mirror of
https://github.com/flutter/flutter
synced 2024-10-12 19:23:02 +00:00
96a2c05358
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.3 to 2.2.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ossf/scorecard-action/releases">ossf/scorecard-action's releases</a>.</em></p> <blockquote> <h2>v2.2.0</h2> <h2>What's Changed</h2> <ul> <li>🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by <a href="https://github.com/spencerschrock"><code>@âspencerschrock</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1192">ossf/scorecard-action#1192</a></li> </ul> <h2>Scorecard Result Viewer</h2> <p>Thanks to contributions from <a href="https://github.com/cynthia-sg"><code>@âcynthia-sg</code></a> and <a href="https://github.com/tegioz"><code>@âtegioz</code></a> at <a href="https://github.com/cncf/clomonitor">CLOMonitor</a>, there is a new Scorecard Result visualization page at <code>https://securityscorecards.dev/viewer/?uri=<project-url></code>.</p> <ul> <li><a href="https://redirect.github.com/ossf/scorecard-webapp/pull/406">ossf/scorecard-webapp#406</a></li> <li><a href="https://redirect.github.com/ossf/scorecard-webapp/pull/422">ossf/scorecard-webapp#422</a></li> </ul> <p>As an example, you can see our own score visualized <a href="https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard">here</a> Checkout our <a href="08b4669551/README.md (scorecard-badge)
">README</a> to learn how to link your README badge to the new visualization page.</p> <h2>Publishing Results</h2> <p>This release contains two fixes which will improve the user experience when <code>publish_results</code> is <code>true</code></p> <ul> <li>Runs that fail our <a href="08b4669551/README.md (workflow-restrictions)
">workflow restrictions</a> will fail with a 400 response indicating the problem, instead of a vague 500 status. (<a href="https://redirect.github.com/ossf/scorecard-action/pull/1156">ossf/scorecard-action#1156</a>, resolved <a href="https://redirect.github.com/ossf/scorecard-action/issues/1150">ossf/scorecard-action#1150</a>)</li> <li>Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. (<a href="https://redirect.github.com/ossf/scorecard-action/pull/1191">ossf/scorecard-action#1191</a>)</li> </ul> <h2>Docs</h2> <ul> <li>ð Update README to accept fine-grained tokens by <a href="https://github.com/pnacht"><code>@âpnacht</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1175">ossf/scorecard-action#1175</a></li> <li>ð Update installation instructions to match current GitHub UI by <a href="https://github.com/joycebrum"><code>@âjoycebrum</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1153">ossf/scorecard-action#1153</a></li> <li>ð Document the GitHub action workflow restrictions when publishing results. by <a href="https://github.com/spencerschrock"><code>@âspencerschrock</code></a> in</li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/bobcallaway"><code>@âbobcallaway</code></a> made their first contribution in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1140">ossf/scorecard-action#1140</a></li> <li><a href="https://github.com/pnacht"><code>@âpnacht</code></a> made their first contribution in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1175">ossf/scorecard-action#1175</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0">https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="08b4669551
"><code>08b4669</code></a> 🌱 Bump docker tag to for v2.2.0 release. (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1194">#1194</a>)</li> <li><a href="3c7470f58c
"><code>3c7470f</code></a> 📖 Update README badge link to use new uri param. (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1185">#1185</a>)</li> <li><a href="a164dbc12a
"><code>a164dbc</code></a> 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1192">#1192</a>)</li> <li><a href="597960e1d9
"><code>597960e</code></a> 📖 Update README to accept fine-grained tokens (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1175">#1175</a>)</li> <li><a href="8808ed28c3
"><code>8808ed2</code></a> 🌱 Retry external network calls when publishing results (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1191">#1191</a>)</li> <li><a href="0eed6cb5da
"><code>0eed6cb</code></a> 🌱 Bump golang.org/x/net from 0.10.0 to 0.11.0</li> <li><a href="6c6335c126
"><code>6c6335c</code></a> 🌱 Bump github/codeql-action from 2.3.6 to 2.20.0</li> <li><a href="7f1baf380a
"><code>7f1baf3</code></a> 📖 Switch recommended badge link to the new viewer. (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1176">#1176</a>)</li> <li><a href="df98bbc13d
"><code>df98bbc</code></a> 🌱 Bump actions/checkout from 3.5.2 to 3.5.3</li> <li><a href="75886d414a
"><code>75886d4</code></a> 🌱 Bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1172">#1172</a>)</li> <li>Additional commits viewable in <a href="80e868c13c...08b4669551
">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ossf/scorecard-action&package-manager=github_actions&previous-version=2.1.3&new-version=2.2.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>
57 lines
1.9 KiB
YAML
57 lines
1.9 KiB
YAML
name: Scorecards supply-chain security
|
|
on:
|
|
# Only the default branch is supported.
|
|
branch_protection_rule:
|
|
push:
|
|
branches: [ master ]
|
|
|
|
# Declare default permissions as read only.
|
|
permissions: read-all
|
|
|
|
jobs:
|
|
analysis:
|
|
name: Scorecards analysis
|
|
runs-on: ubuntu-latest
|
|
if: ${{ github.repository == 'flutter/flutter' }}
|
|
permissions:
|
|
# Needed to upload the results to code-scanning dashboard.
|
|
security-events: write
|
|
actions: read
|
|
contents: read
|
|
# Needed to access OIDC token.
|
|
id-token: write
|
|
|
|
steps:
|
|
- name: "Checkout code"
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: "Run analysis"
|
|
uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031
|
|
with:
|
|
results_file: results.sarif
|
|
results_format: sarif
|
|
# Read-only PAT token. To create it,
|
|
# follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
|
|
repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
|
|
# Publish the results to enable scorecard badges. For more details, see
|
|
# https://github.com/ossf/scorecard-action#publishing-results.
|
|
# For private repositories, `publish_results` will automatically be set to `false`,
|
|
# regardless of the value entered here.
|
|
publish_results: true
|
|
|
|
# Upload the results as artifacts (optional).
|
|
- name: "Upload artifact"
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
|
|
with:
|
|
name: SARIF file
|
|
path: results.sarif
|
|
retention-days: 5
|
|
|
|
# Upload the results to GitHub's code scanning dashboard.
|
|
- name: "Upload to code-scanning"
|
|
uses: github/codeql-action/upload-sarif@04df1262e6247151b5ac09cd2c303ac36ad3f62b
|
|
with:
|
|
sarif_file: results.sarif
|