From 3f3b8a9779577f4d5ebe8a0a4de08e8839aa91e7 Mon Sep 17 00:00:00 2001 From: Matt Dainty Date: Tue, 7 Nov 2023 00:08:08 +0000 Subject: [PATCH] ci: Follow OpenSSF best practices --- .github/workflows/build.yml | 21 ++++++++++++++++----- .github/workflows/pr-lint.yml | 9 ++++++--- .github/workflows/release.yml | 5 ++++- .pre-commit-config.yaml | 18 ++++++++++++++++++ LICENSE | 1 - README.md | 2 ++ 6 files changed, 46 insertions(+), 10 deletions(-) create mode 100644 .pre-commit-config.yaml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4a66d0c..1295145 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -10,6 +10,9 @@ on: schedule: - cron: 0 0 * * 1 +permissions: + contents: read + jobs: test: name: Build and Test @@ -21,17 +24,22 @@ jobs: - '1.19' - '1.20' + permissions: + checks: write + contents: read + pull-requests: read + steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set up Go - uses: actions/setup-go@v4 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ matrix.go }} - name: golangci-lint - uses: golangci/golangci-lint-action@v3 + uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0 if: github.event_name == 'pull_request' with: only-new-issues: true @@ -40,7 +48,7 @@ jobs: run: go test -v -coverprofile=cover.out ./... - name: Send coverage - uses: shogo82148/actions-goveralls@v1 + uses: shogo82148/actions-goveralls@7b1bd2871942af030d707d6574e5f684f9891fb2 # v1.8.0 with: path-to-profile: cover.out flag-name: Go-${{ matrix.go }} @@ -50,7 +58,10 @@ jobs: needs: test runs-on: ubuntu-latest + permissions: + checks: write + steps: - - uses: shogo82148/actions-goveralls@v1 + - uses: shogo82148/actions-goveralls@7b1bd2871942af030d707d6574e5f684f9891fb2 # v1.8.0 with: parallel-finished: true 
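Review bot: The SHA pins added to build.yml (and the same pattern in pr-lint.yml and release.yml) have nothing keeping them current: the diffstat shows no `.github/dependabot.yml` or Renovate config, so the trailing `# vX.Y.Z` comments will drift from the hash they annotate and fixes shipped in newer action releases will not be picked up. A small follow-up would be a Dependabot entry with `package-ecosystem: github-actions`, which updates the hash and the version comment together and is also what the OpenSSF Scorecard Dependency-Update-Tool check looks for. Separately, the job-level `permissions` block in the test job grants `checks: write` in a job that otherwise only reads; presumably this is for the goveralls status reporting, and a comment such as `checks: write  # needed by actions-goveralls to post the coverage check` would make that write scope auditable.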
diff --git a/.github/workflows/pr-lint.yml b/.github/workflows/pr-lint.yml index d6bc667..1ca6813 100644 --- a/.github/workflows/pr-lint.yml +++ b/.github/workflows/pr-lint.yml @@ -7,6 +7,9 @@ on: - edited - synchronize +permissions: + contents: read + jobs: main: name: Validate PR title @@ -16,12 +19,12 @@ jobs: pull-requests: write steps: - - uses: amannn/action-semantic-pull-request@v5 + - uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # v5.2.0 id: lint_pr_title env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: marocchino/sticky-pull-request-comment@v2 + - uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0 if: always() && steps.lint_pr_title.outputs.error_message != null with: header: pr-title-lint-error @@ -36,7 +39,7 @@ jobs: ${{ steps.lint_pr_title.outputs.error_message }} ``` - - uses: marocchino/sticky-pull-request-comment@v2 + - uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0 if: steps.lint_pr_title.outputs.error_message == null with: header: pr-title-lint-error diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b835e88..5f46efb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,13 +5,16 @@ on: branches: - main +permissions: + contents: read + jobs: release-please: runs-on: ubuntu-latest steps: - name: Run release-please - uses: google-github-actions/release-please-action@v3 + uses: google-github-actions/release-please-action@db8f2c60ee802b3748b512940dde88eabd7b7e01 # v3.7.13 with: command: manifest token: ${{ secrets.RELEASE_TOKEN }} diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..a75fd41 --- /dev/null +++ b/.pre-commit-config.yaml 
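Review bot: The new workflow-level `permissions: contents: read` in release.yml does not bound what the release-please step can do, because that step authenticates with `token: ${{ secrets.RELEASE_TOKEN }}` rather than the job's `GITHUB_TOKEN`, so the effective privilege of this workflow is whatever that stored secret is scoped to. Presumably a separate token is used so that release PRs trigger downstream workflows, but nothing on the page records that or the token's scope; a comment above the `token:` line, e.g. `# RELEASE_TOKEN: fine-grained PAT limited to this repo (contents + pull-requests write); GITHUB_TOKEN-created PRs do not trigger workflows`, would keep the least-privilege intent of this commit verifiable. If the secret is a classic PAT with broad scopes, replacing it with a fine-grained token scoped to this repository would bring it in line with the rest of the change.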
@@ -0,0 +1,18 @@ +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + - id: trailing-whitespace + - repo: https://github.com/commitizen-tools/commitizen + rev: v3.5.3 + hooks: + - id: commitizen + - repo: https://github.com/golangci/golangci-lint + rev: v1.54.1 + hooks: + - id: golangci-lint + - repo: https://github.com/gitleaks/gitleaks + rev: v8.18.0 + hooks: + - id: gitleaks diff --git a/LICENSE b/LICENSE index 08172a9..5a19a8f 100644 --- a/LICENSE +++ b/LICENSE @@ -27,4 +27,3 @@ SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - diff --git a/README.md b/README.md index cdcf4f8..26159bd 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,5 @@ +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/bodgit/sevenzip/badge)](https://securityscorecards.dev/viewer/?uri=github.com/bodgit/sevenzip) +[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/6882/badge)](https://www.bestpractices.dev/projects/6882) [![GitHub release](https://img.shields.io/github/v/release/bodgit/sevenzip)](https://github.com/bodgit/sevenzip/releases) [![Build Status](https://img.shields.io/github/actions/workflow/status/bodgit/sevenzip/build.yml?branch=main)](https://github.com/bodgit/sevenzip/actions?query=workflow%3ABuild) [![Coverage Status](https://coveralls.io/repos/github/bodgit/sevenzip/badge.svg?branch=master)](https://coveralls.io/github/bodgit/sevenzip?branch=master)
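Review bot: The new .pre-commit-config.yaml pins every hook to a tag (`rev: v4.4.0`, `rev: v3.5.3`, `rev: v1.54.1`, `rev: v8.18.0`) while the same commit pins every GitHub Action to a full commit SHA; tags are mutable references, so the two halves of the change follow different pinning policies. pre-commit accepts a commit hash in `rev`, e.g. `rev: <commit-sha>  # v8.18.0`, which would make the hook pins equivalent to the workflow pins and let the same dependency-update tool bump both. Note also that these hooks run only on developer machines, so the gitleaks and golangci-lint checks here are advisory; the golangci-lint step in build.yml remains the enforced one, and this commit adds no CI-side secret-scanning step to match the gitleaks hook.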