Skip to content

Bump the github-actions group across 1 directory with 7 updates #104

Bump the github-actions group across 1 directory with 7 updates

Bump the github-actions group across 1 directory with 7 updates #104

name: Supply Chain Security
on:
push:
branches:
- main
pull_request:
branches:
- main
schedule:
- cron: "11 04 * * 1"
workflow_dispatch:
permissions:
actions: read
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
semgrep:
name: Semgrep Secrets
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Set up Python
uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0
with:
python-version: "3.x"
- name: Install Semgrep
run: python -m pip install --upgrade semgrep
- name: Run Semgrep
run: |
semgrep scan \
--metrics=off \
--config p/secrets \
--sarif \
--output semgrep.sarif \
.
- name: Upload Semgrep SARIF
if: always() && hashFiles('semgrep.sarif') != '' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
sarif_file: semgrep.sarif
category: semgrep
osv-scanner:
name: OSV-Scanner
if: github.event_name != 'pull_request'
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version: "1.26.x"
cache: false
- name: Install OSV-Scanner
run: go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
- name: Run OSV-Scanner
id: osv
run: |
set +e
"$(go env GOPATH)/bin/osv-scanner" scan --recursive --format sarif --output-file osv.sarif .
status=$?
echo "status=$status" >> "$GITHUB_OUTPUT"
exit 0
- name: Upload OSV SARIF
if: always() && hashFiles('osv.sarif') != ''
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4.36.3
with:
sarif_file: osv.sarif
category: osv-scanner
- name: Fail on OSV vulnerabilities
if: steps.osv.outputs.status != '0'
env:
OSV_STATUS: ${{ steps.osv.outputs.status }}
run: |
echo "OSV-Scanner exited with status ${OSV_STATUS}" >&2
exit 1
scorecard:
name: OpenSSF Scorecard
if: github.event_name != 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- name: Harden runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Run Scorecard
uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
with:
results_file: scorecard.json
results_format: json
publish_results: true
- name: Upload Scorecard artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: scorecard-results
path: scorecard.json
retention-days: 5