Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

improve OSSF score #2125

Merged
merged 1 commit into from
Jan 17, 2024
Merged

improve OSSF score #2125

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion .github/workflows/ci-windows-trigger.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,13 +4,18 @@ on:
issue_comment:
types: [created]

permissions:
contents: read

jobs:
windows-test-command-trigger:
permissions:
pull-requests: write # for peter-evans/slash-command-dispatch to create PR reaction
runs-on: ubuntu-22.04

steps:
- name: Trigger windows-test command
uses: peter-evans/slash-command-dispatch@v3
uses: peter-evans/slash-command-dispatch@f996d7b7aae9059759ac55e978cff76d91853301 # v3.0.2
with:
token: ${{ secrets.WINDOWS_WORKERS_TOKEN }}
# The command to trigger the pipeline: e.g. /windows-test
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/ci-windows.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ jobs:
timeout-minutes: 30
steps:
- name: Create pending status
uses: actions/github-script@v7.0.1
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
Expand All @@ -27,7 +27,7 @@ jobs:
})

- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ github.event.client_payload.pull_request.head.repo.full_name }}
Expand Down Expand Up @@ -55,7 +55,7 @@ jobs:
gotestsum --format short-verbose --rerun-fails=5 --packages="./..." --junitfile TEST-unit.xml -- -timeout=30m

- name: Create success status
uses: actions/github-script@v7.0.1
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
if: success()
with:
github-token: ${{secrets.GITHUB_TOKEN}}
Expand All @@ -70,7 +70,7 @@ jobs:
})

- name: Create failure status
uses: actions/github-script@v7.0.1
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
if: failure()
with:
github-token: ${{secrets.GITHUB_TOKEN}}
Expand Down
9 changes: 6 additions & 3 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,22 +138,25 @@ jobs:
ryuk-disabled: false

sonarcloud:
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for sonarsource/sonarcloud-github-action to determine which PR to decorate
if: ${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' }}
needs: test-examples
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
# Disabling shallow clone is recommended for improving relevancy of reporting
fetch-depth: 0

- uses: actions/download-artifact@v3
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: sonarcloud

- name: Analyze with SonarCloud
uses: sonarsource/sonarcloud-github-action@master
uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
3 changes: 3 additions & 0 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,9 @@ on:
schedule:
- cron: '40 6 * * 5'

permissions:
contents: read

jobs:
analyze:
name: Analyze
Expand Down
6 changes: 6 additions & 0 deletions .github/workflows/release-drafter.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,14 @@ on:
branches:
- main

permissions:
contents: read

jobs:
update_release_draft:
permissions:
contents: write # for release-drafter/release-drafter to create a github release
pull-requests: write # for release-drafter/release-drafter to add label to PR
runs-on: ubuntu-latest
steps:
- uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.19.0
Expand Down
9 changes: 6 additions & 3 deletions modulegen/_template/ci.yml.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,22 +138,25 @@ jobs:
ryuk-disabled: false

sonarcloud:
permissions:
contents: read # for actions/checkout to fetch code
pull-requests: read # for sonarsource/sonarcloud-github-action to determine which PR to decorate
if: {{ "${{ github.ref_name == 'main' && github.repository_owner == 'testcontainers' }}" }}
needs: test-examples
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v4
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
# Disabling shallow clone is recommended for improving relevancy of reporting
fetch-depth: 0

- uses: actions/download-artifact@v3
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: sonarcloud

- name: Analyze with SonarCloud
uses: sonarsource/sonarcloud-github-action@master
uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
env:
GITHUB_TOKEN: {{ "${{ secrets.GITHUB_TOKEN }}" }}
SONAR_TOKEN: {{ "${{ secrets.SONAR_TOKEN }}" }}
Loading