530928</code></a> Correct link to GitHub Docs (<a href="https://redirect.github.com/actions/checkout/issues/1511">#1511</a>)</li> <li><a href="https://github.com/actions/checkout/commit/7cdaf2fbc075e6f3b9ca94cfd6cec5adc8a75622"><code>7cdaf2f</code></a> Update CODEOWNERS to Launch team (<a href="https://redirect.github.com/actions/checkout/issues/1510">#1510</a>)</li> <li>See full diff in <a href="https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...b4ffde65f46336ab88eb53be808477a3936bae11">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/checkout&package-manager=github_actions&previous-version=4.1.0&new-version=4.1.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
1 year ago
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
persist-credentials: false
- name: "Run analysis"
Bump ossf/scorecard-action from 2.3.0 to 2.3.1 (#2068) Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.0 to 2.3.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ossf/scorecard-action/releases">ossf/scorecard-action's releases</a>.</em></p> <blockquote> <h2>v2.3.1</h2> <h2>What's Changed</h2> <ul> <li>:seedling: Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by <a href="https://github.com/spencerschrock"><code>@​spencerschrock</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1282">ossf/scorecard-action#1282</a> <ul> <li>Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the <a href="https://github.com/ossf/scorecard/releases/tag/v4.13.1">v4.13.1</a> release notes</li> </ul> </li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1">https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ossf/scorecard-action/commit/0864cf19026789058feabb7e87baa5f140aac736"><code>0864cf1</code></a> :seedling: Bump docker tag to for v2.3.1 release (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1284">#1284</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/72df3bff668d052aaec251accaffec0b280410fb"><code>72df3bf</code></a> :seedling: Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1282">#1282</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/0ea411f94ac145b6fd793458b7f75ebbe7ae0a8f"><code>0ea411f</code></a> :seedling: Bump the docker-images group with 1 update (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1281">#1281</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/dbfd042453ccc43ade96943685dbece2dd86bbae"><code>dbfd042</code></a> :seedling: Bump the github-actions group with 1 update (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1280">#1280</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/2fa1e2fa153141e2950c7e1299ed05e2081ead0c"><code>2fa1e2f</code></a> :seedling: Bump golang.org/x/net from 0.16.0 to 0.17.0 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1278">#1278</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/652ddd06c802ac1ba4021a9f02978dc5150b223e"><code>652ddd0</code></a> :seedling: Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1277">#1277</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/28d0c92b8bb9dd266a8cf4dde7bae71c06a0c62f"><code>28d0c92</code></a> :seedling: Group Dependabot updates for GitHub Actions and Dockerfiles (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1276">#1276</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/cb50491a46a858cb57669a16a720b7a00e1f9d29"><code>cb50491</code></a> :seedling: Bump distroless/base from <code>a35b652</code> to <code>b31a6e0</code> (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1275">#1275</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/87157ac77d7ec18a631049bc92fdac7ee63a471a"><code>87157ac</code></a> :seedling: Bump github/codeql-action from 2.21.9 to 2.22.1 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1274">#1274</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/7c1648b23e27a96acf7c3842fd1921d16bd8d4d2"><code>7c1648b</code></a> :seedling: Bump step-security/harden-runner from 2.5.1 to 2.6.0 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1273">#1273</a>)</li> <li>Additional commits viewable in <a href="https://github.com/ossf/scorecard-action/compare/483ef80eb98fb506c348f7d62e28055e49fe2398...0864cf19026789058feabb7e87baa5f140aac736">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ossf/scorecard-action&package-manager=github_actions&previous-version=2.3.0&new-version=2.3.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
1 year ago
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736
with:
results_file: results.sarif
results_format: sarif
# Read-only PAT token. To create it,
# follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
# Publish the results to enable scorecard badges. For more details, see
# https://github.com/ossf/scorecard-action#publishing-results.
# For private repositories, `publish_results` will automatically be set to `false`,
# regardless of the value entered here.
publish_results: true
# Upload the results as artifacts (optional).
- name: "Upload artifact"
Bump actions/upload-artifact from 3.1.2 to 3.1.3 (#2012) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.2 to 3.1.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v3.1.3</h2> <h2>What's Changed</h2> <ul> <li>chore(github): remove trailing whitespaces by <a href="https://github.com/ljmf00"><code>@​ljmf00</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/313">actions/upload-artifact#313</a></li> <li>Bump <code>@​actions/artifact</code> version to v1.1.2 by <a href="https://github.com/bethanyj28"><code>@​bethanyj28</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/436">actions/upload-artifact#436</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v3...v3.1.3">https://github.com/actions/upload-artifact/compare/v3...v3.1.3</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/a8a3f3ad30e3422c9c7b888a15615d19a852ae32"><code>a8a3f3a</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/436">#436</a> from bethanyj28/main</li> <li><a href="https://github.com/actions/upload-artifact/commit/7b48769c030f7121ecb01c3558dd3cd8b9660a20"><code>7b48769</code></a> update dependency cache</li> <li><a href="https://github.com/actions/upload-artifact/commit/66630398dfe3d04deb4c489ac54b9b468f071706"><code>6663039</code></a> update dist/index.js</li> <li><a href="https://github.com/actions/upload-artifact/commit/55e76b779da56f582e27a6f7aff54c1e610551e5"><code>55e76b7</code></a> bump <code>@​actions/artifact</code> version</li> <li><a href="https://github.com/actions/upload-artifact/commit/65d862660abb392b8c4a3d1195a2108db131dd05"><code>65d8626</code></a> chore(github): remove trailing whitespaces (<a href="https://redirect.github.com/actions/upload-artifact/issues/313">#313</a>)</li> <li>See full diff in <a href="https://github.com/actions/upload-artifact/compare/0b7f8abb1508181956e8e162db84b466c27e18ce...a8a3f3ad30e3422c9c7b888a15615d19a852ae32">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=3.1.2&new-version=3.1.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
1 year ago
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32
with:
name: SARIF file
path: results.sarif
retention-days: 5
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a
with:
sarif_file: results.sarif