ci: reuse Scorecard workflow (#639)

statnett · Oct 10, 2023 · 02a3ad1 · 02a3ad1
1 parent eb240ec
commit 02a3ad1
Show file tree

Hide file tree

Showing 11 changed files with 39 additions and 83 deletions.
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
@@ -6,6 +6,7 @@ on:
       - main
     tags:
       - v*
+
 permissions:
   contents: read
 env:

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -8,6 +8,7 @@ on:
 concurrency:
   group: ci-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
+
 permissions:
   contents: read
 jobs:

diff --git a/.github/workflows/clean-ghcr.yaml b/.github/workflows/clean-ghcr.yaml
@@ -5,6 +5,8 @@ on:
     - cron: "0 1 * * *"  # every day at midnight
   workflow_dispatch:
 
+permissions:
+  contents: read
 jobs:
   trigger:
     uses: statnett/workflows/.github/workflows/clean-ghcr.yaml@main

diff --git a/.github/workflows/clear-cache.yaml b/.github/workflows/clear-cache.yaml
@@ -2,10 +2,13 @@
 name: Clear cache
 on:
   workflow_dispatch:
+
 permissions:
-  actions: write
+  contents: read
 jobs:
   clear-cache:
+    permissions:
+      actions: write
     runs-on: ubuntu-latest
     steps:
       - name: Clear cache

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -10,6 +10,8 @@ on:
   schedule:
     - cron: "0 0 * * 1"
 
+permissions:
+  contents: read
 jobs:
   trigger:
     uses: statnett/github-workflows/.github/workflows/codeql.yaml@main

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -1,17 +1,10 @@
-# Dependency Review Action
-#
-# This Action will scan dependency manifest files that change as part of a Pull Request,
-# surfacing known-vulnerable versions of the packages declared or updated in the PR.
-# Once installed, if the workflow run is marked as required,
-# PRs introducing known-vulnerable packages will be blocked from merging.
-#
-# Source repository: https://github.com/actions/dependency-review-action
-name: 'Dependency Review'
-on: [pull_request]
+---
+name: Dependency Review
+on:
+  pull_request:
 
 permissions:
   contents: read
-
 jobs:
   dependency-review:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -4,6 +4,7 @@ on:
   release:
     types:
       - published
+
 permissions:
   contents: read
 env:

diff --git a/.github/workflows/lint-pr.yml b/.github/workflows/lint-pr.yml
@@ -7,6 +7,8 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
 jobs:
   trigger:
     uses: statnett/github-workflows/.github/workflows/lint-pr.yaml@main

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -6,6 +6,8 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
 jobs:
   trigger:
     uses: statnett/github-workflows/.github/workflows/release-please.yaml@main

diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
@@ -0,0 +1,20 @@
+---
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: "20 7 * * 2"
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+jobs:
+  trigger:
+    uses: statnett/github-workflows/.github/workflows/scorecard.yaml@main
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,6 +6,7 @@ on: @@
           - main
         tags:
           - v*
     permissions:
       contents: read
     env:
@@ Expand Down @@