Skip to content
This repository has been archived by the owner on Aug 25, 2024. It is now read-only.

ossf scorecard best practices #374

ossf scorecard best practices

ossf scorecard best practices #374

Workflow file for this run

name: "Pin: Downstream: 2nd party"
# TODO 3rd party will be based off ActivityPub
# - References
# - RFCv5.1: IETF SCITT: Use Case: Attestations of alignment to S2C2F and org Overlays: https://github.com/ietf-scitt/use-cases/blob/a832905e3c428fd54b1c08d4851801383eac91a6/openssf_metrics.md#use-case-attestations-of-alignment-to-s2c2f-and-org-overlays
on:
pull_request_target:
types:
- opened
- synchronize
- reopened
branches:
- main
push:
branches:
- main
permissions:
contents: read
jobs:
manifest:
runs-on: ubuntu-latest
# Disabled currently
if: false
outputs:
length: ${{ steps.create-manifest-instance.outputs.length }}
manifest: ${{ steps.create-manifest-instance.outputs.github_actions_manifest }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
- name: Set up Python
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: "3.11"
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Build manifest from plugins.json from pull request
id: create-manifest-instance
env:
PLUGINS_JSON: "dffml/plugins.json"
SCHEMA: "TODO-dffml-2ndparty-pin"
JSON_INDENT: " "
shell: python -u {0}
run: |
import os
import json
import pathlib
plugins = json.loads(pathlib.Path(os.environ["PLUGINS_JSON"]).read_text())
manifest = plugins["plugins"]["parties"]["2nd"]
# SECURITY Allowlist of 2nd party orgs to pin
for downstream in manifest:
if not downstream["source_url"].startswith("https://github.com/dffml/"):
raise ValueError(f"source_url not in allowed org: {downstream!r}")
github_actions_manifest = {
"include": manifest,
}
json_ld_manifest = {
"@context": {
"@vocab": os.environ["SCHEMA"],
},
**github_actions_manifest,
}
print(json.dumps(json_ld_manifest, sort_keys=True, indent=os.environ.get("JSON_INDENT", None)))
if "GITHUB_OUTPUT" in os.environ:
with open(os.environ["GITHUB_OUTPUT"], "a") as fileobj:
fileobj.write(f'length={len(manifest)}\n')
fileobj.write(f"manifest={json.dumps(manifest, sort_keys=True)}\n")
fileobj.write(f'github_actions_manifest={json.dumps(github_actions_manifest, sort_keys=True)}\n')
fileobj.write(f'json_ld_manifest={json.dumps(json_ld_manifest, sort_keys=True)}\n')
pin_downstream_pep_440:
permissions:
contents: write # for Git to git push
name: "Pin downstream to latest commit"
runs-on: ubuntu-latest
# Disabled currently
if: false
env:
PIN_PULL_REQUEST_EMAIL: '[email protected]'
PIN_PULL_REQUEST_NAME: 'Alice Alchemy'
GH_ACCESS_TOKEN: ${{ secrets.PIN_DOWNSTREAM_2ND_PARTY_GH_ACCESS_TOKEN }}
PIN_TO_COMMIT: ${{ github.event.after || github.event.pull_request.head.sha }}
UPSTREAM_PACKAGE_NAME: 'dffml'
BUMP_DEP: "dffml @ https://github.com/intel/dffml/archive/"
needs:
- manifest
strategy:
fail-fast: false
max-parallel: 100
matrix: ${{ fromJSON(needs.manifest.outputs.manifest) }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
- name: Checkout downstream
env:
# TODO Pull requests on pull requests, probably from renovate/dependabot
# https://github.com/intel/dffml/pull/1061#pullrequestreview-1281885921
TARGET_REPO_URL: ${{ matrix.source_url }}
TARGET_BRANCH: ${{ matrix.branch }}
TARGET_COMMIT: ${{ matrix.branch }}
run: |
set -x
git init
git remote add origin "${TARGET_REPO_URL}"
git fetch origin "${TARGET_BRANCH}" --depth 1
git fetch origin "${TARGET_COMMIT}" --depth 1
git reset --hard "origin/${TARGET_COMMIT}"
- name: Find repo local dependent files
id: repo-local-downstream
run: |
set -x
get_files() {
git grep "${BUMP_DEP}" | sed -e 's/:.*//g' | sort | uniq
}
echo files_length=$(get_files | wc -l) >> $GITHUB_OUTPUT
- name: Update pinning of upstream within downstream
if: ${{ fromJSON(steps.repo-local-downstream.outputs.files_length) > 0 }}
id: create-pull-request
env:
NEW_HASH: ${{ env.PIN_TO_COMMIT }}
COMMIT_MESSAGE: "setup: Pin ${{ env.UPSTREAM_PACKAGE_NAME }} to ${{ env.PIN_TO_COMMIT }}\n${{ github.event.pull_request.html_url }}\n${{ github.server_url }}/${{ github.repository }}/commit/${{ env.PIN_TO_COMMIT }}\n${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
NEW_BRANCH_WITH_PIN: "pin/pep_440/${{ github.repository }}/${{ env.PIN_TO_COMMIT }}"
FILES: ${{ toJSON(steps.repo-local-downstream.outputs.files) }}
BASE: ${{ matrix.branch }}
run: |
set -x
get_files() {
git grep "${BUMP_DEP}" | sed -e 's/:.*//g' | sort | uniq
}
# https://github.com/dffml/dffml-model-transformers/blob/898af4a51d9b5d70d58ce80ba2c508f3afa82400/setup.cfg#L6
sed -i -r -e "s#${BUMP_DEP}[A-Fa-f0-9]{40}#${BUMP_DEP}${NEW_HASH}#g" $(get_files)
git checkout -b "${NEW_BRANCH_WITH_PIN}"
git config user.email "${PIN_PULL_REQUEST_EMAIL}"
git config user.name "${PIN_PULL_REQUEST_NAME}"
git commit -sam "${COMMIT_MESSAGE}"
git log -n 1 -p
mkdir -p ~/.config/gh/
echo "github.com:" > ~/.config/gh/hosts.yml
echo " oauth_token: ${GH_ACCESS_TOKEN}" >> ~/.config/gh/hosts.yml
echo " user: token" >> ~/.config/gh/hosts.yml
echo " git_protocol: https" >> ~/.config/gh/hosts.yml
gh auth setup-git
git push -u origin -f "${NEW_BRANCH_WITH_PIN}"
gh pr create --base "${BASE}" --head "${NEW_BRANCH_WITH_PIN}" --title "${COMMIT_MESSAGE}" --body "" | tee pull-request-url
PULL_REQUEST_URL="$(cat pull-request-url)"
if [[ "x${PULL_REQUEST_URL}" == "x" ]]; then
echo "No pull request URL" 1>&2
exit 1
fi
echo "url=${PULL_REQUEST_URL}" | tee -a $GITHUB_OUTPUT