Add Poutine SASL (open-quantum-safe#2213)

aidenfoxivey · web-flow · commit 01de36c1ec5e · 2025-07-29T11:03:31.000-04:00
* Change Nix install action to verified

Signed-off-by: Aiden Fox Ivey &lt;aiden@aidenfoxivey.com&gt;

* Integrate poutine

Signed-off-by: Aiden Fox Ivey &lt;aiden@aidenfoxivey.com&gt;

---------

Signed-off-by: Aiden Fox Ivey &lt;aiden@aidenfoxivey.com&gt;
diff --git a/.github/workflows/basic.yml b/.github/workflows/basic.yml
@@ -161,10 +161,9 @@ jobs:
     name: Check that Nix flake has correct syntax and can build
     runs-on: ubuntu-latest
     steps:
+      - uses: DeterminateSystems/nix-installer-action@90bb610b90bf290cad97484ba341453bd1cbefea # v19
       - name: Checkout code
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
-      - name: Install Nix
-        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72
       - name: Check devShell
         run: nix develop --command echo 
       - name: Check flake syntax
diff --git a/.github/workflows/commit-to-main.yml b/.github/workflows/commit-to-main.yml
@@ -17,7 +17,7 @@ jobs:
     secrets: inherit
 
   scorecard:
-    uses: ./.github/workflows/scorecard.yml
+    uses: ./.github/workflows/supplychain.yml
     secrets: inherit
     permissions:
       id-token: write
@@ -35,4 +35,4 @@ jobs:
   call-sig-benchmarking:
     uses: ./.github/workflows/sig-bench.yml
     permissions:
-      contents: write
+      contents: write
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -25,7 +25,7 @@ jobs:
 
   scorecard:
     needs: basic-checks
-    uses: ./.github/workflows/scorecard.yml
+    uses: ./.github/workflows/supplychain.yml
     secrets: inherit
     permissions:
       id-token: write
diff --git a/.github/workflows/supplychain.yml b/.github/workflows/supplychain.yml
@@ -25,15 +25,15 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           persist-credentials: false
 
-      - name: "Run analysis"
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # pin@v2.4.0
+      - name: "Run ossf scorecard"
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
-          results_file: results.sarif
           results_format: sarif
+          results_file: ossf_results.sarif
           # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
           # - you want to enable the Branch-Protection check on a *public* repository, or
           # - you are installing Scorecard on a *private* repository
@@ -49,16 +49,42 @@ jobs:
           #     of the value entered here.
           publish_results: true
 
+      - name: "Run poutine supply chain check"
+        uses: boostsecurityio/poutine-action@84c0a0d32e8d57ae12651222be1eb15351429228 # v0.15.2
+        with:
+          format: sarif
+          output: poutine_results.sarif
+          publish_results: true
+
+      - name: Configure as safe directory
+        run: git config --global --add safe.directory /__w/liboqs/liboqs
+
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
-      - name: "Upload artifact"
-        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # pin@v4
+      - name: "Upload poutine artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
-          name: SARIF file
-          path: results.sarif
+          name: Poutine Results SARIF
+          path: poutine_results.sarif
           retention-days: 28
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload ossf artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: OSSF Results SARIF
+          path: ossf_results.sarif
+          retention-days: 28
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to poutine to code-scanning"
+        uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3
+        with:
+          sarif_file: poutine_results.sarif
+
       # Upload the results to GitHub's code scanning dashboard.
-      - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # pin@v3
+      - name: "Upload to ossf to code-scanning"
+        uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v3
         with:
-          sarif_file: results.sarif
+          sarif_file: ossf_results.sarif
diff --git a/.github/workflows/weekly.yml b/.github/workflows/weekly.yml
@@ -12,7 +12,7 @@ jobs:
   # To guarantee Maintained check is occasionally updated. See
   # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
   scorecard:
-    uses: ./.github/workflows/scorecard.yml
+    uses: ./.github/workflows/supplychain.yml
     secrets: inherit
     permissions:
       id-token: write
