ci: various updates and ossf

.github/dependabot.yml

@@ -5,9 +5,13 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "dependencies"
 
   # Maintain dependencies for npm
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
       interval: "weekly"
+    labels:
+      - "dependencies"

.github/workflows/ci.yml

@@ -6,8 +6,7 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
+permissions: read-all
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
@@ -40,6 +39,11 @@ jobs:
     if: contains('refs/heads/main OR refs/heads/next', github.ref)
     runs-on: ubuntu-latest
     name: Publish
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
     steps:
       - uses: actions/checkout@v4
         with:

.github/workflows/labeler.yml

@@ -2,13 +2,16 @@ name: "Pull Request Labeler"
 on:
   - pull_request_target
 
+# Declare default permissions as read only.
+permissions: read-all
+
 jobs:
   triage:
     permissions:
       contents: read
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v4
+      - uses: actions/labeler@v5
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stale.yml

@@ -4,15 +4,15 @@ on:
     - cron: "30 1 * * *"
 
 permissions:
-  contents: write # for branch deletion
+  contents: write
   issues: write
   pull-requests: write
 
 jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v8
+      - uses: actions/stale@v9
         with:
           stale-issue-message: "This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days."
           stale-pr-message: "This PR is stale because it has been open 45 days with no activity. Remove stale label or comment or this will be closed in 10 days."

README.md

@@ -1,10 +1,5 @@
-> [!WARNING]  
-> This plugin is still in early development and not production ready just yet. Use with caution!
-> You can check the current progress via [Milestone - V1](https://github.com/janbiasi/rollup-plugin-sbom/milestone/1).
-
-[![CI](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/ci.yml) ![npm](https://img.shields.io/npm/v/rollup-plugin-sbom)
-![npm type definitions](https://img.shields.io/npm/types/rollup-plugin-sbom)
-![npm peer dependency version (scoped)](https://img.shields.io/npm/dependency-version/rollup-plugin-sbom/peer/rollup?logo=rollupdotjs&color=%23EA483F)
+[![CI](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/ci.yml/badge.svg?branch=main)](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/ci.yml) [![CodeQL](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/github-code-scanning/codeql/badge.svg?branch=main)](https://github.com/janbiasi/rollup-plugin-sbom/actions/workflows/github-code-scanning/codeql) ![npm](https://img.shields.io/npm/v/rollup-plugin-sbom)
+![npm peer dependency version (scoped)](https://img.shields.io/npm/dependency-version/rollup-plugin-sbom/peer/rollup?logo=rollupdotjs&color=%23EA483F) ![img](https://img.shields.io/badge/semver-2.0.0-green?logo=semver) ![npm type definitions](https://img.shields.io/npm/types/rollup-plugin-sbom) [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/janbiasi/rollup-plugin-sbom/badge)](https://securityscorecards.dev/viewer/?uri=github.com/janbiasi/rollup-plugin-sbom)
 
 # rollup-plugin-sbom
 

SECURITY.md

@@ -0,0 +1,15 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest minor version of the plugin is supported with security updates. These updates are published as new patch versions. All versioning follows Semantic Versioning. You can find the latest version [released on GitHub](https://github.com/janbiasi/rollup-plugin-sbom/releases) and simultaneously published on NPM.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.x.x   | :x:                |
+| 1.x.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+We really appreciate your help in finding bugs and vulnerabilities in this repository.
+Please report bugs and vulnerabilities using [GitHub Issues](https://github.com/janbiasi/rollup-plugin-sbom/issues).

package.json

@@ -14,6 +14,10 @@
       "types": "./dist/index.d.ts"
     }
   },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
   "scripts": {
     "lint": "pnpm lint:prettier && pnpm lint:eslint",
     "lint:prettier": "prettier -l .",
@@ -44,6 +48,9 @@
     "cyclonedx"
   ],
   "author": "Jan Biasi (https://github.com/janbiasi)",
+  "contributors": [
+    "Jan Kott (https://github.com/boostvolt)"
+  ],
   "license": "MIT",
   "dependencies": {
     "@cyclonedx/cyclonedx-library": "6.1.0",