diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index d735519..d609107 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,4 +1,4 @@
-name: "CodeQL"
+name: CodeQL analysis
 on:
   push:
     branches:
@@ -9,21 +9,22 @@ on:
   schedule:
     - cron: '00 18 * * 1'
   workflow_dispatch:
+
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze
     runs-on: macos-latest
     permissions:
-      actions: read
-      contents: read
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Install dependencies
         run: brew install popt
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
         with:
           languages: cpp
           queries: security-and-quality
@@ -33,4 +34,4 @@ jobs:
           cmake -S . -B build
           cmake --build build
       - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index d3ba613..5951e86 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -1,8 +1,11 @@
-name: dependency-review
+name: Dependency review
 on:
   pull_request:
     branches:
       - main
+
+permissions: read-all
+
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
@@ -10,9 +13,9 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Dependency review
-        uses: actions/dependency-review-action@v4
+        uses: actions/dependency-review-action@9129d7d40b8c12c1ed0f60400d00c92d437adcce # v4.1.3
         with:
           comment-summary-in-pr: true
           fail-on-severity: low
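Review bot: Dropping `actions: read` and `contents: read` from the analyze job's `permissions` block (second hunk of codeql-analysis.yml) leaves that job with `contents: none`, because a job-level `permissions` key replaces the workflow-level `permissions: read-all` instead of extending it, and every scope not listed in a `permissions` block is set to none. The checkout and the CodeQL init/analyze steps are documented as needing `actions: read` and `contents: read` alongside `security-events: write`; on a public repository the checkout may still succeed anonymously, so the loss can be silent until a private pack or workflow lookup fails. Keep the two removed lines, `actions: read` and `contents: read`, next to `security-events: write`. The job-level block in dependency-review.yml lists only `pull-requests: write` (its header lies above the second hunk) and presumably has the same gap, though that part is pre-existing.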
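Review bot: The pinned checkout step in the second hunk of dependency-review.yml still lets `actions/checkout` store the job's GITHUB_TOKEN in the workspace's `.git/config` (the action's default `persist-credentials: true`), where the third-party step that follows could read it, and this job's token carries `pull-requests: write`. The new openssf-scorecard.yml in this same commit already sets `persist-credentials: false` on its checkout, so add `with:` and `persist-credentials: false` under this checkout step, and likewise under the checkout steps in codeql-analysis.yml and markdown-links.yml, so all four workflows follow the same pattern. A secondary point on the SHA pins with their `# v4.1.3`-style comments: they only stay current if an updater such as Dependabot's `github-actions` ecosystem is configured; I cannot see from this diff whether `.github/dependabot.yml` exists.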
diff --git a/.github/workflows/markdown-links.yml b/.github/workflows/markdown-links.yml
index 6fdb4d3..3daee2e 100644
--- a/.github/workflows/markdown-links.yml
+++ b/.github/workflows/markdown-links.yml
@@ -1,4 +1,4 @@
-name: "Markdown links"
+name: Markdown links check
 on:
   push:
     branches:
@@ -12,14 +12,17 @@ on:
   schedule:
     - cron: '0 18 * * 1'
   workflow_dispatch:
+
+permissions: read-all
+
 jobs:
   markdown-links:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
       - name: Check links in modified Markdown files
         if: github.event_name == 'pull_request'
-        uses: gaurav-nelson/github-action-markdown-link-check@v1
+        uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
         with:
           base-branch: main
           check-modified-files-only: yes
@@ -27,7 +30,7 @@ jobs:
           config-file: .github/markdown/markdown-links.json
       - name: Check links in all Markdown files
         if: github.event_name != 'pull_request'
-        uses: gaurav-nelson/github-action-markdown-link-check@v1
+        uses: gaurav-nelson/github-action-markdown-link-check@d53a906aa6b22b8979d33bc86170567e619495ec # 1.0.15
         with:
           use-verbose-mode: yes
           config-file: .github/markdown/markdown-links.json
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
new file mode 100644
index 0000000..59b815d
--- /dev/null
+++ b/.github/workflows/openssf-scorecard.yml
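Review bot: `permissions: read-all` in the second hunk of markdown-links.yml grants the job read access on every token scope, while the only steps are a checkout and a link checker that needs nothing beyond the working tree; `permissions:` followed by `  contents: read` is the smallest grant that still satisfies the checkout and is the form least-privilege tooling prefers. `read-all` is not wrong here, only broader than this job uses, and the same narrowing would apply to codeql-analysis.yml if its job-level block is restored. The `check-modified-files-only: yes` input in the same hunk is unchanged context, so I raise nothing about its YAML 1.1 truthy spelling.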
@@ -0,0 +1,38 @@
+name: OpenSSF Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '0 3 * * 1'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: OpenSSF Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Needed to upload the results to code scanning dashboard
+      id-token: write # Needed to publish results to OpenSSF API and get a badge (see publish_results below)
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          persist-credentials: false
+      - name: Run analysis
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+      - name: Upload Actions artifact
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      - name: Upload to code scanning dashboard
+        uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
+        with:
+          sarif_file: results.sarif
diff --git a/README.md b/README.md
index 8dfacff..c850600 100644
--- a/README.md
+++ b/README.md
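Review bot: `branches: [ "main" ]` in the new openssf-scorecard.yml uses flow style with padded brackets, while the other workflows touched by this commit write the same trigger in block style (`branches:` then `- main`, as in dependency-review.yml); use `branches:` / `  - main` here so the files read alike. The inline comments on the two `permissions` scopes are helpful; `publish_results: true` would benefit from a similar one-line comment, since publishing to the Scorecard API presumably only applies to a public repository and the badge added to README.md depends on that publication succeeding. The checkout step's `persist-credentials: false` and the SHA pins with version comments are the pattern the other three workflows should copy.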
@@ -2,7 +2,7 @@ # flog -[![CodeQL](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml/badge.svg?branch=main)](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml) [![Issues](https://img.shields.io/github/issues/marcransome/flog)](https://github.com/marcransome/flog/issues) [![License](https://img.shields.io/badge/license-MIT-blue)](https://opensource.org/licenses/mit-license.php) [![macOS](https://img.shields.io/badge/macOS-11+-blue)](https://www.apple.com/macos/) +[![OpenSSF Scorecard](https://img.shields.io/ossf-scorecard/github.com/marcransome/flog?label=OpenSSF%20Scorecard)](https://securityscorecards.dev/viewer/?uri=github.com/marcransome/flog) [![CodeQL](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml/badge.svg?branch=main)](https://github.com/marcransome/flog/actions/workflows/codeql-analysis.yml) [![Issues](https://img.shields.io/github/issues/marcransome/flog)](https://github.com/marcransome/flog/issues) [![License](https://img.shields.io/badge/license-MIT-blue)](https://opensource.org/licenses/mit-license.php) [![macOS](https://img.shields.io/badge/macOS-11+-blue)](https://www.apple.com/macos/) `flog` is a command-line tool for sending log messages to Apple's unified logging system and is primaily intended for use in scripts.