feat: add scorecards analysis workflow (#105)

.github/workflows/check-and-release-main.yaml

@@ -5,6 +5,9 @@ on:
   push:
     branches:
     - main
+permissions:
+  contents: read
+
 jobs:
   check:
     name: Check Python ${{ matrix.python }} on ${{ matrix.os }}
@@ -15,9 +18,14 @@ jobs:
         os: [ubuntu-latest, macos-latest, windows-latest]
         python: ['3.9', '3.10']
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
     - name: Set up Python
-      uses: actions/setup-python@v3.1.2
+      uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
       with:
         python-version: ${{ matrix.python }}
     - name: Install dependencies
@@ -33,15 +41,22 @@ jobs:
     - name: Build the docs
       run: make docs
   release:
+    permissions:
+      contents: write  # for relekang/python-semantic-release to push release notes and new commits/tags
     needs: check
     name: Release
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
       with:
         fetch-depth: 0
     - name: Python Semantic Release
-      uses: relekang/python-semantic-release@v7.28.1
+      uses: relekang/python-semantic-release@595352a8fb97f219cb8362e2a13e4f59d8064aa0
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         pypi_token: ''  # We don't publish to PyPi: ${{ secrets.PYPI_TOKEN }}

.github/workflows/codeql-analysis.yaml

@@ -33,11 +33,16 @@ jobs:
         python: ['3.9', '3.10']
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
     - name: Checkout repository
-      uses: actions/checkout@v3
+      uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
 
     - name: Set up Python ${{ matrix.python }}
-      uses: actions/setup-python@v3.1.2
+      uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
       with:
         python-version: ${{ matrix.python }}
     - name: Install dependencies
@@ -47,7 +52,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@c0982d28099e3cb8fd8b37cfd6c2cdfea4531853
       with:
         languages: ${{ matrix.language }}
         config-file: .github/codeql/codeql-config.yaml
@@ -60,4 +65,4 @@ jobs:
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@c0982d28099e3cb8fd8b37cfd6c2cdfea4531853

.github/workflows/pull-request.yaml

@@ -6,19 +6,28 @@
 name: Pull Request
 on:
   pull_request:
-    branches:
-    - '*'
+    branches: [main, staging]
     types:
     - opened
     - edited
     - synchronize
+permissions:
+  contents: read
+
 jobs:
   pr:
+    permissions:
+      pull-requests: read  # for CondeNast/conventional-pull-request-action to get specific PR & list commits
     name: Lint PR title
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
-    - uses: CondeNast/[email protected]
+    - name: Harden Runner
+      uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
+    - uses: CondeNast/conventional-pull-request-action@eef02ae6e88e4b462f39931113b1a75cc275beee
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
@@ -34,9 +43,14 @@ jobs:
         os: [ubuntu-latest, macos-latest, windows-latest]
         python: ['3.9', '3.10']
     steps:
-    - uses: actions/checkout@v3
+    - name: Harden Runner
+      uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
     - name: Set up Python
-      uses: actions/setup-python@v3.1.2
+      uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
       with:
         python-version: ${{ matrix.python }}
     - name: Install dependencies

.github/workflows/release-notifications.yaml

@@ -14,7 +14,12 @@ jobs:
     if: ${{ false }}
     runs-on: ubuntu-latest
     steps:
-    - uses: slackapi/slack-github-action@16b6c78ee73689a627b65332b34e5d409c7299da # v1.18.0
+    - name: Harden Runner
+      uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - uses: slackapi/slack-github-action@16b6c78ee73689a627b65332b34e5d409c7299da
       with:
         payload: |
           {

.github/workflows/scorecards-analysis.yaml

@@ -0,0 +1,59 @@
+name: Scorecards supply-chain security
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  schedule:
+  - cron: 27 20 * * 1
+  push:
+    branches: [main]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@248ae51c2e8cc9622ecf50685c8bf7150c6e8813
+      with:
+        egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
+
+    - name: Checkout code
+      uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
+      with:
+        persist-credentials: false
+
+    - name: Run analysis
+      uses: ossf/scorecard-action@e7a29c14e6b337cf4310c70d1e9cd1565f0e9025
+      with:
+        results_file: results.sarif
+        results_format: sarif
+        # Read-only PAT token. To create it,
+        # follow the steps in https://github.com/ossf/scorecard-action#pat-token-creation.
+        repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
+        # Publish the results to enable scorecard badges. For more details, see
+        # https://github.com/ossf/scorecard-action#publishing-results.
+        # For private repositories, `publish_results` will automatically be set to `false`,
+        # regardless of the value entered here.
+        publish_results: true
+
+    # Upload the results as artifacts (optional).
+    - name: Upload artifact
+      uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+      with:
+        name: SARIF file
+        path: results.sarif
+
+    # Upload the results to GitHub's code scanning dashboard.
+    - name: Upload to code-scanning
+      uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5
+      with:
+        sarif_file: results.sarif

UPSTREAM_README.md

@@ -54,6 +54,8 @@ Automatic package versioning and tagging, publishing to [PyPI](https://pypi.org/
 
 [CodeQL](https://codeql.github.com/) is enabled to scan the Python code for security vulnerabilities. You can adjust the GitHub Actions workflow at `.github/workflows/codeql-analysis.yaml` and the configuration file at `.github/codeql/codeql-config.yaml` to add more languages, change the default paths, scan schedule, and queries.
 
+[OSSF Security Scorecards](https://github.com/ossf/scorecard) is enabled as a GitHub Actions workflow to give the consumers information about the supply-chain security posture of this project, assigning a score of 0-10. We upload the results as a SARIF (Static Analysis Results Interchange Format) artifact after each run and the results can be found at the Security tab of this GitHub project. We also allow publishing the data at OpenSSF. We use this data to continuously improve the security posture of this project. Note that this configuration supports the ``main`` (default) branch and requires the repository to be public and not forked.
+
 Additionally, the [bandit](https://github.com/PyCQA/bandit) tool is being installed as part of a development environment (i.e. the `[dev]` package extra); however, bandit does not run automatically! Instead, you can invoke it manually:
 
 ```bash