Merge pull request #817 from BenjamenMeyer/bugfix_ossf_scorecard

Enhancement: Update the GH Actions
vegastrike · Nov 27, 2023 · 7d9b6ed · 7d9b6ed
2 parents 6b5262e + 6fea6a8
commit 7d9b6ed
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 10 deletions.
diff --git a/.github/workflows/README.rst b/.github/workflows/README.rst
@@ -0,0 +1,12 @@
+Vega Strike Git Hub Actions Guidance
+====================================
+
+VS will allow many actions that are beneficial to the project.
+We also apply the OSSF Score Card to our projects.
+
+To help with reliability of the GH Actions they should be tagged
+against the associated release SHA Hash instead of Git Tag.
+
+References
+----------
+- https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -21,20 +21,30 @@ jobs:
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
         with:
           fetch-depth: 2
 
+      - name: Download benchmark bundle
+        env:
+           GH_TOKEN: ${{ github.token }}
+        # download the latest version
+        run: |
+           gh release download -R github/codeql-action --pattern 'codeql-bundle.tar.gz'
+
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0225834cc549ee0ca93cb085b92954821a145866 #v2.3.5
+        uses: github/codeql-action/init@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3
         with:
           languages: ${{ matrix.language }}
+          tools: codeql-bundle.tar.gz
 
       - name: Bootstrap and Build the Code
         run: |
           sudo script/bootstrap
           script/build
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0225834cc549ee0ca93cb085b92954821a145866 #v2.3.5
+        uses: github/codeql-action/analyze@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3
+        with:
+          tools: codeql-bundle.tar.gz
diff --git a/.github/workflows/fortify-on-demand-scan.yml b/.github/workflows/fortify-on-demand-scan.yml
@@ -16,12 +16,11 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
 
       - name: Fortify on Demand Scan
         # You may pin to the exact commit or the version.
-        # uses: fortify/gha-setup-fod-uploader@636f3c3a14aec1747eec5242a02c6349e4f3cce6
-        uses: fortify/[email protected]
+        uses: fortify/gha-setup-fod-uploader@16e5036c084b26cee63cb0c38cfc2101cc9fd13d #v1.1.3
         with:
           # FoDUploader version to use
           version: latest
diff --git a/.github/workflows/scorecards-analysis.yml b/.github/workflows/scorecards-analysis.yml
@@ -19,15 +19,23 @@ jobs:
       security-events: write
       actions: read
       contents: read
+      id-token: write
 
     steps:
       - name: "Check out code"
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
         with:
           persist-credentials: false
 
+      - name: Download benchmark bundle
+        env:
+           GH_TOKEN: ${{ github.token }}
+        # download the latest version
+        run: |
+           gh release download -R github/codeql-action --pattern 'codeql-bundle.tar.gz'
+
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e3e75cf2ffbf9364bbff86cdbdf52b23176fe492 # v1.0.1
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 #v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -42,14 +50,15 @@ jobs:
 
       # Upload the results as artifacts (optional).
       - name: "Upload artifact"
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce #v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
+        uses: github/codeql-action/upload-sarif@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3
         with:
           sarif_file: results.sarif
+          tools: codeql-bundle.tar.gz