Merge branch 'main' into config-tests

.github/workflows/codeql-analysis.yml

@@ -1,4 +1,4 @@
-name: "CodeQL"
+name: CodeQL analysis
 on:
   push:
     branches:
@@ -9,21 +9,22 @@ on:
   schedule:
     - cron: '00 18 * * 1'
   workflow_dispatch:
+
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze
     runs-on: macos-latest
     permissions:
-      actions: read
-      contents: read
       security-events: write
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
     - name: Install dependencies
       run: brew install popt
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
       with:
         languages: cpp
         queries: security-and-quality
@@ -33,4 +34,4 @@ jobs:
         cmake -S . -B build
         cmake --build build
     - name: Perform CodeQL analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7

.github/workflows/dependency-review.yml

@@ -1,18 +1,21 @@
-name: dependency-review
+name: Dependency review
 on:
   pull_request:
     branches:
       - main
+
+permissions: read-all
+
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Dependency review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
         with:
           comment-summary-in-pr: true
           fail-on-severity: low

.github/workflows/markdown-links.yml

@@ -1,4 +1,4 @@
-name: "Markdown links"
+name: Markdown links check
 on:
   push:
     branches:
@@ -12,22 +12,25 @@ on:
   schedule:
     - cron: '0 18 * * 1'
   workflow_dispatch:
+
+permissions: read-all
+
 jobs:
   markdown-links:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
     - name: Check links in modified Markdown files
       if: github.event_name == 'pull_request'
-      uses: gaurav-nelson/github-action-markdown-link-check@v1
+      uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
       with:
         base-branch: main
         check-modified-files-only: yes
         use-verbose-mode: yes
         config-file: .github/markdown/markdown-links.json
     - name: Check links in all Markdown files
       if: github.event_name != 'pull_request'
-      uses: gaurav-nelson/github-action-markdown-link-check@v1
+      uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
       with:
         use-verbose-mode: yes
         config-file: .github/markdown/markdown-links.json

.github/workflows/openssf-scorecard.yml

@@ -0,0 +1,38 @@
+name: OpenSSF Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '0 3 * * 1'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: OpenSSF Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Needed to upload the results to code scanning dashboard
+      id-token: write # Needed to publish results to OpenSSF API and get a badge (see publish_results below)
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          persist-credentials: false
+      - name: Run analysis
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+      - name: Upload Actions artifact
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      - name: Upload to code scanning dashboard
+        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        with:
+          sarif_file: results.sarif

README.md

@@ -2,7 +2,7 @@
 
 # flog
 
-[![CodeQL](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml/badge.svg?branch=main)](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml) [![Issues](https://img.shields.io/github/issues/marcransome/flog)](https://github.com/marcransome/flog/issues) [![License](https://img.shields.io/badge/license-MIT-blue)](https://opensource.org/licenses/mit-license.php) [![macOS](https://img.shields.io/badge/macOS-11+-blue)](https://www.apple.com/macos/)
+[![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/marcransome/flog?label=OpenSSF%20Scorecard)](https://securityscorecards.dev/viewer/?uri=github.com/marcransome/flog) [![CodeQL](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml/badge.svg?branch=main)](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml) [![Issues](https://img.shields.io/github/issues/marcransome/flog)](https://github.com/marcransome/flog/issues) [![License](https://img.shields.io/badge/license-MIT-blue)](https://opensource.org/licenses/mit-license.php) [![macOS](https://img.shields.io/badge/macOS-11+-blue)](https://www.apple.com/macos/)
 
 `flog` is a command-line tool for sending log messages to Apple's unified logging system and is primaily intended for use in scripts.