Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

scorecard workflow #156

Merged
merged 1 commit into from
Jul 27, 2023
Merged

scorecard workflow #156

merged 1 commit into from
Jul 27, 2023

Conversation

thepwagner
Copy link
Contributor

@thepwagner thepwagner commented Jul 27, 2023
edited
Loading

Manually creating a workflow to publish an OpenSSF scorecard. We want hansel's users to be assured of our security practices, and scorecards offer us a way to measure and demonstrate.

This uses a shared workflow in https://github.com/Shopify/github-workflows to centralize how the scorecard is created and published, we only provide that workflow with permission to:

  • Clone this repository (contents:read), so it has a local copy of the source to inspect
  • Leverage the Actions OIDC token (id-token: write), so it can publish results to the Scorecards service

We pass an organization-level SCORECARD_TOKEN as an argument, which grants administration:read permissions that aren't available to Actions by default. This allows the scorecard action to inspect branch protection settings of the repository, and include that in the generated results.

Testing instructions

We could remove the branch filter from the push trigger to test this in a branch. The action requires it be run from the default branch. It will first run when the PR is merged (and ideally subsequently as it shames me into improving branch protection settings 😆 ).

@thepwagner
scorecard workflow
11ed835 
Manually creating a workflow to publish an OpenSSF scorecard.
@thepwagner thepwagner requested a review from a team July 27, 2023 13:26
@thepwagner thepwagner self-assigned this Jul 27, 2023
@thepwagner thepwagner requested review from chrisshino and removed request for a team July 27, 2023 13:26
@thepwagner thepwagner mentioned this pull request Jul 27, 2023
Merged
@thepwagner thepwagner merged commit 9426f5d into main Jul 27, 2023
5 checks passed
@thepwagner thepwagner deleted the thepwagner-patch-1 branch July 27, 2023 14:05
This was referenced Jul 27, 2023
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dani-santos-code dani-santos-code dani-santos-code approved these changes

@chrisshino chrisshino Awaiting requested review from chrisshino chrisshino is a code owner automatically assigned from Shopify/infrasec

Assignees

@thepwagner thepwagner

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@thepwagner @dani-santos-code