Configure OpenSSF workflow (#2306)

* docs: 📝 update README.md * ci: 🩺 add ossf scorecard workflow * add osv-scanner.toml to example apps (symlink from config) * add osv-scanner.toml to test fixtures * docs: 📝 update README * chore: 🔒 pin dependencies Co-authored-by: Tom Longridge <[email protected]> --------- Co-authored-by: Tom Longridge <[email protected]>
bugsnag · Feb 7, 2025 · ff4ebcd · ff4ebcd
1 parent 15b9f1f
commit ff4ebcd
Show file tree

Hide file tree

Showing 34 changed files with 312 additions and 16 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -42,11 +42,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +60,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -73,6 +73,6 @@ jobs:
     #     ./location_of_script_within_repo/buildscript.sh
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/pr-diff.yml b/.github/workflows/pr-diff.yml
@@ -7,12 +7,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Setup node
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
         with:
           node-version: 18.x
 
       - name: Checkout base branch
-        uses: actions/checkout@v1
+        uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
         with:
           ref: ${{ github.base_ref }}
 
@@ -27,7 +27,7 @@ jobs:
           cat packages/browser/dist/bugsnag.min.js | gzip | wc -c > .diff/size-before-gzipped
 
       - name: Checkout PR branch
-        uses: actions/checkout@v1
+        uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0
         with:
           clean: false
 
@@ -41,6 +41,6 @@ jobs:
           cat packages/browser/dist/bugsnag.min.js | gzip | wc -c > .diff/size-after-gzipped
 
       - name: Run danger
-        uses: danger/[email protected]
+        uses: danger/danger-js@eaab0aa05301018d1a6d2d63ef493109616bb120 # 9.1.6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,73 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: OpenSSF Scorecard
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '0 0 * * 0'
+  push:
+    branches: [ "next" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/signing.yml b/.github/workflows/signing.yml
@@ -23,7 +23,7 @@ jobs:
         run: |
           echo "${{ secrets.PLATFORMS_GPG_KEY_BASE64 }}" | base64 --decode | gpg --batch --import
       - name: Sign assets
-        uses: bugsnag/platforms-release-signer@main
+        uses: bugsnag/platforms-release-signer@4d88944b11e503624f8a511cf6d0fa2901822b60 # main
         with:
           github_token: ${{ secrets.PLATFORMS_SIGNING_GITHUB_TOKEN }}
           full_repository: ${{ github.repository }}

diff --git a/.github/workflows/test-electron.yml b/.github/workflows/test-electron.yml
@@ -13,8 +13,8 @@ jobs:
         os: [ ubuntu-latest ]
 
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
       with:
         node-version: ${{ matrix.node-version }}
     - name: (Act) install build tools and dependencies
@@ -29,7 +29,7 @@ jobs:
       if: ${{ !env.ACT }}
       run: |
         echo "::set-output name=dir::$(npm config get cache)"
-    - uses: actions/cache@v4
+    - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
       id: npm-cache
       if: ${{ !env.ACT }}
       with:
@@ -65,7 +65,7 @@ jobs:
         START_LOCAL_NPM: 1
         VERBOSE: 1
         ELECTRON_VERSION: ${{ matrix.electron }}
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       if: failure()
       with:
         name: cucumber-failures

diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
@@ -24,7 +24,7 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       REVIEWER: gingerbenw
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: next
 
@@ -35,7 +35,7 @@ jobs:
       - run: git fetch --prune --unshallow
 
       - name: Install ruby
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@8711a86ab6f9aa72890da4123b2ef7283b6b22b6 # v1.217.0
         with:
           ruby-version: 2.7
 

diff --git a/README.md b/README.md
@@ -1,4 +1,15 @@
-# Bugsnag error monitoring & reporting for JavaScript
+<div align="center">
+  <a href="https://www.bugsnag.com/platforms/javascript">
+    <picture>
+      <source media="(prefers-color-scheme: dark)" srcset="https://assets.smartbear.com/m/3dab7e6cf880aa2b/original/BugSnag-Repository-Header-Dark.svg">
+      <img alt="SmartBear BugSnag logo" src="https://assets.smartbear.com/m/3945e02cdc983893/original/BugSnag-Repository-Header-Light.svg">
+    </picture>
+  </a>
+  <h1>Error monitoring & reporting for JavaScript</h1>
+</div>
+
+[![Documentation](https://img.shields.io/badge/documentation-latest-blue.svg)](https://docs.bugsnag.com/platforms/javascript/)
+[![Build status](https://badge.buildkite.com/3d7b170ff1190e95999586fb4e2c67edfbe70484a5c0ecfa70.svg)](https://buildkite.com/bugsnag/bugsnag-js)
 
 Automatically detect JavaScript errors in the browser, Node.js and React Native, with plugins for React, Vue, Angular, Express, Restify and Koa. Get cross-platform error detection for handled and unhandled errors with real-time error alerts and detailed diagnostic reports.
 

