ci: address OSSF Scorecard warnings #243
CLA Assistant Lite bot ✅ All required contributors have signed the F5 CLA for this PR. Thank you!
recheck
* remediate the `Token-Permissions` warning/low score by moving the F5 CLA GH Action permissions around
* remediate the `Pinned-Dependencies` warning/low score by using specific Docker image SHAs and adding Docker image updates to Dependabot
* hopefully remediate the `Vulnerabilities` warning/low score by recreating `package-lock.json`
I have hereby read the F5 CLA and agree to its terms
recheck
A few things here will break our builds but the other stuff looks good!
@@ -1,4 +1,4 @@ | |||
FROM nginxinc/nginx-s3-gateway | |||
FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4 |
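Review bot: the new `FROM` line in this hunk repeats the same `@sha256:8aa48324…` digest five times in a row, and an image reference takes exactly one `@sha256:<digest>` suffix, so this Dockerfile will not build as written. Reduce it to a single digest, `FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4`, and consider keeping a tag in front of the digest (`name:tag@sha256:…`) so a reader can see which version the pin corresponds to.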
same comment. Also why is this one so long?
The three examples here already pull the image from Docker Hub so including the latest available SHA should be ok?
@@ -1,3 +1,3 @@ | |||
FROM nginxinc/nginx-s3-gateway | |||
FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4 |
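Review bot: pinning this example's base image to a Docker Hub digest changes what the example builds on; the review discussion says it is meant to extend a locally built tag, and after this change a local build of the gateway is silently replaced by the published image. If the digest stays, make that substitutable, for instance `ARG BASE=nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4` followed by `FROM ${BASE}`, so a local tag can be passed with `--build-arg`, and confirm the Dependabot `docker` configuration actually covers this example's directory, otherwise the digest will go stale.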
Same comment. This is meant to be built on top of a local tag for the base build. Also pinning this example to some version would probably make the example not a great user experience since you could be wondering why you're stuck on an old version if you haven't clocked the SHA
See previous comment
So this just presents a bit of a maintenance issue since we'll have to periodically update these to make sure they don't reference a super old version. Let's leave the SHAs in for now since these have not been tested in a while anyway. I'll add a note in some of the organizational changes we make later to remind folks to update.
Dependabot should hopefully take care of Docker SHA updates! 😁
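For the Dependabot side of the `Pinned-Dependencies` fix, an added illustration of the kind of `.github/dependabot.yml` that keeps `FROM image@sha256:…` digests current (this is not the repository's own file; the example directory name is an assumption):

```yaml
# .github/dependabot.yml (added illustration, not the repository's own file;
# the example directory name below is assumed, the real ones may differ)
version: 2
updates:
  # Keep the `FROM image@sha256:...` digest in the root Dockerfile current.
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
      interval: "weekly"

  # Dependabot only scans the directory named in each entry, so every example
  # that carries its own pinned Dockerfile needs its own entry, or its digest
  # silently goes stale while the root one keeps moving.
  - package-ecosystem: "docker"
    directory: "/examples/example-a"   # assumed path
    schedule:
      interval: "weekly"

  # Pin the `uses:` lines in workflows to commit SHAs and let Dependabot bump them.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"

  # Covers the regenerated package-lock.json (the `Vulnerabilities` check).
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
```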
@@ -1,4 +1,4 @@ | |||
FROM nginxinc/nginx-s3-gateway | |||
FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4 |
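Review bot: this is the third example Dockerfile pinned to the identical `sha256:8aa48324…` digest, which means the three pins will only stay consistent if each example directory gets its own Dependabot `docker` entry (or is otherwise updated together); if only the root Dockerfile is covered, the examples will drift to an older image than the one the project publishes. Either keep the pins in lockstep via Dependabot or, as the earlier comments suggest, leave the examples building on the local tag rather than a fixed published digest.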
Same comment. This is meant to be built on top of a local tag for the base build. Also pinning this example to some version would probably make the example not a great user experience since you could be wondering why you're stuck on an old version if you haven't clocked the SHA
See previous comment
both the Scorecard and the S3 gateway build actions could use both:
* being able to run the workflow on demand
* running the workflow once a week in case there's been no new builds/PRs in the last week
👍 🐳 👍
* remediate the `Token-Permissions` warning/low score by moving the F5 CLA GH Action permissions around
* remediate the `Pinned-Dependencies` warning/low score by using specific Docker image SHAs and adding Docker image updates to Dependabot
* hopefully remediate the `Vulnerabilities` warning/low score by recreating `package-lock.json`
* ci: add `workflow_dispatch` and cron jobs to both the Scorecard and the S3 gateway build actions to be able to run the workflow on demand and run the workflow at least once a week in case there's been no new builds/PRs in the last week
Proposed changes
This PR aims to:
* Remediate the `Token-Permissions` warning/low score by moving the F5 CLA GH Action permissions around.
* Remediate the `Pinned-Dependencies` warning/low score by using specific Docker image SHAs and adding Docker image updates to Dependabot.
* Remediate the `Vulnerabilities` warning/low score by recreating `package-lock.json`.
* Add `workflow_dispatch` and `cron` builds to the OSSF Scorecard and S3 Gateway GitHub Actions in order to more proactively test changes (and to ensure that the pipelines run at minimum once a week).
Checklist
Before creating a PR, run through this checklist and mark each as complete:
README.md
).