
Commit 7d3b702

feat(security): add OpenSSF Scorecard, dependency review, and PR labeler
Three new auto-running workflows extend the public-OSS hardening surface:

- scorecard.yml: OpenSSF Scorecard analysis on push to main, weekly schedule, branch protection rule changes, and workflow_dispatch. Uploads SARIF to the Security tab and publishes results to scorecard.dev. Pinned ossf/scorecard-action v2.4.3.
- dependency-review.yml: blocks PRs introducing dependencies with high-severity vulnerabilities or licenses outside the AGPL-3.0 compatible allow-list. Pinned actions/dependency-review-action v5.0.0.
- labeler.yml plus .github/labeler.yml: applies area labels by changed paths (ci-cd / scripts / plugin / docs / tests / serena-memories / release / security / system). Pinned actions/labeler v6.1.0.

All actions pinned by full commit SHA; validate_action_pins.py covers 9 workflow files after this change.
1 parent 76aaf56 commit 7d3b702

4 files changed

Lines changed: 213 additions & 0 deletions


.github/labeler.yml

Lines changed: 83 additions & 0 deletions
@@ -0,0 +1,83 @@
1+
area/ci-cd:
2+
- changed-files:
3+
- any-glob-to-any-file:
4+
- .github/workflows/**
5+
- .github/actions/**
6+
- .github/dependabot.yml
7+
- .github/branch-protection/**
8+
9+
area/scripts:
10+
- changed-files:
11+
- any-glob-to-any-file:
12+
- scripts/**
13+
14+
area/plugin/rldyour-flow:
15+
- changed-files:
16+
- any-glob-to-any-file:
17+
- plugins/rldyour-flow/**
18+
19+
area/plugin/rldyour-serena-mcp:
20+
- changed-files:
21+
- any-glob-to-any-file:
22+
- plugins/rldyour-serena-mcp/**
23+
24+
area/plugin/rldyour-mcps:
25+
- changed-files:
26+
- any-glob-to-any-file:
27+
- plugins/rldyour-mcps/**
28+
29+
area/plugin/other:
30+
- changed-files:
31+
- any-glob-to-any-file:
32+
- plugins/rldyour-browser/**
33+
- plugins/rldyour-design/**
34+
- plugins/rldyour-explore/**
35+
- plugins/rldyour-lsps/**
36+
- plugins/rldyour-rules/**
37+
- plugins/rldyour-security/**
38+
39+
area/system:
40+
- changed-files:
41+
- any-glob-to-any-file:
42+
- system/**
43+
44+
area/docs:
45+
- changed-files:
46+
- any-glob-to-any-file:
47+
- docs/**
48+
- README.md
49+
- CONTRIBUTING.md
50+
- SECURITY.md
51+
- CODE_OF_CONDUCT.md
52+
- CHANGELOG.md
53+
54+
area/tests:
55+
- changed-files:
56+
- any-glob-to-any-file:
57+
- tests/**
58+
59+
area/serena-memories:
60+
- changed-files:
61+
- any-glob-to-any-file:
62+
- .serena/memories/**
63+
64+
area/release:
65+
- changed-files:
66+
- any-glob-to-any-file:
67+
- VERSION
68+
- CHANGELOG.md
69+
- LICENSE
70+
- pyproject.toml
71+
- scripts/release_*.py
72+
- scripts/validate_release.sh
73+
74+
area/security:
75+
- changed-files:
76+
- any-glob-to-any-file:
77+
- SECURITY.md
78+
- system/rules/**
79+
- scripts/scan_text_security.py
80+
- .github/workflows/security-static.yml
81+
- .github/workflows/codeql.yml
82+
- .github/workflows/scorecard.yml
83+
- .github/workflows/dependency-review.yml
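Review bot: `.github/labeler.yml` itself matches no rule, so a PR that only changes label routing gets no area label; `area/ci-cd` covers `.github/workflows/**`, `.github/actions/**`, `.github/dependabot.yml` and `.github/branch-protection/**` but not this config file. Suggest adding `- .github/labeler.yml` under `area/ci-cd`. The overlaps (`CHANGELOG.md` under both `area/docs` and `area/release`, `SECURITY.md` under both `area/docs` and `area/security`) will apply two labels to one change; fine if intended, but a short comment in the file would make that explicit.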
.github/workflows/dependency-review.yml

Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,52 @@
1+
name: dependency-review
2+
3+
on:
4+
pull_request:
5+
branches: [main]
6+
7+
permissions:
8+
contents: read
9+
10+
concurrency:
11+
group: dependency-review-${{ github.workflow }}-${{ github.ref }}
12+
cancel-in-progress: true
13+
14+
jobs:
15+
review:
16+
name: Dependency review
17+
runs-on: ubuntu-latest
18+
timeout-minutes: 10
19+
steps:
20+
- name: Checkout
21+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
22+
23+
- name: Review dependencies
24+
uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0
25+
with:
26+
fail-on-severity: high
27+
allow-licenses: >-
28+
AGPL-3.0,
29+
AGPL-3.0-only,
30+
AGPL-3.0-or-later,
31+
Apache-2.0,
32+
BSD-2-Clause,
33+
BSD-3-Clause,
34+
CC0-1.0,
35+
GPL-2.0,
36+
GPL-2.0-only,
37+
GPL-2.0-or-later,
38+
GPL-3.0,
39+
GPL-3.0-only,
40+
GPL-3.0-or-later,
41+
ISC,
42+
LGPL-2.1,
43+
LGPL-2.1-only,
44+
LGPL-2.1-or-later,
45+
LGPL-3.0,
46+
LGPL-3.0-only,
47+
LGPL-3.0-or-later,
48+
MIT,
49+
MPL-2.0,
50+
Python-2.0,
51+
Unlicense
52+
comment-summary-in-pr: on-failure
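Review bot: `comment-summary-in-pr: on-failure` requires `pull-requests: write`, but this workflow only grants `contents: read`, so the failure summary will not be posted to the PR and the result will only be visible in the check log; add a job-level `permissions:` block with `contents: read` and `pull-requests: write`, as the labeler workflow in this same commit does. Separately, the allow-list contains `GPL-2.0` and `GPL-2.0-only`, which are not compatible with AGPL-3.0 (only the `-or-later` form is), so the list does not match the commit message's "AGPL-3.0 compatible allow-list"; drop those two entries or document the exception next to them.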

.github/workflows/labeler.yml

Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
name: labeler
2+
3+
on:
4+
pull_request_target:
5+
types: [opened, synchronize, reopened, edited]
6+
7+
permissions:
8+
contents: read
9+
10+
concurrency:
11+
group: labeler-${{ github.workflow }}-${{ github.event.pull_request.number }}
12+
cancel-in-progress: true
13+
14+
jobs:
15+
label:
16+
name: Auto-label pull request
17+
runs-on: ubuntu-latest
18+
timeout-minutes: 5
19+
permissions:
20+
contents: read
21+
pull-requests: write
22+
steps:
23+
- name: Apply labels by changed paths
24+
uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
25+
with:
26+
configuration-path: .github/labeler.yml
27+
sync-labels: true
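Review bot: `sync-labels: true` removes any `area/*` label whose globs no longer match the changed files, so a label a maintainer applied by hand will be stripped on the next `synchronize` or `edited` event; either drop `sync-labels` or state in the file that area labels are owned by this workflow only. The `pull_request_target` trigger is handled safely here because the job never checks out or runs PR-head content; keep it that way if steps are added later, since this job's token carries `pull-requests: write` even for fork PRs.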

.github/workflows/scorecard.yml

Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,51 @@
1+
name: scorecard
2+
3+
on:
4+
branch_protection_rule:
5+
schedule:
6+
- cron: "0 3 * * 1"
7+
push:
8+
branches: [main]
9+
workflow_dispatch:
10+
11+
permissions: read-all
12+
13+
concurrency:
14+
group: scorecard-${{ github.workflow }}-${{ github.ref }}
15+
cancel-in-progress: false
16+
17+
jobs:
18+
analysis:
19+
name: OSSF Scorecard analysis
20+
runs-on: ubuntu-latest
21+
timeout-minutes: 15
22+
permissions:
23+
security-events: write
24+
id-token: write
25+
contents: read
26+
actions: read
27+
steps:
28+
- name: Checkout
29+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
30+
with:
31+
persist-credentials: false
32+
33+
- name: Run analysis
34+
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
35+
with:
36+
results_file: results.sarif
37+
results_format: sarif
38+
publish_results: true
39+
40+
- name: Upload Scorecard SARIF (workflow artifact)
41+
if: always()
42+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
43+
with:
44+
name: scorecard-results
45+
path: results.sarif
46+
retention-days: 14
47+
48+
- name: Upload Scorecard SARIF (code scanning)
49+
uses: github/codeql-action/upload-sarif@458d36d7d4f47d0dd16ca424c1d3cda0060f1360 # v3
50+
with:
51+
sarif_file: results.sarif
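Review bot: the `github/codeql-action/upload-sarif` pin is annotated only with `# v3`, while every other step records the exact release it was pinned to (`# v6.0.2`, `# v2.4.3`, `# v7.0.1`); record the exact tag that SHA corresponds to so the pin can be audited and bumped like the others. The `if: always()` on the artifact upload is right for debugging a failed analysis, but `results.sarif` may then not exist; with `actions/upload-artifact`'s default `if-no-files-found: warn` that only produces a warning, which is worth noting in a comment so nobody later "fixes" it to `error`.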
