name: "Pin: Downstream: 2nd party"
# TODO 3rd party will be based off ActivityPub
# - References
#   - RFCv5.1: IETF SCITT: Use Case: Attestations of alignment to S2C2F and org Overlays: https://github.com/ietf-scitt/use-cases/blob/a832905e3c428fd54b1c08d4851801383eac91a6/openssf_metrics.md#use-case-attestations-of-alignment-to-s2c2f-and-org-overlays
on:
  push:
    branches: ["main"]
  # pull_request_target runs the BASE branch's copy of this workflow with the
  # repository's secrets, which is what allows the pin job to use its PAT for
  # pull requests coming from forks. Anything that checks out or executes the
  # pull request's own content therefore needs explicit care in the jobs below.
  pull_request_target:
    types: [opened, synchronize, reopened]
    branches: ["main"]
# Read-only GITHUB_TOKEN by default; a job that needs more declares it itself.
permissions:
  contents: read
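jobs:
  # Reads dffml/plugins.json and turns the "2nd party" entries into a matrix
  # (the `include` form) consumed by the pin job. Every entry ends up as
  # arguments to `git remote add` / `git fetch`, so the script validates the
  # fields it emits rather than passing them through untouched.
  manifest:
    runs-on: ubuntu-latest
    # Disabled currently
    if: false
    outputs:
      length: ${{ steps.create-manifest-instance.outputs.length }}
      manifest: ${{ steps.create-manifest-instance.outputs.github_actions_manifest }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
        with:
          egress-policy: audit
      - name: Set up Python
        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
        with:
          python-version: "3.11"
      # SECURITY No `ref:` is given on purpose. Under pull_request_target the
      # default checkout is the BASE branch, so plugins.json below is trusted
      # repository content, not the pull request's. Do not point this checkout
      # at the pull request head: that would let a fork choose which repos the
      # pin job pushes to with the PAT.
      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
      - name: Build manifest from plugins.json from pull request
        id: create-manifest-instance
        env:
          PLUGINS_JSON: "dffml/plugins.json"
          SCHEMA: "TODO-dffml-2ndparty-pin"
          JSON_INDENT: " "
        shell: python -u {0}
        run: |
          import os
          import re
          import json
          import pathlib
          plugins = json.loads(pathlib.Path(os.environ["PLUGINS_JSON"]).read_text())
          manifest = plugins["plugins"]["parties"]["2nd"]
          # SECURITY Allowlist of 2nd party orgs to pin. The trailing "/" matters:
          # without it "https://github.com/dffml-evil/..." would also pass.
          ALLOWED_ORG_PREFIX = "https://github.com/dffml/"
          # The pin job passes `branch` straight to `git fetch origin <branch>`;
          # only accept a plain ref name so it can never be parsed as an option
          # (leading "-") or carry shell-significant characters.
          REF_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")
          if not isinstance(manifest, list):
              raise ValueError(f"plugins.parties.2nd must be a list: {manifest!r}")
          for downstream in manifest:
              if not isinstance(downstream, dict):
                  raise ValueError(f"2nd party entry must be an object: {downstream!r}")
              source_url = downstream.get("source_url")
              if not isinstance(source_url, str) or not source_url.startswith(ALLOWED_ORG_PREFIX):
                  raise ValueError(f"source_url not in allowed org: {downstream!r}")
              # Required because the pin job fetches and opens its PR against it;
              # failing here gives a clearer error than an empty `git fetch` later.
              branch = downstream.get("branch")
              if not isinstance(branch, str) or not REF_NAME.fullmatch(branch):
                  raise ValueError(f"branch missing or not a plain ref name: {downstream!r}")
          github_actions_manifest = {
              "include": manifest,
          }
          json_ld_manifest = {
              "@context": {
                  "@vocab": os.environ["SCHEMA"],
              },
              **github_actions_manifest,
          }
          print(json.dumps(json_ld_manifest, sort_keys=True, indent=os.environ.get("JSON_INDENT", None)))
          if "GITHUB_OUTPUT" in os.environ:
              # Each value is written without an indent so it stays on one line,
              # which is what the single-line `name=value` output format needs.
              with open(os.environ["GITHUB_OUTPUT"], "a") as fileobj:
                  fileobj.write(f'length={len(manifest)}\n')
                  fileobj.write(f"manifest={json.dumps(manifest, sort_keys=True)}\n")
                  fileobj.write(f'github_actions_manifest={json.dumps(github_actions_manifest, sort_keys=True)}\n')
                  fileobj.write(f'json_ld_manifest={json.dumps(json_ld_manifest, sort_keys=True)}\n')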
pin_downstream_pep_440: | |
permissions: | |
contents: write # for Git to git push | |
name: "Pin downstream to latest commit" | |
runs-on: ubuntu-latest | |
# Disabled currently | |
if: false | |
env: | |
PIN_PULL_REQUEST_EMAIL: '[email protected]' | |
PIN_PULL_REQUEST_NAME: 'Alice Alchemy' | |
GH_ACCESS_TOKEN: ${{ secrets.PIN_DOWNSTREAM_2ND_PARTY_GH_ACCESS_TOKEN }} | |
PIN_TO_COMMIT: ${{ github.event.after || github.event.pull_request.head.sha }} | |
UPSTREAM_PACKAGE_NAME: 'dffml' | |
BUMP_DEP: "dffml @ https://github.com/intel/dffml/archive/" | |
needs: | |
- manifest | |
strategy: | |
fail-fast: false | |
max-parallel: 100 | |
matrix: ${{ fromJSON(needs.manifest.outputs.manifest) }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1 | |
with: | |
egress-policy: audit | |
- name: Checkout downstream | |
env: | |
# TODO Pull requests on pull requests, probably from renovate/dependabot | |
# https://github.com/intel/dffml/pull/1061#pullrequestreview-1281885921 | |
TARGET_REPO_URL: ${{ matrix.source_url }} | |
TARGET_BRANCH: ${{ matrix.branch }} | |
TARGET_COMMIT: ${{ matrix.branch }} | |
run: | | |
set -x | |
git init | |
git remote add origin "${TARGET_REPO_URL}" | |
git fetch origin "${TARGET_BRANCH}" --depth 1 | |
git fetch origin "${TARGET_COMMIT}" --depth 1 | |
git reset --hard "origin/${TARGET_COMMIT}" | |
- name: Find repo local dependent files | |
id: repo-local-downstream | |
run: | | |
set -x | |
get_files() { | |
git grep "${BUMP_DEP}" | sed -e 's/:.*//g' | sort | uniq | |
} | |
echo files_length=$(get_files | wc -l) >> $GITHUB_OUTPUT | |
- name: Update pinning of upstream within downstream | |
if: ${{ fromJSON(steps.repo-local-downstream.outputs.files_length) > 0 }} | |
id: create-pull-request | |
env: | |
NEW_HASH: ${{ env.PIN_TO_COMMIT }} | |
COMMIT_MESSAGE: "setup: Pin ${{ env.UPSTREAM_PACKAGE_NAME }} to ${{ env.PIN_TO_COMMIT }}\n${{ github.event.pull_request.html_url }}\n${{ github.server_url }}/${{ github.repository }}/commit/${{ env.PIN_TO_COMMIT }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" | |
NEW_BRANCH_WITH_PIN: "pin/pep_440/${{ github.repository }}/${{ env.PIN_TO_COMMIT }}" | |
FILES: ${{ toJSON(steps.repo-local-downstream.outputs.files) }} | |
BASE: ${{ matrix.branch }} | |
run: | | |
set -x | |
get_files() { | |
git grep "${BUMP_DEP}" | sed -e 's/:.*//g' | sort | uniq | |
} | |
# https://github.com/dffml/dffml-model-transformers/blob/898af4a51d9b5d70d58ce80ba2c508f3afa82400/setup.cfg#L6 | |
sed -i -r -e "s#${BUMP_DEP}[A-Fa-f0-9]{40}#${BUMP_DEP}${NEW_HASH}#g" $(get_files) | |
git checkout -b "${NEW_BRANCH_WITH_PIN}" | |
git config user.email "${PIN_PULL_REQUEST_EMAIL}" | |
git config user.name "${PIN_PULL_REQUEST_NAME}" | |
git commit -sam "${COMMIT_MESSAGE}" | |
git log -n 1 -p | |
mkdir -p ~/.config/gh/ | |
echo "github.com:" > ~/.config/gh/hosts.yml | |
echo " oauth_token: ${GH_ACCESS_TOKEN}" >> ~/.config/gh/hosts.yml | |
echo " user: token" >> ~/.config/gh/hosts.yml | |
echo " git_protocol: https" >> ~/.config/gh/hosts.yml | |
gh auth setup-git | |
git push -u origin -f "${NEW_BRANCH_WITH_PIN}" | |
gh pr create --base "${BASE}" --head "${NEW_BRANCH_WITH_PIN}" --title "${COMMIT_MESSAGE}" --body "" | tee pull-request-url | |
PULL_REQUEST_URL="$(cat pull-request-url)" | |
if [[ "x${PULL_REQUEST_URL}" == "x" ]]; then | |
echo "No pull request URL" 1>&2 | |
exit 1 | |
fi | |
echo "url=${PULL_REQUEST_URL}" | tee -a $GITHUB_OUTPUT |