diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e750e1a..53cab67 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,9 +5,13 @@ updates: directory: "/" schedule: interval: "weekly" + labels: + - "dependencies" # Maintain dependencies for npm - package-ecosystem: "npm" directory: "/" schedule: interval: "weekly" + labels: + - "dependencies"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index fdcc19a..ce4a95a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -6,8 +6,7 @@ on: branches: - main -permissions: - contents: write +permissions: read-all concurrency: group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -40,6 +39,11 @@ jobs: if: contains('refs/heads/main OR refs/heads/next', github.ref) runs-on: ubuntu-latest name: Publish + permissions: + contents: write # to be able to publish a GitHub release + issues: write # to be able to comment on released issues + pull-requests: write # to be able to comment on released pull requests + id-token: write # to enable use of OIDC for npm provenance steps: - uses: actions/checkout@v4 with:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 2d3ace5..9fc2d0b 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -2,6 +2,9 @@ name: "Pull Request Labeler" on: - pull_request_target +# Declare default permissions as read only. +permissions: read-all + jobs: triage: permissions:
@@ -9,6 +12,6 @@ jobs: pull-requests: write runs-on: ubuntu-latest steps: - - uses: actions/labeler@v4 + - uses: actions/labeler@v5 with: repo-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 8852d7c..f6e180f 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -4,7 +4,7 @@ on: - cron: "30 1 * * *" permissions: - contents: write # for branch deletion + contents: write issues: write pull-requests: write
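Review bot: The Publish job's gate `if: contains('refs/heads/main OR refs/heads/next', github.ref)` is a substring test rather than a branch comparison, so a branch named `m`, `ma`, `n` or `nex` also satisfies it and would run with the `contents: write` and `id-token: write` scopes this hunk adds. That line is context here, not touched by the commit, but the new permissions are what make it worth tightening: `if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/next'`. Since `id-token: write` lets this job mint npm provenance, the actions it runs should also be pinned to a commit SHA instead of the floating `@v4` tag on `actions/checkout` (the remaining steps are outside the hunk); the OpenSSF Scorecard badge added in README.md in this same commit reports on exactly that.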
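Review bot: The `actions/labeler@v5` bump in the second hunk is a major release that changed the configuration file format (the v4 `any`/`all` glob lists became `changed-files` entries with `any-glob-to-any-file`-style matchers), so if the repository's labeler configuration is not updated alongside this workflow the job will fail at runtime under `pull_request_target`; I cannot see that file in this diff. The workflow-level `permissions: read-all` added in the first hunk is the right default for a `pull_request_target` trigger, and the job's own block (which starts in this hunk and ends in the next with `pull-requests: write`) grants only what the action needs. As in the other workflows, prefer pinning `actions/labeler` to a commit SHA over the `@v5` tag.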
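Review bot: Removing the `# for branch deletion` comment leaves `contents: write` as an unexplained write scope in stale.yml; actions/stale needs it only when `delete-branch` is enabled, so keep the justification, e.g. `contents: write # needed only for delete-branch`. If the `with:` block (which begins in the next hunk and continues outside it) does not set `delete-branch: true`, the scope can instead be reduced to `contents: read`.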
@@ -12,7 +12,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v8 + - uses: actions/stale@v9 with: stale-issue-message: "This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days." stale-pr-message: "This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days."
diff --git a/README.md b/README.md
index 139a466..d6b3dc3 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,5 @@ -> [!WARNING] -> This plugin is still in early development and not production ready just yet. Use with caution! -> You can check the current progress via [Milestone - V1](https://github.com/janbiasi/rollup-plugin-sbom/milestone/1). - -[![CI](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/ci.yml) ![npm](https://img.shields.io/npm/v/rollup-plugin-sbom) -![npm type definitions](https://img.shields.io/npm/types/rollup-plugin-sbom) -![npm peer dependency version (scoped)](https://img.shields.io/npm/dependency-version/rollup-plugin-sbom/peer/rollup?logo=rollupdotjs&color=%23EA483F) +[![CI](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/ci.yml) [![CodeQL](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/github-code-scanning/codeql/badge.svg?branch=main)](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/github-code-scanning/codeql) ![npm](https://img.shields.io/npm/v/rollup-plugin-sbom) +![npm peer dependency version (scoped)](https://img.shields.io/npm/dependency-version/rollup-plugin-sbom/peer/rollup?logo=rollupdotjs&color=%23EA483F) ![img](https://img.shields.io/badge/semver-2.0.0-green?logo=semver) ![npm type definitions](https://img.shields.io/npm/types/rollup-plugin-sbom) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/janbiasi/rollup-plugin-sbom/badge)](https://securityscorecards.dev/viewer/?uri=github.com/janbiasi/rollup-plugin-sbom) # rollup-plugin-sbom
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..597ce5f
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest minor version of the plugin is supported with security updates. These updates are published as new patch versions. All versioning follows Semantic Versioning. You can find the latest version [released on GitHub](https://github.com/janbiasi/rollup-plugin-sbom/releases) and simultaneously published on NPM.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 0.x.x | :x: |
+| 1.x.x | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+We really appreciate your help in finding bugs and vulnerabilities in this repository.
+Please report bugs and vulnerabilities using [GitHub Issues](https://github.com/janbiasi/rollup-plugin-sbom/issues).
diff --git a/package.json b/package.json
index 2481623..4a32fa9 100644
--- a/package.json
+++ b/package.json
@@ -14,6 +14,10 @@ "types": "./dist/index.d.ts" } }, + "publishConfig": { + "access": "public", + "provenance": true + }, "scripts": { "lint": "pnpm lint:prettier && pnpm lint:eslint", "lint:prettier": "prettier -l .",
@@ -44,6 +48,9 @@ "cyclonedx" ], "author": "Jan Biasi (https://github.com/janbiasi)", + "contributors": [ + "Jan Kott (https://github.com/boostvolt)" + ], "license": "MIT", "dependencies": { "@cyclonedx/cyclonedx-library": "6.1.0",
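Review bot: The "Reporting a Vulnerability" section sends vulnerability reports to public GitHub Issues, which publishes the details before a fix exists and defeats the purpose of a security policy. Point reporters to a private channel instead — GitHub's private vulnerability reporting ("Report a vulnerability" under the repository's Security tab, which must be enabled in the repository settings) or a maintainer contact address — and keep Issues for ordinary bugs, e.g. `Please report security vulnerabilities privately via the repository's Security tab ("Report a vulnerability"); use GitHub Issues only for non-security bugs.` A sentence stating the expected acknowledgement time would also help reporters.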
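Review bot: `"provenance": true` makes `npm publish` fail outside a supported CI OIDC context and requires the `repository.url` field of package.json to match the repository the workflow runs from; neither the `repository` field nor the publish step is visible in this hunk, so both should be confirmed before the next release. The matching `id-token: write` grant is already part of the ci.yml change in this commit. Provenance also needs a recent npm CLI on the runner (the scripts here use pnpm, which as far as I can tell hands the actual publish to npm), so the tool version used by the Publish job should be verified as well.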