Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhancement: Update the GH Actions #817

Merged
merged 6 commits into from
Nov 27, 2023
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions .github/workflows/README.rst
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
Vega Strike Git Hub Actions Guidance
====================================

VS will allow many actions that are beneficial to the project.
We also apply the OSSF Score Card to our projects.

To help with reliability of the GH Actions they should be tagged
against the associated release SHA Hash instead of Git Tag.

References
----------
- https://blog.rafaelgss.dev/why-you-should-pin-actions-by-commit-hash
16 changes: 13 additions & 3 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
@@ -21,20 +21,30 @@ jobs:

steps:
- name: Check out repository
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
with:
fetch-depth: 2

- name: Download benchmark bundle
env:
GH_TOKEN: ${{ github.token }}
# download the latest version
run: |
gh release download -R github/codeql-action --pattern 'codeql-bundle.tar.gz'
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can specify a tag to lock to a version or leave out the tag and always get the latest release.
It's not clear from the command-line docs if gh release download will work with the SHA hashes of the release so skipping that and just letting it use the latest release.


# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@0225834cc549ee0ca93cb085b92954821a145866 #v2.3.5
uses: github/codeql-action/init@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3
with:
languages: ${{ matrix.language }}
tools: codeql-bundle.tar.gz

- name: Bootstrap and Build the Code
run: |
sudo script/bootstrap
script/build

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@0225834cc549ee0ca93cb085b92954821a145866 #v2.3.5
uses: github/codeql-action/analyze@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3
with:
tools: codeql-bundle.tar.gz
5 changes: 2 additions & 3 deletions .github/workflows/fortify-on-demand-scan.yml
Original file line number Diff line number Diff line change
@@ -16,12 +16,11 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 #v3.5.3
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1

- name: Fortify on Demand Scan
# You may pin to the exact commit or the version.
# uses: fortify/gha-setup-fod-uploader@636f3c3a14aec1747eec5242a02c6349e4f3cce6
uses: fortify/gha-setup-fod-uploader@v1.0.1
uses: fortify/gha-setup-fod-uploader@16e5036c084b26cee63cb0c38cfc2101cc9fd13d #v1.1.3
with:
# FoDUploader version to use
version: latest
17 changes: 13 additions & 4 deletions .github/workflows/scorecards-analysis.yml
Original file line number Diff line number Diff line change
@@ -19,15 +19,23 @@ jobs:
security-events: write
actions: read
contents: read
id-token: write

steps:
- name: "Check out code"
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab #v3.5.2
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
with:
persist-credentials: false

- name: Download benchmark bundle
env:
GH_TOKEN: ${{ github.token }}
# download the latest version
run: |
gh release download -R github/codeql-action --pattern 'codeql-bundle.tar.gz'

- name: "Run analysis"
uses: ossf/scorecard-action@e3e75cf2ffbf9364bbff86cdbdf52b23176fe492 # v1.0.1
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 #v2.3.1
with:
results_file: results.sarif
results_format: sarif
@@ -42,14 +50,15 @@ jobs:

# Upload the results as artifacts (optional).
- name: "Upload artifact"
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce #v3.1.2
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26
uses: github/codeql-action/upload-sarif@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 #v2.15.3
with:
sarif_file: results.sarif
tools: codeql-bundle.tar.gz
Loading