From 4c358f3148b7d6bcbe6adfdcf77a663d19751423 Mon Sep 17 00:00:00 2001 From: Carlos Gonzalez Date: Thu, 25 Jul 2024 13:33:09 +0100 Subject: [PATCH] [CP-Sec] Enable OpenSSF Scorecard Enable OpenSSF Scorecard workflow, add badge to README file Remove deprecated "Build and Test" badge from README file --- .github/workflows/scorecard.yml | 53 +++++++++++++++++++++++++++++++++ README.md | 3 +- 2 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 000000000..6f2c29b83 --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,53 @@ +# Scorecards' GitHub action + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + schedule: + - cron: '8 11 * * 2' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 + with: + sarif_file: results.sarif diff --git a/README.md b/README.md index 2e77664f3..5f9c362be 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,6 @@ # portBLAS Implementation -=== -[![Build and Test](https://github.com/codeplaysoftware/portBLAS/actions/workflows/build-and-test.yml/badge.svg?event=push)](https://github.com/codeplaysoftware/portBLAS/actions/workflows/build-and-test.yml) +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/codeplaysoftware/portBLAS/badge)](https://scorecard.dev/viewer/?uri=github.com/codeplaysoftware/portBLAS) portBLAS implements BLAS - [Basic Linear Algebra Subroutines](https://en.wikipedia.org/wiki/Basic_Linear_Algebra_Subprograms) - using [SYCL](https://www.khronos.org/sycl/).