Skip to content

Commit 1f7c842

Browse files
committed
chore: openssf scorecard hardening; bump 0.2.6
1 parent 236452a commit 1f7c842

9 files changed

Lines changed: 154 additions & 17 deletions

File tree

.github/workflows/ci.yml

Lines changed: 9 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -6,17 +6,20 @@ on:
66
pull_request:
77
branches: [master]
88

9+
permissions:
10+
contents: read
11+
912
env:
1013
CARGO_TERM_COLOR: always
1114

1215
jobs:
1316
check:
1417
runs-on: ubuntu-latest
1518
steps:
16-
- uses: actions/checkout@v4
19+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
1720
with:
1821
submodules: recursive
19-
- uses: dtolnay/rust-toolchain@stable
22+
- uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable
2023
with:
2124
components: clippy
2225
- name: Install system dependencies
@@ -27,21 +30,21 @@ jobs:
2730
test:
2831
runs-on: ubuntu-latest
2932
steps:
30-
- uses: actions/checkout@v4
33+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
3134
with:
3235
submodules: recursive
33-
- uses: dtolnay/rust-toolchain@stable
36+
- uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable
3437
- name: Install system dependencies
3538
run: sudo apt-get update && sudo apt-get install -y libclang-dev
3639
- run: cargo test --workspace --all-features
3740

3841
fmt:
3942
runs-on: ubuntu-latest
4043
steps:
41-
- uses: actions/checkout@v4
44+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
4245
with:
4346
submodules: recursive
44-
- uses: dtolnay/rust-toolchain@stable
47+
- uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable
4548
with:
4649
components: rustfmt
4750
- run: cargo fmt --check

.github/workflows/publish.yml

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -5,15 +5,18 @@ on:
55
tags:
66
- "v*"
77

8+
permissions:
9+
contents: read
10+
811
jobs:
912
publish:
1013
runs-on: ubuntu-latest
1114
steps:
12-
- uses: actions/checkout@v4
15+
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
1316
with:
1417
submodules: recursive
1518

16-
- uses: dtolnay/rust-toolchain@stable
19+
- uses: dtolnay/rust-toolchain@4be7066ada62dd38de10e7b70166bc74ed198c30 # stable
1720

1821
- name: Install system dependencies
1922
run: sudo apt-get update && sudo apt-get install -y libclang-dev
@@ -22,6 +25,6 @@ jobs:
2225
run: cargo test --workspace --all-features
2326

2427
- name: Publish to crates.io
25-
uses: katyo/publish-crates@v2
28+
uses: katyo/publish-crates@02cc2f1ad653fb25c7d1ff9eb590a8a50d06186b # v2
2629
with:
2730
registry-token: ${{ secrets.CARGO_REGISTRY_TOKEN }}

.github/workflows/scorecard.yml

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
name: Scorecard
2+
3+
# Runs OpenSSF Scorecard against the default branch and publishes the result so
4+
# the README badge (api.scorecard.dev) has something to read. Publishing is what
5+
# populates the badge; without publish_results the badge stays "unknown".
6+
on:
7+
branch_protection_rule:
8+
schedule:
9+
- cron: "20 7 * * 2"
10+
push:
11+
branches: [master]
12+
13+
permissions: read-all
14+
15+
jobs:
16+
analysis:
17+
name: Scorecard analysis
18+
runs-on: ubuntu-latest
19+
permissions:
20+
security-events: write # upload the SARIF to the Security tab
21+
id-token: write # sign the published results (publish_results)
22+
contents: read
23+
steps:
24+
- name: Checkout code
25+
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
26+
with:
27+
persist-credentials: false
28+
29+
- name: Run analysis
30+
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
31+
with:
32+
results_file: results.sarif
33+
results_format: sarif
34+
# Required for the public badge + api.scorecard.dev entry.
35+
publish_results: true
36+
37+
- name: Upload artifact
38+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
39+
with:
40+
name: SARIF file
41+
path: results.sarif
42+
retention-days: 5
43+
44+
- name: Upload to code-scanning
45+
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4
46+
with:
47+
sarif_file: results.sarif

