Scorecard improvements (#949)

* build sget image and push for the ci repo Signed-off-by: Carlos Panato <[email protected]> * add permissions based on the scorecard report { "details": [ "Warn: no permission defined: .github/workflows/build.yaml:1", "Warn: no permission defined: .github/workflows/codeql-analysis.yml:1" ], "score": -1, "reason": "internal error: yaml.Unmarshal: yaml: unmarshal errors:\n line 1: cannot unmarshal !!str `-----BE...` into map[interface {}]interface {}", "name": "Token-Permissions", "documentation": { "url": "https://github.com/ossf/scorecard/blob/6c1c789dc5b05cde492334f57b53807c786b038a/docs/checks.md#token-permissions", "short": "Determines if the project's workflows follow the principle of least privilege." } } Signed-off-by: Carlos Panato <[email protected]>
sigstore · Oct 25, 2021 · 7e295f1 · 7e295f1
1 parent be6ab36
commit 7e295f1
Show file tree

Hide file tree

Showing 11 changed files with 33 additions and 1 deletion.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -21,6 +21,8 @@ on:
       - main
       - release-*
 
+permissions: read-all
+
 jobs:
   build:
     name: build
@@ -52,3 +54,5 @@ jobs:
         run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-container
       - name: cosigned
         run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-cosigned
+      - name: sget
+        run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-sget
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -19,6 +19,8 @@ on:
   push:
     branches: [ main ]
 
+permissions: read-all
+
 jobs:
   analyze:
     name: Analyze

diff --git a/.github/workflows/cross.yaml b/.github/workflows/cross.yaml
@@ -5,6 +5,8 @@ on:
       - release-*
   pull_request:
 
+permissions: read-all
+
 name: Cross
 jobs:
   sanity-build:

diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml
@@ -4,6 +4,8 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions: read-all
+
 jobs:
 
   donotsubmit:

diff --git a/.github/workflows/e2e_tests.yml b/.github/workflows/e2e_tests.yml
@@ -18,6 +18,8 @@ name: e2e-tests
 # Run on every push, and allow it to be run manually.
 on: [push, workflow_dispatch]
 
+permissions: read-all
+
 jobs:
   e2e-tests:
     # Skip if running in a fork that might not have secrets configured.

diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml
@@ -18,10 +18,13 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions: read-all
+
 jobs:
   e2e-tests:
     name: e2e tests
     runs-on: ubuntu-latest
+
     strategy:
       fail-fast: false # Keep running if one leg fails.
       matrix:

diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml
@@ -4,11 +4,13 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
-jobs:
+permissions: read-all
 
+jobs:
   autoformat:
     name: Auto-format and Check
     runs-on: ubuntu-latest
+
     strategy:
       fail-fast: false # Keep running if one leg fails.
       matrix:

diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -20,6 +20,8 @@ on:
     branches: ['main', 'release-*']
   pull_request:
 
+permissions: read-all
+
 jobs:
   unit-tests:
     name: Run tests

diff --git a/.github/workflows/verify-docgen.yaml b/.github/workflows/verify-docgen.yaml
@@ -21,6 +21,8 @@ on:
     branches: ['main', 'release-*']
   pull_request:
 
+permissions: read-all
+
 jobs:
   docgen:
     name: Verify Docgen

diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml
@@ -4,6 +4,8 @@ on:
   pull_request:
     branches: [ 'main', 'release-*' ]
 
+permissions: read-all
+
 jobs:
 
   whitespace:

diff --git a/Makefile b/Makefile
@@ -99,6 +99,11 @@ ko:
 		--tags $(GIT_VERSION) --tags $(GIT_HASH) \
 		github.com/sigstore/cosign/cmd/cosign/webhook
 
+	# sget
+	KO_DOCKER_REPO=${KO_PREFIX}/sget CGO_ENABLED=0 GOFLAGS="-ldflags=-X=$(PKG).gitCommit=$(GIT_HASH)" ko publish --bare \
+		--tags $(GIT_VERSION) --tags $(GIT_HASH) \
+		github.com/sigstore/cosign/cmd/sget
+
 .PHONY: ko-local
 ko-local:
 	# We can't pass more than one LDFLAG via GOFLAGS, you can't have spaces in there.
@@ -114,6 +119,10 @@ sign-container: ko
 sign-cosigned:
 	cosign sign --key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosigned:$(GIT_HASH)
 
+.PHONY: sign-sget
+sign-sget:
+	cosign sign --key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/sget:$(GIT_HASH)
+
 # used when releasing together with GCP CloudBuild
 .PHONY: release
 release: