diff --git a/checks/permissions_test.go b/checks/permissions_test.go
index 0b06e0628f8..5ba90f2545e 100644
--- a/checks/permissions_test.go
+++ b/checks/permissions_test.go
@@ -280,7 +280,7 @@ func TestGithubTokenPermissions(t *testing.T) {
 },
 },
 {
- name: "release workflow contents write semantic-release",
+ name: "release workflow contents write semantic-release with npx",
 filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release.yaml"},
 expected: scut.TestReturn{
 Error: nil,
@@ -290,6 +290,28 @@ func TestGithubTokenPermissions(t *testing.T) {
 NumberOfDebug: 4,
 },
 },
+ {
+ name: "release workflow contents write semantic-release with yarn command",
+ filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release-yarn.yaml"},
+ expected: scut.TestReturn{
+ Error: nil,
+ Score: checker.MaxResultScore,
+ NumberOfWarn: 0,
+ NumberOfInfo: 2,
+ NumberOfDebug: 4,
+ },
+ },
+ {
+ name: "release workflow contents write semantic-release with pnpm and dlx",
+ filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release-pnpm.yaml"},
+ expected: scut.TestReturn{
+ Error: nil,
+ Score: checker.MaxResultScore,
+ NumberOfWarn: 0,
+ NumberOfInfo: 2,
+ NumberOfDebug: 4,
+ },
+ },
 {
 name: "package workflow write",
 filenames: []string{"./testdata/.github/workflows/github-workflow-permissions-packages-writes.yaml"},
diff --git a/checks/raw/permissions.go b/checks/raw/permissions.go
index c80e45fdeab..540fe4be223 100644
--- a/checks/raw/permissions.go
+++ b/checks/raw/permissions.go
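Review bot: The two added cases are labelled by package manager, but the fixture each one points at runs the other tool: `...-release-semantic-release-pnpm.yaml` (added further down in this diff) contains `run: yarn -s semantic-release`, while `...-release-semantic-release-yarn.yaml` contains `run: pnpm dlx semantic-release`. Both cases still pass because either string satisfies the widened `(npx|pnpm|yarn).*semantic-release` matcher, so the swap is invisible to the test, and a future regression in one alternative would be reported under the other manager's name. Swap the two `run:` lines (or the two filenames) so each case exercises the tool its name claims; the same mix-up applies to both new-file hunks below. `TestGithubTokenPermissions` starts and ends outside the hunk.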
@@ -473,7 +473,7 @@ func isReleasingWorkflow(workflow *actionlint.Workflow, fp string, pdata *permis
 // Commonly JavaScript packages, but supports multiple ecosystems
 Steps: []*fileparser.JobMatcherStep{
 {
- Run: "npx.*semantic-release",
+ Run: "(npx|pnpm|yarn).*semantic-release",
 },
 },
 LogText: "candidate publishing workflow using semantic-release",
diff --git a/checks/testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release-pnpm.yaml b/checks/testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release-pnpm.yaml
new file mode 100644
index 00000000000..b2fb0a572c6
--- /dev/null
+++ b/checks/testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release-pnpm.yaml
@@ -0,0 +1,29 @@
+# Copyright 2022 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: semantic-release release workflow
+on: [push]
+permissions:
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v3
+ - name: semantic-release
+ run: yarn -s semantic-release
+ with:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
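Review bot: The widened `Run: "(npx|pnpm|yarn).*semantic-release"` is unanchored on both sides and its `.*` can span the whole script, so any run step that starts with one of those tools and mentions semantic-release anywhere later (a `yarn build && echo 'semantic-release disabled'` step, for instance) is tagged as a candidate publishing workflow; if that tag is what softens the `contents: write` finding, as the `LogText` line suggests, over-matching enlarges the set of workflows that get the lenient treatment. Allowing only flags or `dlx`/`exec`/`run` between the tool and the package name keeps the three fixtures in this diff matching while rejecting unrelated scripts, e.g. `Run: "(npx|pnpm|yarn)(\\s+(dlx|exec|run|-\\S+))*\\s+semantic-release"`, at the cost of an explicit alternative for flags that take a value. The field is a Go interpreted string, so the backslashes need doubling unless it is switched to a raw string literal; how the pattern is compiled is not visible here. `isReleasingWorkflow` starts and ends outside the hunk.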
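Review bot: The `with:` block under the `run:` step at the end of the new file is not how a shell step receives values — `with:` is the input map for `uses:` actions, and actionlint (which this check appears to parse with, given the `*actionlint.Workflow` parameter in the previous hunk) may report a step that combines `run` and `with`; a real semantic-release step passes `GITHUB_TOKEN` and `NPM_TOKEN` through `env:`. Renaming the key to `env:` keeps the fixture a workflow GitHub would actually run, so the permission heuristics are exercised on realistic input. The `...-yarn.yaml` fixture in the next hunk has the same shape.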
diff --git a/checks/testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release-yarn.yaml b/checks/testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release-yarn.yaml
new file mode 100644
index 00000000000..b3f5bdfdd12
--- /dev/null
+++ b/checks/testdata/.github/workflows/github-workflow-permissions-contents-writes-release-semantic-release-yarn.yaml
@@ -0,0 +1,29 @@
+# Copyright 2022 Security Scorecard Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: semantic-release release workflow
+on: [push]
+permissions:
+
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ steps:
+ - uses: actions/checkout@v3
+ - name: semantic-release
+ run: pnpm dlx semantic-release
+ with:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ NPM_TOKEN: ${{ secrets.NPM_TOKEN }}