diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 5eab31a497..457fc2b73c 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -29,13 +29,15 @@ jobs:
 runs-on: ${{ matrix.os }}
 continue-on-error: ${{ matrix.experimental }}
 steps:
- # We run the build twice for each supported JDK: once against the
- # original Error Prone release, using only Error Prone checks available
- # on Maven Central, and once against the Picnic Error Prone fork,
- # additionally enabling all checks defined in this project and any
- # Error Prone checks available only from other artifact repositories.
+ # We run the build twice for each supported JDK: once against the
+ # original Error Prone release, using only Error Prone checks available
+ # on Maven Central, and once against the Picnic Error Prone fork,
+ # additionally enabling all checks defined in this project and any Error
+ # Prone checks available only from other artifact repositories.
 - name: Check out code
 uses: actions/checkout@v3.1.0
+ with:
+ persist-credentials: false
 - name: Set up JDK
 uses: actions/setup-java@v3.8.0
 with:
diff --git a/.github/workflows/deploy-website.yaml b/.github/workflows/deploy-website.yaml
index 2f2e7ad54a..a17d1a0bdd 100644
--- a/.github/workflows/deploy-website.yaml
+++ b/.github/workflows/deploy-website.yaml
@@ -3,16 +3,18 @@ on:
 pull_request:
 push:
 branches: [ master, website ]
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
 build:
- permissions:
- contents: read
 runs-on: ubuntu-22.04
 steps:
 - name: Check out code
 uses: actions/checkout@v3.1.0
+ with:
+ persist-credentials: false
 - uses: ruby/setup-ruby@v1.126.0
 with:
 working-directory: ./website
diff --git a/.github/workflows/openssf-scorecard.yml b/.github/workflows/openssf-scorecard.yml
new file mode 100644
index 0000000000..202e8c170d
--- /dev/null
+++ b/.github/workflows/openssf-scorecard.yml
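Review bot: Every action in this hunk is pinned by a mutable tag (`uses: actions/checkout@v3.1.0`, `uses: actions/setup-java@v3.8.0`), which the Pinned-Dependencies check of the Scorecard workflow added in this same commit will report; pin by full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3.1.0`. The same applies to the `uses:` lines in the deploy-website.yaml, openssf-scorecard.yml, pitest-analyze-pr.yml and pitest-update-pr.yml hunks. The job this hunk belongs to starts before the hunk, so whether build.yaml declares a `permissions:` block is not visible; if it has none, the workflow-level `permissions: contents: read` that this commit adds to deploy-website.yaml would be the matching least-privilege default here.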
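Review bot: Moving `permissions: contents: read` from the `build` job to workflow scope changes the default for every job in this file, not only `build`; the file continues past the hunk, so any later job that relied on the default token permissions now runs with `contents: read` only unless it declares its own block, which is worth confirming against what those jobs actually do. The intent should be recorded above the new block, e.g. `# Least-privilege default for all jobs; a job needing more must declare its own permissions block.`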
@@ -0,0 +1,36 @@
+# Analyzes the code base and GitHub project configuration for adherence to
+# security best practices for open source software. Identified issues are
+# registered with GitHub's code scanning dashboard. When a pull request is
+# analyzed, any offending lines are annotated. See
+# https://securityscorecards.dev for details.
+name: OpenSSF Scorecard update
+on:
+ pull_request:
+ push:
+ branches: [ master ]
+ schedule:
+ - cron: '0 4 * * 1'
+permissions:
+ contents: read
+jobs:
+ analyze:
+ permissions:
+ contents: read
+ security-events: write
+ id-token: write
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v3.1.0
+ with:
+ persist-credentials: false
+ - name: Run OpenSSF Scorecard analysis
+ uses: ossf/scorecard-action@v2.1.3
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: ${{ github.ref == 'refs/heads/master' }}
+ - name: Update GitHub's code scanning dashboard
+ uses: github/codeql-action/upload-sarif@v2.2.11
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/pitest-analyze-pr.yml b/.github/workflows/pitest-analyze-pr.yml
index db23d0b958..918022529a 100644
--- a/.github/workflows/pitest-analyze-pr.yml
+++ b/.github/workflows/pitest-analyze-pr.yml
@@ -15,6 +15,7 @@ jobs:
 uses: actions/checkout@v3.1.0
 with:
 fetch-depth: 2
+ persist-credentials: false
 - name: Set up JDK
 uses: actions/setup-java@v3.8.0
 with:
diff --git a/.github/workflows/pitest-update-pr.yml b/.github/workflows/pitest-update-pr.yml
index 1e3283b27a..913b781c10 100644
--- a/.github/workflows/pitest-update-pr.yml
+++ b/.github/workflows/pitest-update-pr.yml
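Review bot: The job-level `permissions` block of `analyze` grants `security-events: write` and `id-token: write` on every trigger, including `pull_request`, while `publish_results` is only true for `refs/heads/master`; permissions cannot be made conditional in the workflow, so the reason for each write grant should sit next to it so a later least-privilege pass does not remove one by mistake, e.g. `security-events: write  # upload-sarif writes code scanning alerts` and `id-token: write  # used by scorecard-action when publish_results is true`. The header comment explains what the workflow produces but not why the job needs more than `contents: read`, which is where a reader will look first.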
@@ -9,16 +9,20 @@ on:
 - completed
 permissions:
 actions: read
- checks: write
- contents: read
- pull-requests: write
 jobs:
 update-pr:
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ permissions:
+ actions: read
+ checks: write
+ contents: read
+ pull-requests: write
 runs-on: ubuntu-22.04
 steps:
 - name: Check out code
 uses: actions/checkout@v3.1.0
+ with:
+ persist-credentials: false
 - name: Set up JDK
 uses: actions/setup-java@v3.8.0
 with:
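Review bot: The new job-level `permissions` block repeats `actions: read`, which is required rather than redundant because a job-level block replaces the workflow-level one entirely, but nothing in the hunk says so; a comment such as `# Job-level permissions replace the workflow-level block, so actions: read must be repeated here.` would stop a future cleanup from dropping it. This workflow is triggered by `workflow_run` (the `- completed` context line) and the job holds `pull-requests: write` and `checks: write`, so it runs with repository-level privileges on behalf of whichever run triggered it; the steps that consume that run's output are outside the hunk, and anything read from it should be treated as untrusted data before it reaches a step that uses those write grants. The `if:` guard checks only the upstream run's conclusion, not its origin.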