Bump github/codeql-action from 4.36.1 to 4.36.2 #72
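# Supply-chain security checks for the repository:
#   - Semgrep secret scanning (every push/PR)
#   - OSV-Scanner dependency vulnerability scan (not on PRs)
#   - OpenSSF Scorecard (not on PRs)
# Every third-party action is pinned to a full commit SHA; the trailing
# "# vX.Y.Z" comment on each `uses:` line is what Dependabot tracks.
name: Supply Chain Security

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    - cron: "11 04 * * 1"  # weekly, Monday 04:11 UTC
  workflow_dispatch:

# Workflow-level token is read-only; jobs that need more escalate
# explicitly in their own `permissions:` block.
permissions:
  actions: read
  contents: read

# One run per workflow+ref; a newer push cancels the in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  semgrep:
    name: Semgrep Secrets
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # upload-sarif needs this to write to code scanning
    steps:
      # Egress auditing, consistent with the scorecard job below. Audit mode
      # only records outbound connections; it does not block any.
      - name: Harden runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false  # do not leave the token in .git/config
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.x"
      # NOTE(review): semgrep is installed unpinned from PyPI, so each run
      # takes the latest release. Unlike the SHA-pinned actions above this is
      # a moving target; consider pinning a version (and hashes) here.
      - name: Install Semgrep
        run: python -m pip install --upgrade semgrep
      - name: Run Semgrep
        run: |
          semgrep scan \
            --metrics=off \
            --config p/secrets \
            --sarif \
            --output semgrep.sarif \
            .
      # Upload only when a SARIF file exists and the token can write security
      # events: pull requests from forks run with a read-only token, so the
      # upload is skipped for them instead of failing the job.
      - name: Upload Semgrep SARIF
        if: always() && hashFiles('semgrep.sarif') != '' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          sarif_file: semgrep.sarif
          category: semgrep

  osv-scanner:
    name: OSV-Scanner
    # Skipped on pull requests; the job-level `if:` also means the SARIF
    # upload below never runs with a fork's read-only token.
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # upload-sarif needs this to write to code scanning
    steps:
      # Egress auditing, consistent with the scorecard job below.
      - name: Harden runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false  # do not leave the token in .git/config
      - name: Set up Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
          go-version: "1.26.x"
          cache: false
      # NOTE(review): `@latest` resolves to whatever the newest module version
      # is at run time; pin a version tag here for reproducible scans.
      - name: Install OSV-Scanner
        run: go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
      # `set +e` keeps a non-zero scanner exit from aborting the step; the exit
      # status is recorded as a step output and evaluated after the SARIF has
      # been uploaded, so findings are never lost because the job failed early.
      - name: Run OSV-Scanner
        id: osv
        run: |
          set +e
          "$(go env GOPATH)/bin/osv-scanner" scan --recursive --format sarif --output-file osv.sarif .
          status=$?
          echo "status=$status" >> "$GITHUB_OUTPUT"
          exit 0
      - name: Upload OSV SARIF
        if: always() && hashFiles('osv.sarif') != ''
        uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
        with:
          sarif_file: osv.sarif
          category: osv-scanner
      # Any non-zero status fails the job: vulnerabilities found as well as
      # scanner errors, so a broken scan cannot pass silently.
      - name: Fail on OSV vulnerabilities
        if: steps.osv.outputs.status != '0'
        env:
          OSV_STATUS: ${{ steps.osv.outputs.status }}
        run: |
          echo "OSV-Scanner exited with status ${OSV_STATUS}" >&2
          exit 1

  scorecard:
    name: OpenSSF Scorecard
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # required by scorecard-action when publish_results is true
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false  # do not leave the token in .git/config
      - name: Run Scorecard
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: scorecard.json
          results_format: json
          publish_results: true
      # Results are kept as a short-lived build artifact rather than uploaded
      # to code scanning, which is why this job needs no security-events: write.
      - name: Upload Scorecard artifact
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: scorecard-results
          path: scorecard.json
          retention-days: 5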