feat(openSSF scorecard): introduce CI + badge #472
Conversation
Signed-off-by: Augustin Mauroy <[email protected]>
|
@bjosv Does this seem right to you? |
Co-authored-by: Madelyn Olson <[email protected]>
There was a problem hiding this comment.
@AugustinMauroy Can you add it on your fork's unstable branch so we can see that it works there?
.github/workflows/scorecard.yml
Outdated
| schedule: | ||
| - cron: '25 6 * * 6' | ||
| push: | ||
| branches: [ "main" ] |
There was a problem hiding this comment.
We don't have branch called "main".
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## unstable #472 +/- ##
============================================
+ Coverage 68.90% 69.83% +0.92%
============================================
Files 109 109
Lines 61793 61791 -2
============================================
+ Hits 42579 43150 +571
+ Misses 19214 18641 -573 |
There was a problem hiding this comment.
Nice, but some comments below.
Is this based on a template that I haven't seen, or is taken from https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml ?
| # Needed to publish results and get a badge (see publish_results below). | ||
| id-token: write | ||
| # Uncomment the permissions below if installing in a private repository. | ||
| # contents: read |
There was a problem hiding this comment.
Is this needed? The default permission is read-all already.
| # - Publish results to OpenSSF REST API for easy access by consumers | ||
| # - Allows the repository to include the Scorecard badge. | ||
| # - See https://github.com/ossf/scorecard-action#publishing-results. | ||
| # For private repositories: |
There was a problem hiding this comment.
Maybe we should remove comments about private repos here in the valkey repo?
| # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF | ||
| # format to the repository Actions tab. | ||
| - name: "Upload artifact" | ||
| uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 |
There was a problem hiding this comment.
Ossf's examples uses the latest version of actions/upload-artifact, i.e. v4.3.3.
Any reason for using v3?
There was a problem hiding this comment.
template i had found use v3 so we can update it
| # Upload the results to GitHub's code scanning dashboard (optional). | ||
| # Commenting out will disable upload of results to your repo's Code Scanning dashboard | ||
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 |
Co-authored-by: Björn Svensson <[email protected]>
Adding openSSF scorecard. It's add CI and badge. Also action allow us to have an UI to see what is wrong or good.
Fixes #211