CHANGELOG.md

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,14 @@
1+
## [0.2.6] - 2026-07-01
2+
3+
### Added
4+
- OpenSSF Scorecard workflow and README badge
5+
- `SECURITY.md` with private vulnerability reporting
6+
- `renovate.json` for dependency updates
7+
8+
### Changed
9+
- Workflow actions pinned to SHAs; least-privilege permissions
10+
- Bumped `rustls-webpki`, `anyhow`, `memmap2` to clear advisories
11+
112
## [0.2.5] - 2026-05-25
213

314
### Fixed

Cargo.lock

Lines changed: 7 additions & 7 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
# litehtml-rs
22

33
[![crates.io](https://img.shields.io/crates/v/litehtml.svg)](https://crates.io/crates/litehtml)
4+
[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/franzos/litehtml-rs/badge)](https://scorecard.dev/viewer/?uri=github.com/franzos/litehtml-rs)
45

56
Rust bindings for [litehtml](https://github.com/litehtml/litehtml) -- a lightweight HTML/CSS rendering engine. It handles email HTML and simple, content-focused websites well (think [bettermotherfuckingwebsite.com](http://bettermotherfuckingwebsite.com/)), but modern JS-heavy sites with megabytes of CSS will be slow or render incorrectly.
67

SECURITY.md

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
# Security Policy
2+
3+
litehtml-rs wraps a C++ HTML/CSS rendering engine and is often pointed at
4+
untrusted input (email HTML, arbitrary web pages), so I take reports about it
5+
seriously. Thanks for taking the time to look.
6+
7+
## Supported versions
8+
9+
This is pre-1.0 software and moves fast. Only the latest tagged release and the
10+
`master` branch get security fixes. There are no backports to older `0.x` tags,
11+
so if you're running an older build, the fix is to upgrade.
12+
13+
| Version | Supported |
14+
| -------------- | --------- |
15+
| latest release | yes |
16+
| `master` | yes |
17+
| older `0.x` | no |
18+
19+
## Reporting a vulnerability
20+
21+
Please report privately, not through a public issue or pull request.
22+
23+
- Email: mail@gofranz.com
24+
- If you use GitHub, you can also open a private advisory via the repository's
25+
Security tab ("Report a vulnerability").
26+
27+
Useful things to include, as far as you have them:
28+
29+
- what the issue is and the impact you think it has
30+
- the affected version or commit
31+
- steps to reproduce, or a proof of concept (a minimal HTML/CSS input that
32+
triggers the issue is ideal)
33+
- any logs or backtraces that help me confirm it
34+
35+
## What to expect
36+
37+
I'll acknowledge your report, confirm whether I can reproduce it, and keep you
38+
updated as I work on a fix. Once it's resolved I'm happy to credit you in the
39+
release notes, or keep you anonymous if you'd rather. Please give me a chance to
40+
ship a fix before disclosing publicly.
41+
42+
## Scope
43+
44+
The Rust code in this repository (the `litehtml` and `litehtml-sys` crates) is
45+
in scope, including the FFI boundary and the C wrapper. Bugs in upstream
46+
litehtml itself are better reported to
47+
[litehtml/litehtml](https://github.com/litehtml/litehtml), though I do want to
48+
hear about it if such a bug is reachable through how these bindings use it (for
49+
example a crash or memory-safety issue exposed across the safe Rust API).

litehtml/Cargo.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[package]
22
name = "litehtml"
3-
version = "0.2.5"
3+
version = "0.2.6"
44
edition = "2021"
55
license = "MIT"
66
authors = ["Franz Geffke <mail@gofranz.com>"]

renovate.json

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
{
2+
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
3+
"extends": [
4+
"config:best-practices",
5+
"schedule:weekly"
6+
],
7+
"labels": ["dependencies"],
8+
"dependencyDashboard": true,
9+
"dependencyDashboardApproval": true,
10+
"packageRules": [
11+
{
12+
"description": "One grouped PR for non-major Rust crate bumps",
13+
"matchManagers": ["cargo"],
14+
"matchUpdateTypes": ["minor", "patch"],
15+
"groupName": "cargo non-major"
16+
},
17+
{
18+
"description": "One grouped PR for GitHub Actions (keeps SHA pins + version comments fresh)",
19+
"matchManagers": ["github-actions"],
20+
"groupName": "github-actions"
21+
}
22+
]
23+
}

0 commit comments

Comments
 (0)