diff --git a/config/osv-scanner.ignore.toml b/config/osv-scanner.ignore.toml
@@ -0,0 +1,186 @@
+# Ignore all vulnerabilities in example and test apps
+[[IgnoredVulns]]
+id = "GHSA-fwr7-v2mv-hh25"
+
+[[IgnoredVulns]]
+id = "GHSA-qwcr-r2fm-qrc7"
+
+[[IgnoredVulns]]
+id = "GHSA-grv7-fg5c-xmjg"
+
+[[IgnoredVulns]]
+id = "GHSA-pxg6-pf52-xh8x"
+
+[[IgnoredVulns]]
+id = "GHSA-3xgq-45jj-v275"
+
+[[IgnoredVulns]]
+id = "GHSA-rv95-896h-c2vc"
+
+[[IgnoredVulns]]
+id = "GHSA-qw6h-vgh9-j6wx"
+
+[[IgnoredVulns]]
+id = "GHSA-2p57-rm9w-gvfp"
+
+[[IgnoredVulns]]
+id = "GHSA-8cf7-32gw-wr33"
+
+[[IgnoredVulns]]
+id = "GHSA-hjrf-2m68-5959"
+
+[[IgnoredVulns]]
+id = "GHSA-qwph-4952-7xr6"
+
+[[IgnoredVulns]]
+id = "GHSA-5v2h-r2cx-5xgj"
+
+[[IgnoredVulns]]
+id = "GHSA-rrrm-qjm4-v8hf"
+
+[[IgnoredVulns]]
+id = "GHSA-952p-6rrq-rcjv"
+
+[[IgnoredVulns]]
+id = "GHSA-f8q6-p94x-37v3"
+
+[[IgnoredVulns]]
+id = "GHSA-r683-j2x4-v87g"
+
+[[IgnoredVulns]]
+id = "GHSA-9wv6-86v2-598j"
+
+[[IgnoredVulns]]
+id = "GHSA-rhx6-c78j-4q9w"
+
+[[IgnoredVulns]]
+id = "GHSA-hrpp-h998-j3pp"
+
+[[IgnoredVulns]]
+id = "GHSA-7f53-fmmv-mfjv"
+
+[[IgnoredVulns]]
+id = "GHSA-p8p7-x288-28g6"
+
+[[IgnoredVulns]]
+id = "GHSA-c2qf-rxjj-qqgw"
+
+[[IgnoredVulns]]
+id = "GHSA-m6fv-jmcg-4jfg"
+
+[[IgnoredVulns]]
+id = "GHSA-cm22-4g7w-348p"
+
+[[IgnoredVulns]]
+id = "GHSA-72xf-g2v4-qvf3"
+
+[[IgnoredVulns]]
+id = "GHSA-vg6x-rcgg-rjx6"
+
+[[IgnoredVulns]]
+id = "GHSA-c7qv-q95q-8v27"
+
+[[IgnoredVulns]]
+id = "GHSA-35jh-r3h4-6jhm"
+
+[[IgnoredVulns]]
+id = "GHSA-4vvj-4cpr-p986"
+
+[[IgnoredVulns]]
+id = "GHSA-3h5v-q93c-6h6q"
+
+[[IgnoredVulns]]
+id = "GHSA-r95h-9x8f-r3f7"
+
+[[IgnoredVulns]]
+id = "GHSA-vcc3-rw6f-jv97"
+
+[[IgnoredVulns]]
+id = "GHSA-xc9x-jj77-9p9j"
+
+[[IgnoredVulns]]
+id = "GHSA-22f2-v57c-j9cx"
+
+[[IgnoredVulns]]
+id = "GHSA-54rr-7fvw-6x8f"
+
+[[IgnoredVulns]]
+id = "GHSA-xj5v-6v4g-jfw6"
+
+[[IgnoredVulns]]
+id = "GHSA-2rxp-v6pw-ch6m"
+
+[[IgnoredVulns]]
+id = "GHSA-4xqq-m2hx-25v8"
+
+[[IgnoredVulns]]
+id = "GHSA-5866-49gr-22v4"
+
+[[IgnoredVulns]]
+id = "GHSA-r55c-59qm-vjw6"
+
+[[IgnoredVulns]]
+id = "GHSA-vg3r-rm7w-2xgh"
+
+[[IgnoredVulns]]
+id = "GHSA-vmwr-mc7x-5vc3"
+
+[[IgnoredVulns]]
+id = "GHSA-6f62-3596-g6w7"
+
+[[IgnoredVulns]]
+id = "GHSA-rrr8-f88r-h8q6"
+
+[[IgnoredVulns]]
+id = "GHSA-434g-2637-qmqr"
+
+[[IgnoredVulns]]
+id = "GHSA-49q7-c7j4-3p7m"
+
+[[IgnoredVulns]]
+id = "GHSA-977x-g7h5-7qgw"
+
+[[IgnoredVulns]]
+id = "GHSA-f7q4-pwc6-w24p"
+
+[[IgnoredVulns]]
+id = "GHSA-fc9h-whq2-v747"
+
+[[IgnoredVulns]]
+id = "GHSA-cr5q-6q9f-rq6q"
+
+[[IgnoredVulns]]
+id = "GHSA-j6gc-792m-qgm2"
+
+[[IgnoredVulns]]
+id = "GHSA-pj73-v5mw-pm9j"
+
+[[IgnoredVulns]]
+id = "GHSA-7627-mp87-jf6q"
+
+[[IgnoredVulns]]
+id = "GHSA-g397-v4w5-4m79"
+
+[[IgnoredVulns]]
+id = "GHSA-67hx-6x53-jw92"
+
+[[IgnoredVulns]]
+id = "GHSA-c2jc-4fpr-4vhg"
+
+[[IgnoredVulns]]
+id = "GHSA-w573-4hg7-7wgq"
+
+[[IgnoredVulns]]
+id = "GHSA-7mhc-prgv-r3q4"
+
+[[IgnoredVulns]]
+id = "GHSA-78xj-cgh5-2h22"
+
+[[IgnoredVulns]]
+id = "GHSA-9c47-m6qq-7p4h"
+
+[[IgnoredVulns]]
+id = "GHSA-rxrc-rgv4-jpvx"
+
+[[IgnoredVulns]]
+id = "GHSA-j8xg-fqg3-53r7"
diff --git a/examples/electron/electron-basic/osv-scanner.toml b/examples/electron/electron-basic/osv-scanner.toml
@@ -0,0 +1 @@
+../../../config/osv-scanner.ignore.toml