From dfa35352faf796483fde54c03082a1074d16739e Mon Sep 17 00:00:00 2001 From: Heba Elayoty Date: Mon, 25 Mar 2024 14:05:29 -0700 Subject: [PATCH 1/3] Apply security best practices Signed-off-by: Heba Elayoty --- .github/dependabot.yml | 40 +++++++++++ .github/workflows/codeql.yml | 9 ++- .github/workflows/create-release.yml | 4 +- .github/workflows/dependency-review.yml | 27 ++++++++ .github/workflows/e2e-preset-test.yml | 11 ++- .github/workflows/helm-chart.yml | 7 +- .github/workflows/lint-go.yml | 5 +- .github/workflows/markdown-link-check.yml | 20 ++++-- .github/workflows/pr-title-lint.yml | 7 +- .github/workflows/preset-image-build.yml | 16 ++++- .github/workflows/publish-gh-image.yml | 7 +- .github/workflows/scorecards.yml | 76 +++++++++++++++++++++ .github/workflows/tests.yml | 18 ++--- .pre-commit-config.yaml | 22 ++++++ docker/kaito/Dockerfile | 2 +- docker/presets/inference/llama-2/Dockerfile | 2 +- docker/presets/inference/tfs/Dockerfile | 2 +- docker/presets/tuning/Dockerfile | 2 +- 18 files changed, 245 insertions(+), 32 deletions(-) create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/scorecards.yml create mode 100644 .pre-commit-config.yaml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 600a98c2a..9092679b7 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml 
@@ -6,3 +6,43 @@ updates: interval: "weekly" commit-message: prefix: "chore" + + - package-ecosystem: docker + directory: /docker/kaito + schedule: + interval: daily + + - package-ecosystem: docker + directory: /docker/presets/inference/llama-2 + schedule: + interval: daily + + - package-ecosystem: docker + directory: /docker/presets/inference/tfs-onnx + schedule: + interval: daily + + - package-ecosystem: docker + directory: /docker/presets/inference/tfs + schedule: + interval: daily + + - package-ecosystem: docker + directory: /docker/presets/tuning + schedule: + interval: daily + + - package-ecosystem: gomod + directory: / + schedule: + interval: daily + + - package-ecosystem: pip + directory: /presets/inference/text-generation + schedule: + interval: daily + + - package-ecosystem: pip + directory: /presets/tuning/tfs + schedule: + interval: daily diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 1651267c0..9343379b8 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -7,6 +7,9 @@ on: schedule: - cron: "0 7 * * 1" # Mondays at 7:00 AM +permissions: + contents: read + jobs: analyze: name: Analyze @@ -17,6 +20,11 @@ jobs: actions: read steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout repository uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -33,4 +41,3 @@ jobs: - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@cdcdbb579706841c47f7063dda365e292e5cad7a - diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml index 94ab2953b..95f6b98b4 100644 --- a/.github/workflows/create-release.yml +++ b/.github/workflows/create-release.yml 
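Review bot: None of the eight new entries covers `package-ecosystem: github-actions`, yet the rest of this patch pins every action to a commit SHA, and SHA pins only stay current if Dependabot is configured to bump them; unless the entries above line 6 (outside this hunk) already include it, add `- package-ecosystem: github-actions` / `directory: /` / `schedule: interval: weekly`. The `/docker/presets/inference/tfs-onnx` entry has no matching Dockerfile in this patch's diffstat, so either that directory exists and its base image was not digest-pinned here, or it does not and Dependabot will report a missing manifest. Eight `daily` schedules next to the existing `weekly` one will also generate a lot of bump PRs; `weekly` is usually enough for base-image digests.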
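Review bot: `egress-policy: audit` on the Harden Runner step only records outbound connections and blocks nothing, so as added here (and in every other workflow in this patch) it is monitoring, not a control. Once a few audit runs have established the endpoint set, switch to `egress-policy: block` with an explicit `allowed-endpoints:` list, which for CodeQL is typically just the GitHub API and upload hosts. A comment above the step, `# audit only for now; switch to egress-policy: block once the endpoint list is known`, would make clear this is an interim setting rather than the intended end state.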
@@ -21,7 +21,7 @@ jobs: egress-policy: audit - name: Set up Go ${{ env.GO_VERSION }} - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} @@ -33,7 +33,7 @@ jobs: ref: ${{ github.event.client_payload.tag }} - name: Goreleaser - uses: goreleaser/goreleaser-action@v5 + uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: version: latest args: release --rm-dist --timeout 60m --debug diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 000000000..3f3456223 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: 'Checkout Repository' + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@0efb1d1d84fc9633afcdaad14c485cbbc90ef46c # v2.5.1 diff --git a/.github/workflows/e2e-preset-test.yml b/.github/workflows/e2e-preset-test.yml index cdd7e5746..6e7367673 100644 --- a/.github/workflows/e2e-preset-test.yml +++ b/.github/workflows/e2e-preset-test.yml 
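Review bot: This new workflow pins `actions/checkout` at `f43a0e5f…` (v3.6.0) while every other workflow touched by this patch uses `b4ffde65…` (v4.1.1); use the same v4.1.1 pin so the repository has one checkout version to track, and check whether `dependency-review-action` v2.5.1 is the current major before introducing it in a new file. The header comment says vulnerable packages will be blocked "if the workflow run is marked as required", which is a branch-protection setting this diff cannot show, so nothing is enforced until that is done. If the pinned version supports it, also state the threshold in the file, `with:` / `fail-on-severity: moderate` (or whatever the project tolerates), rather than relying on the action's default.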
@@ -36,11 +36,16 @@ jobs: is_matrix_empty: ${{ steps.check_matrix_empty.outputs.is_empty }} full_matrix: ${{ steps.images.outputs.full_matrix }} steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: - submodules: true - fetch-depth: 0 + submodules: true + fetch-depth: 0 # This script should output a JSON array of model names - name: Determine Affected Models diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml index 2df542691..05e06123e 100644 --- a/.github/workflows/helm-chart.yml +++ b/.github/workflows/helm-chart.yml @@ -16,6 +16,11 @@ jobs: publish-helm: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -24,7 +29,7 @@ jobs: ref: ${{ github.event.client_payload.tag }} - name: Publish Workspace Helm chart - uses: stefanprodan/helm-gh-pages@v1.7.0 + uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0 with: token: ${{ secrets.GITHUB_TOKEN }} charts_dir: charts/kaito diff --git a/.github/workflows/lint-go.yml b/.github/workflows/lint-go.yml index 5c523f766..3170149c7 100644 --- a/.github/workflows/lint-go.yml +++ b/.github/workflows/lint-go.yml @@ -15,6 +15,9 @@ on: env: GO_VERSION: '1.22' +permissions: + contents: read + jobs: build: runs-on: ubuntu-latest @@ -32,7 +35,7 @@ jobs: fetch-depth: 0 - name: Set up Go ${{ env.GO_VERSION }} - uses: actions/setup-go@v5 + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} 
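Review bot: The Harden Runner step added here is deleted again by PATCH 2/3 of this series ("Remove Harden runner action from preset workflows"), and neither commit message says why; if the preset jobs run on a runner type harden-runner does not support, or the audit output was unusable, record that in the commit body or in a comment above `steps:` so it is not re-added later. The hunk also re-indents `submodules: true` / `fetch-depth: 0`, a whitespace-only change that is easier to review in its own commit. The job's remaining steps continue outside the hunk.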
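Review bot: This hunk passes `secrets.GITHUB_TOKEN` to `helm-gh-pages` but, unlike `codeql.yml`, `lint-go.yml` and `markdown-link-check.yml` in the same patch, no `permissions:` block is added to this workflow; if none exists outside the hunk, the job runs with the repository's default token scopes, which may be write-all. Declare the minimum the publish step needs at job level, `permissions:` / `contents: write`, with a top-level `permissions: contents: read` so nothing else in the workflow inherits write. The `publish-helm` job's trigger and the rest of its inputs are outside the hunk.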
diff --git a/.github/workflows/markdown-link-check.yml b/.github/workflows/markdown-link-check.yml index 00e6c44f7..2fb144a3e 100644 --- a/.github/workflows/markdown-link-check.yml +++ b/.github/workflows/markdown-link-check.yml @@ -3,18 +3,26 @@ name: markdown link on: pull_request: paths: - - '**.md' - - 'docs/**' + - "**.md" + - "docs/**" + +permissions: + contents: read jobs: markdown-link-check: runs-on: ubuntu-latest steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - uses: gaurav-nelson/github-action-markdown-link-check@v1 + - uses: gaurav-nelson/github-action-markdown-link-check@5c5dfc0ac2e225883c0e5f03a85311ec2830d368 # v1 with: # this will only show errors in the output - use-quiet-mode: 'yes' + use-quiet-mode: "yes" # this will show detailed HTTP status for checked links - use-verbose-mode: 'yes' - config-file: '.github/markdown.links.config.json' + use-verbose-mode: "yes" + config-file: ".github/markdown.links.config.json" diff --git a/.github/workflows/pr-title-lint.yml b/.github/workflows/pr-title-lint.yml index 160227fe1..397663dac 100644 --- a/.github/workflows/pr-title-lint.yml +++ b/.github/workflows/pr-title-lint.yml @@ -12,7 +12,12 @@ jobs: check: runs-on: ubuntu-latest steps: - - uses: thehanimo/pr-title-checker@v1.4.2 + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - uses: thehanimo/pr-title-checker@1d8cd483a2b73118406a187f54dca8a9415f1375 # v1.4.2 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} pass_on_octokit_error: true diff --git a/.github/workflows/preset-image-build.yml b/.github/workflows/preset-image-build.yml index e0fb52696..85da26fff 100644 --- a/.github/workflows/preset-image-build.yml +++ b/.github/workflows/preset-image-build.yml 
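Review bot: The new pin `gaurav-nelson/github-action-markdown-link-check@5c5dfc0a…` is annotated `# v1`, a floating major tag rather than the release the SHA resolves to, so the comment cannot be checked against the SHA the way `# v4.1.1` and `# v2.7.0` can elsewhere in this patch. Replace it with the exact tag that commit corresponds to (whatever `git describe --tags 5c5dfc0a` reports in that repository) so reviewers and Dependabot's version-comment updates have something precise to compare. The `'`-to-`"` quote changes in the same hunk are cosmetic and unrelated to the hardening.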
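Review bot: `thehanimo/pr-title-checker` is handed `secrets.GITHUB_TOKEN`, but this workflow receives no `permissions:` block in this patch while the others touched here get `contents: read`; if the file has none above line 12, the token carries the repository default scopes. Add a top-level `permissions:` with `pull-requests: read` and `contents: read`, and widen only if the action turns out to need more. The `on:` trigger is outside the hunk; if it is `pull_request_target`, a least-privilege token matters even more because the job then runs with repository secrets on fork PRs.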
@@ -39,9 +39,14 @@ jobs: outputs: matrix: ${{ steps.affected_models.outputs.matrix }} is_matrix_empty: ${{ steps.check_matrix_empty.outputs.is_empty }} - steps: + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 0 @@ -81,8 +86,13 @@ jobs: model: ${{fromJson(needs.determine-models.outputs.matrix)}} max-parallel: 3 steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: submodules: true fetch-depth: 0 diff --git a/.github/workflows/publish-gh-image.yml b/.github/workflows/publish-gh-image.yml index 5b47a50b8..618e4b618 100644 --- a/.github/workflows/publish-gh-image.yml +++ b/.github/workflows/publish-gh-image.yml @@ -32,8 +32,13 @@ jobs: run: | echo "tag=$(echo ${{ github.event.inputs.release_version }})" >> $GITHUB_OUTPUT + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml new file mode 100644 index 000000000..b4c4e07e0 --- /dev/null +++ b/.github/workflows/scorecards.yml 
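Review bot: The Harden Runner step is inserted after the step that already ran `echo "tag=$(echo ${{ github.event.inputs.release_version }})" >> $GITHUB_OUTPUT`, so that step (and anything above it, outside the hunk) executes before egress auditing starts; harden-runner should be the first step of the job. That context line also expands a `workflow_dispatch` input directly inside a `run:` script, which is the expression-injection pattern GitHub warns about; even though dispatch inputs require write access, the safe form is `env:` / `RELEASE_VERSION: ${{ github.event.inputs.release_version }}` with `run: echo "tag=${RELEASE_VERSION}" >> "$GITHUB_OUTPUT"`. The inner `$(echo …)` is a no-op and can go at the same time.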
@@ -0,0 +1,76 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '20 7 * * 2' + push: + branches: ["main"] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + contents: read + actions: read + + steps: + - name: Harden Runner + uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 + with: + egress-policy: audit + + - name: "Checkout code" + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecards on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@a82bad71823183e5b120ab52d521460ecb0585fe # v2.24.9 + with: + sarif_file: results.sarif diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 3afaa2ff9..46eedd3ec 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -1,27 +1,27 @@ name: unit-tests concurrency: - group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} cancel-in-progress: true on: push: branches: [main] - paths-ignore: ['docs/**', '**.md', '**.mdx', '**.png', '**.jpg'] + paths-ignore: ["docs/**", "**.md", "**.mdx", "**.png", "**.jpg"] pull_request: branches: [main, release-**] - paths-ignore: ['docs/**', '**.md', '**.mdx', '**.png', '**.jpg'] + paths-ignore: ["docs/**", "**.md", "**.mdx", "**.png", "**.jpg"] permissions: contents: read packages: write - + env: - GO_VERSION: '1.22' + GO_VERSION: "1.22" jobs: unit-tests: - runs-on: ubuntu-latest + runs-on: ubuntu-latest environment: unit-tests steps: - name: Harden Runner 
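Review bot: This new file pins `actions/checkout` at v3.6.0 and `ossf/scorecard-action` at v2.0.6, older than the v4.1.1 checkout and the v2.24.9 `codeql-action/upload-sarif` pinned in the same file and elsewhere in this patch; a workflow added as a "security best practice" should start from current releases so the first Dependabot run is not a major-version bump. PATCH 3/3 of this series then deletes the whole file ("Remove scorecard pipeline") with no reason in the commit message, so after the series there is no Scorecard run at all; if the objection was `publish_results: true` or `id-token: write`, those can be turned off without dropping the workflow. The `persist-credentials: false` on this checkout is the right setting and is worth copying to the other workflows' checkout steps.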
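Review bot: The unit-test workflow keeps `permissions:` / `contents: read` / `packages: write` (context in this hunk), so every push to `main` runs the test job with a token that can publish to GitHub Packages; nothing visible in the hunk pushes a package, and a job that runs tests and uploads coverage should not hold that scope. Unless a step outside the hunk needs it, reduce this to `permissions: contents: read` and grant `packages: write` only to the job that actually publishes images. The job also binds `environment: unit-tests`, which makes that environment's secrets available to this job, so the same least-privilege question applies to what that environment holds.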
@@ -35,8 +35,8 @@ jobs: submodules: true fetch-depth: 0 - - name: Set up Go ${{ env.GO_VERSION }} - uses: actions/setup-go@v5 + - name: Set up Go ${{ env.GO_VERSION }} + uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: ${{ env.GO_VERSION }} @@ -49,7 +49,7 @@ jobs: make inference-api-e2e - name: Upload Codecov report - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@54bcd8715eee62d40e33596ef5e8f0f48dbbccab # v4.1.0 with: ## Comma-separated list of files to upload files: ./coverage.txt diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 000000000..467d0e0e5 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,22 @@ +repos: + - repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks + - repo: https://github.com/golangci/golangci-lint + rev: v1.52.2 + hooks: + - id: golangci-lint + - repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shellcheck + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace + - repo: https://github.com/pylint-dev/pylint + rev: v2.17.2 + hooks: + - id: pylint diff --git a/docker/kaito/Dockerfile b/docker/kaito/Dockerfile index 19a0fd30c..5970adc43 100644 --- a/docker/kaito/Dockerfile +++ b/docker/kaito/Dockerfile @@ -32,7 +32,7 @@ RUN --mount=type=cache,target=${GOCACHE} \ # Use distroless as minimal base image to package the manager binary # Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM --platform=$BUILDPLATFORM gcr.io/distroless/static:nonroot +FROM --platform=$BUILDPLATFORM gcr.io/distroless/static:nonroot@sha256:55c636171053dbc8ae07a280023bd787d2921f10e569f3e319f1539076dbba11 WORKDIR / COPY --from=builder /workspace/manager . USER 65532:65532 
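Review bot: The hooks in this new `.pre-commit-config.yaml` are pinned by tag (`rev: v8.16.3`, `rev: v1.52.2`, …) rather than by commit SHA, the opposite of what the rest of this patch does for GitHub Actions; pre-commit accepts a full SHA in `rev:`, e.g. `rev: <sha>  # v8.16.3`, and `pre-commit autoupdate` keeps it current. Pre-commit hooks also only run on machines where a developer has installed them, so `gitleaks` here does not by itself stop a secret from reaching the repository; if the intent is enforcement, back it with a CI job (the gitleaks action, or `pre-commit run --all-files` in a workflow). A README or CONTRIBUTING note telling developers to run `pre-commit install` would make the local half of this usable.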
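Review bot: The digest pin is good, but the final stage still carries `--platform=$BUILDPLATFORM`, so the runtime image is always resolved for the build host's architecture; if this image is built for more than one target (buildx with `--platform`), the runtime stage should not force `$BUILDPLATFORM` (drop the flag, or use `$TARGETPLATFORM`), and the digest must be that of the multi-arch index rather than a single-arch manifest for the pin to work everywhere. A comment beside the pin recording what it resolves to, `# gcr.io/distroless/static:nonroot, digest taken 2024-03-25`, helps reviewers tell a Dependabot digest bump from a tag change. The `USER 65532:65532` line below keeps the container non-root and should stay.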
diff --git a/docker/presets/inference/llama-2/Dockerfile b/docker/presets/inference/llama-2/Dockerfile index 285cb122a..822119736 100644 --- a/docker/presets/inference/llama-2/Dockerfile +++ b/docker/presets/inference/llama-2/Dockerfile @@ -4,7 +4,7 @@ # --build-arg VERSION={{VERSION}} \ # --build-arg MODEL_TYPE={{MODEL_TYPE}} \ -FROM python:3.8-slim +FROM python:3.8-slim@sha256:95bfecec648356cdd0b28c8b00ce00009baff10c99d1126a82d1aca716453a1a WORKDIR /workspace # Install git diff --git a/docker/presets/inference/tfs/Dockerfile b/docker/presets/inference/tfs/Dockerfile index 5a322b8bd..e34309cb3 100644 --- a/docker/presets/inference/tfs/Dockerfile +++ b/docker/presets/inference/tfs/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.10-slim +FROM python:3.10-slim@sha256:684b1aaf96a7942b3c3af438d162e0baa3510aa7af25ad76d238e0c746bdec79 ARG WEIGHTS_PATH ARG MODEL_TYPE diff --git a/docker/presets/tuning/Dockerfile b/docker/presets/tuning/Dockerfile index 896deb85a..5a9a2d624 100644 --- a/docker/presets/tuning/Dockerfile +++ b/docker/presets/tuning/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.10-slim +FROM python:3.10-slim@sha256:684b1aaf96a7942b3c3af438d162e0baa3510aa7af25ad76d238e0c746bdec79 ARG WEIGHTS_PATH ARG MODEL_TYPE From 6fe6c257dcdfc79034739ce82eb00dc3b77983be Mon Sep 17 00:00:00 2001 From: Heba Elayoty Date: Wed, 1 May 2024 14:28:09 -0700 Subject: [PATCH 2/3] Remove Harden runner action from preset workflows Signed-off-by: Heba Elayoty --- .github/workflows/e2e-preset-test.yml | 5 ----- .github/workflows/preset-image-build.yml | 10 ---------- 2 files changed, 15 deletions(-) diff --git a/.github/workflows/e2e-preset-test.yml b/.github/workflows/e2e-preset-test.yml index 6e7367673..0cb8c302d 100644 --- a/.github/workflows/e2e-preset-test.yml +++ b/.github/workflows/e2e-preset-test.yml 
@@ -36,11 +36,6 @@ jobs: is_matrix_empty: ${{ steps.check_matrix_empty.outputs.is_empty }} full_matrix: ${{ steps.images.outputs.full_matrix }} steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: diff --git a/.github/workflows/preset-image-build.yml b/.github/workflows/preset-image-build.yml index 85da26fff..32bdb7145 100644 --- a/.github/workflows/preset-image-build.yml +++ b/.github/workflows/preset-image-build.yml @@ -40,11 +40,6 @@ jobs: matrix: ${{ steps.affected_models.outputs.matrix }} is_matrix_empty: ${{ steps.check_matrix_empty.outputs.is_empty }} steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: @@ -86,11 +81,6 @@ jobs: model: ${{fromJson(needs.determine-models.outputs.matrix)}} max-parallel: 3 steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - name: Checkout uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: From 1025201b509fd33d5e0472d0289b428a61ef6469 Mon Sep 17 00:00:00 2001 From: Heba Elayoty Date: Thu, 2 May 2024 20:22:09 -0700 Subject: [PATCH 3/3] Remove scorecard pipeline Signed-off-by: Heba Elayoty --- .github/workflows/scorecards.yml | 76 -------------------------------- 1 file changed, 76 deletions(-) delete mode 100644 .github/workflows/scorecards.yml diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml deleted file mode 100644 index b4c4e07e0..000000000 --- a/.github/workflows/scorecards.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -# This workflow uses actions that are not certified by GitHub. They are provided -# by a third-party and are governed by separate terms of service, privacy -# policy, and support documentation. - -name: Scorecard supply-chain security -on: - # For Branch-Protection check. Only the default branch is supported. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection - branch_protection_rule: - # To guarantee Maintained check is occasionally updated. See - # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained - schedule: - - cron: '20 7 * * 2' - push: - branches: ["main"] - -# Declare default permissions as read only. -permissions: read-all - -jobs: - analysis: - name: Scorecard analysis - runs-on: ubuntu-latest - permissions: - # Needed to upload the results to code-scanning dashboard. - security-events: write - # Needed to publish results and get a badge (see publish_results below). - id-token: write - contents: read - actions: read - - steps: - - name: Harden Runner - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0 - with: - egress-policy: audit - - - name: "Checkout code" - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - with: - persist-credentials: false - - - name: "Run analysis" - uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6 - with: - results_file: results.sarif - results_format: sarif - # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: - # - you want to enable the Branch-Protection check on a *public* repository, or - # - you are installing Scorecards on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
- # repo_token: ${{ secrets.SCORECARD_TOKEN }} - - # Public repositories: - # - Publish results to OpenSSF REST API for easy access by consumers - # - Allows the repository to include the Scorecard badge. - # - See https://github.com/ossf/scorecard-action#publishing-results. - # For private repositories: - # - `publish_results` will always be set to `false`, regardless - # of the value entered here. - publish_results: true - - # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF - # format to the repository Actions tab. - - name: "Upload artifact" - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - with: - name: SARIF file - path: results.sarif - retention-days: 5 - - # Upload the results to GitHub's code scanning dashboard. - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@a82bad71823183e5b120ab52d521460ecb0585fe # v2.24.9 - with: - sarif_file: results.sarif