From b7e74b5686d81917820dcdc303fc0d11ec42a363 Mon Sep 17 00:00:00 2001 From: Matthieu MOREL Date: Thu, 22 Aug 2024 11:40:30 +0200 Subject: [PATCH] Setup scorecard workflow Signed-off-by: Matthieu MOREL --- .github/workflows/commands.yml | 7 ++-- .github/workflows/scorecard.yml | 37 ++++++++++++++++++ .github/workflows/test.yaml | 67 +++++++++++++++++---------------- .yamllint => .yamllint.yaml | 1 + README.md | 3 ++ 5 files changed, 79 insertions(+), 36 deletions(-) create mode 100644 .github/workflows/scorecard.yml rename .yamllint => .yamllint.yaml (85%) diff --git a/.github/workflows/commands.yml b/.github/workflows/commands.yml index f16ee679..d14ed5de 100644 --- a/.github/workflows/commands.yml +++ b/.github/workflows/commands.yml @@ -1,16 +1,15 @@ name: commands on: issue_comment: - types: [created] - + types: + - created jobs: retest: if: github.repository == 'containernetworking/cni' runs-on: ubuntu-latest steps: - name: Check out code - uses: actions/checkout@v4 - + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Re-Test Action uses: ./.github/actions/retest-action with: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000..03047fe5 --- /dev/null +++ b/.github/workflows/scorecard.yml 
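Review bot: The `retest` job in commands.yml still runs with the repository's default `GITHUB_TOKEN` scopes, while this same commit adds explicit `permissions:` blocks to the lint job in test.yaml and to scorecard.yml; an `issue_comment`-triggered job is exactly where a minimal token matters, and Scorecard's Token-Permissions check will report the gap. A job-level block starting from `permissions:` / `contents: read` is the usual shape, but the scopes that `./.github/actions/retest-action` actually needs are defined outside this diff, so they should be read from that action before the block is added. The SHA pin with the `# v4.1.7` comment on the checkout step is the right pattern and matches the pins used in test.yaml.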
@@ -0,0 +1,37 @@
+name: Scorecard supply-chain security
+on:
+ branch_protection_rule:
+ push:
+ branches:
+ - main
+ schedule:
+ - cron: 29 15 * * 0
+permissions: read-all
+jobs:
+ analysis:
+ name: Scorecard analysis
+ permissions:
+ id-token: write
+ security-events: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ with:
+ persist-credentials: false
+ - name: Run analysis
+ uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+ - name: Upload artifact
+ uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+ - name: Upload to code-scanning
+ uses: github/codeql-action/upload-sarif@f0f3afee809481da311ca3a6ff1ff51d81dbeb24 # v3.26.4
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 5de61efe..5d51b29d 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
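Review bot: The checkout step in scorecard.yml is pinned to `actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, whereas commands.yml and test.yaml in this same commit pin `actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7`; two SHAs of the same action means two revisions to audit and two entries for Dependabot to track, so aligning this step to the v4.1.7 pin keeps the repository on a single reviewed revision. The job-level `permissions:` block has no comment explaining why `id-token: write` and `security-events: write` are granted; a one-line comment per scope, e.g. `# id-token: write is required by publish_results: true` and `# security-events: write is required by the upload-sarif step`, would stop a later reader from trimming them, and it is worth stating in the same place that a job-level block replaces the workflow-level `read-all`, so this job holds only these two scopes. The artifact upload is pinned to the `v3.pre.node20` line of `actions/upload-artifact`, which as far as I know is on a deprecation path in favour of v4; worth confirming before this lands so the scheduled run does not start failing later.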
@@ -1,40 +1,25 @@ ---- name: test -on: ["push", "pull_request"] +on: + - push + - pull_request env: - GO_VERSION: "1.22" - LINUX_ARCHES: "amd64 386 arm arm64 s390x mips64le ppc64le" + GO_VERSION: '1.22' + LINUX_ARCHES: amd64 386 arm arm64 s390x mips64le ppc64le jobs: - lint: - name: Lint - runs-on: ubuntu-latest - steps: - - name: setup go - uses: actions/setup-go@v5 - with: - go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v4 - - uses: ibiqlik/action-yamllint@v3 - with: - format: auto - - uses: golangci/golangci-lint-action@v6 - with: - args: --verbose - version: v1.57.1 + build: name: Build all linux architectures needs: lint runs-on: ubuntu-latest steps: - name: setup go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v4 - + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 - name: Build on all supported architectures run: | set -e 
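Review bot: The two pins in the `build` job, `uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32` and `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332`, carry no `# vX.Y.Z` comment, unlike the identical SHAs in the lint, test-linux and test-win jobs of the following hunks; without the comment a reviewer cannot tell which release the SHA corresponds to, and Dependabot keeps the version comment in sync only where one exists. Suggest `uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2` and `uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7` to match the rest of the file. The `build` job's `run: |` block is cut by the hunk boundary and continues in the next hunk.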
@@ -43,28 +28,46 @@ jobs: GOARCH=$arch go build ./... done + lint: + name: Lint + permissions: + contents: read + pull-requests: read + runs-on: ubuntu-latest + steps: + - name: setup go + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + with: + go-version: ${{ env.GO_VERSION }} + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1 + with: + format: auto + config_file: .yamllint.yaml + - uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 + with: + args: --verbose + version: v1.57.1 + test-linux: name: Run tests on Linux amd64 needs: build runs-on: ubuntu-latest steps: - name: setup go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v4 - + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Install test binaries run: | go install github.com/mattn/goveralls@v0.0.12 go install github.com/modocache/gover@latest - - name: test run: COVERALLS=1 ./test.sh - - - name: Send coverage to coveralls - env: + - env: COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }} + name: Send coverage to coveralls run: | PATH=$PATH:$(go env GOPATH)/bin gover @@ -76,9 +79,9 @@ jobs: runs-on: windows-latest steps: - name: setup go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: ${{ env.GO_VERSION }} - - uses: actions/checkout@v4 + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: test run: bash ./test.sh diff --git a/.yamllint b/.yamllint.yaml similarity index 85% rename from .yamllint rename to .yamllint.yaml index 579bc221..802e8c8b 100644 --- a/.yamllint +++ b/.yamllint.yaml 
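Review bot: Only the new `lint` job declares `permissions:` (`contents: read`, `pull-requests: read`); the `build`, `test-linux` and `test-win` jobs in this and the following hunk still run with the default token scopes, and `test-linux` hands `GITHUB_TOKEN` to goveralls as `COVERALLS_TOKEN`, so that is the job where a minimal token matters most. A workflow-level `permissions:` / `contents: read` block at the top of test.yaml (the `on:` stanza is in the first hunk) would cover every job without per-job repetition, with the lint job keeping its own block if `pull-requests: read` is genuinely needed there. Separately, the reordered coverage step now opens with `- env:` and has `name: Send coverage to coveralls` as its second key, which reads unlike every other step in the file; keeping `- name:` first, then `env:`, then `run:` keeps the steps uniform.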
@@ -3,6 +3,7 @@ extends: default rules: document-start: disable + line-length: disable truthy: ignore: | .github/workflows/*.yml diff --git a/README.md b/README.md index 1ad32e24..7b0c2148 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,9 @@ # CNI - the Container Network Interface +[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/2446/badge)](https://bestpractices.coreinfrastructure.org/projects/2446) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/containernetworking/cni/badge)](https://securityscorecards.dev/viewer/?uri=github.com/containernetworking/cni) + ## What is CNI? CNI (_Container Network Interface_), a [Cloud Native Computing Foundation](https://cncf.io) project, consists of a specification and libraries for writing plugins to configure network interfaces in Linux containers, along with a number of supported plugins.
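Review bot: `line-length: disable` switches the check off for every YAML file, when the motivation appears to be the SHA-pinned `uses:` lines this commit adds, which exceed 80 columns only for the longer action names (`ibiqlik/action-yamllint@…`, `golangci/golangci-lint-action@…`). Raising the limit instead, `line-length:` / `max: 120`, keeps the rule active for the rest of the tree. The `truthy` ignore glob `.github/workflows/*.yml` matches the new scorecard.yml but not test.yaml, whose `on:` key the same commit rewrites; if that file is meant to be exempt as well, the ignore block needs a second `.github/workflows/*.yaml` entry.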