Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: address OSSF Scorecard warnings #243

Merged
merged 5 commits into from
May 7, 2024
Merged

ci: address OSSF Scorecard warnings #243

merged 5 commits into from
May 7, 2024

Conversation

alessfg
Copy link
Collaborator

@alessfg alessfg commented May 6, 2024

Proposed changes

This PR aims to:

  • Remediate the Token-Permissions warning/low score by moving the F5 CLA GH Action permissions around.
  • Remediate the Pinned-Dependencies warning/low score by using specific Docker image SHAs and adding Docker image updates to Dependabot.
  • Hopefully remediate the Vulnerabilities warning/low score by recreating package-lock.json.
  • Add both workflow_dispatch and cron builds to the OSSF Scorecard and S3 Gateway GitHub Actions in order to more proactively test changes (and to ensure that the pipelines run at minimum once a week).

Checklist

Before creating a PR, run through this checklist and mark each as complete:

Copy link

github-actions bot commented May 6, 2024

CLA Assistant Lite bot ✅ All required contributors have signed the F5 CLA for this PR. Thank you!

@alessfg alessfg force-pushed the scorecard-tweaks branch 3 times, most recently from d2f55a6 to ba9e0b3 Compare May 6, 2024 17:37
@alessfg
Copy link
Collaborator Author

alessfg commented May 6, 2024

recheck

@alessfg alessfg force-pushed the scorecard-tweaks branch from ba9e0b3 to 0f0c2e1 Compare May 6, 2024 17:43
* remediate the `Token-Permissions` warning/low score by moving the F5 CLA GH Action permissions around
* remediate the `Pinned-Dependencies` warning/low score by using specific Docker image SHAs and adding Docker image updates to Dependabot
* hopefully remediate the `Vulnerabilities` warning/low score by recreating `package-lock.json`
@alessfg alessfg force-pushed the scorecard-tweaks branch from 0f0c2e1 to 83aea5e Compare May 6, 2024 17:47
@alessfg
Copy link
Collaborator Author

alessfg commented May 6, 2024

I have hereby read the F5 CLA and agree to its terms

@alessfg
Copy link
Collaborator Author

alessfg commented May 6, 2024

recheck

@alessfg alessfg requested a review from 4141done May 6, 2024 17:50
@alessfg alessfg self-assigned this May 6, 2024
@alessfg alessfg added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 6, 2024
Copy link
Collaborator

@4141done 4141done left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few things here will break our builds but the other stuff looks good!

Dockerfile.latest-njs Outdated Show resolved Hide resolved
Dockerfile.unprivileged Outdated Show resolved Hide resolved
@@ -1,4 +1,4 @@
FROM nginxinc/nginx-s3-gateway
FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same comment. Also why is this one so long?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The three examples here already pull the image from Docker Hub so including the latest available SHA should be ok?

@@ -1,3 +1,3 @@
FROM nginxinc/nginx-s3-gateway
FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment. This is meant to be built on top of a local tag for the base build. Also pinning this example to some version would probably make the example not a great user experience since you could be wondering why you're stuck on an old version if you haven't clocked the SHA

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See previous comment

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So this just presents a bit of a maintenance issue since we'll have to periodically update these to make sure they don't reference a super old version. Let's leave the SHAs in for now since these have not been tested in a while anyway. I'll add a note in some of the organizational changes we make later to remind folks to update.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dependabot should hopefully take care of Docker SHA updates! 😁

@@ -1,4 +1,4 @@
FROM nginxinc/nginx-s3-gateway
FROM nginxinc/nginx-s3-gateway@sha256:8aa48324479b3653b5936183cc97f2ca1aa9078d229042f1bca357834bd906f4
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment. This is meant to be built on top of a local tag for the base build. Also pinning this example to some version would probably make the example not a great user experience since you could be wondering why you're stuck on an old version if you haven't clocked the SHA

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See previous comment

@alessfg alessfg force-pushed the scorecard-tweaks branch from e3e3901 to 78780cb Compare May 6, 2024 22:31
@alessfg alessfg requested a review from 4141done May 6, 2024 22:32
@alessfg alessfg force-pushed the scorecard-tweaks branch from b5a1d83 to 0bb378d Compare May 7, 2024 01:34
@alessfg alessfg force-pushed the scorecard-tweaks branch from 0bb378d to ecd47d0 Compare May 7, 2024 01:34
alessfg added 2 commits May 7, 2024 09:16
both the Scorecard and the S3 gateway build actions could use from both:
* being able to run the workflow on demand
* running the workflow once a week in case there's been no new builds/PRs in the last week
@alessfg alessfg changed the title ci: address OSS scorecard warnings ci: address OSSF scorecard warnings May 7, 2024
@alessfg alessfg changed the title ci: address OSSF scorecard warnings ci: address OSSF Scorecard warnings May 7, 2024
Copy link
Collaborator

@4141done 4141done left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 🐳 👍

@4141done 4141done merged commit 11c40ff into main May 7, 2024
9 checks passed
@4141done 4141done deleted the scorecard-tweaks branch May 7, 2024 18:53
alessfg added a commit that referenced this pull request May 7, 2024
* remediate the `Token-Permissions` warning/low score by moving the F5 CLA GH Action permissions around

* remediate the `Pinned-Dependencies` warning/low score by using specific Docker image SHAs and adding Docker image updates to Dependabot

* hopefully remediate the `Vulnerabilities` warning/low score by recreating `package-lock.json`

* ci: add `workflow_dispatch` and cron jobs to both the Scorecard and the S3 gateway build actions be able to run the workflow on demand and run the workflow at least once a week in case there's been no new builds/PRs in the last week
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants