From 7e295f138f6a8e8d141edb66aaa1b6eb4dd7563a Mon Sep 17 00:00:00 2001
From: Carlos Tadeu Panato Junior
Date: Mon, 25 Oct 2021 21:43:47 +0200
Subject: [PATCH] Scorecard improvements (#949)
* build sget image and push for the ci repo
Signed-off-by: Carlos Panato
* add permissions based on the scorecard report
{ "details": [ "Warn: no permission defined: .github/workflows/build.yaml:1", "Warn: no permission defined: .github/workflows/codeql-analysis.yml:1" ], "score": -1, "reason": "internal error: yaml.Unmarshal: yaml: unmarshal errors:\n line 1: cannot unmarshal !!str `-----BE...` into map[interface {}]interface {}", "name": "Token-Permissions", "documentation": { "url": "https://github.com/ossf/scorecard/blob/6c1c789dc5b05cde492334f57b53807c786b038a/docs/checks.md#token-permissions", "short": "Determines if the project's workflows follow the principle of least privilege." } }
Signed-off-by: Carlos Panato
---
 .github/workflows/build.yaml | 4 ++++
 .github/workflows/codeql-analysis.yml | 2 ++
 .github/workflows/cross.yaml | 2 ++
 .github/workflows/donotsubmit.yaml | 2 ++
 .github/workflows/e2e_tests.yml | 2 ++
 .github/workflows/kind-e2e-cosigned.yaml | 3 +++
 .github/workflows/style.yaml | 4 +++-
 .github/workflows/tests.yaml | 2 ++
 .github/workflows/verify-docgen.yaml | 2 ++
 .github/workflows/whitespace.yaml | 2 ++
 Makefile | 9 +++++++++
 11 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index a0d23f8c1e4..6766ab387e9 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -21,6 +21,8 @@ on:
 - main
 - release-*
+permissions: read-all
+
 jobs:
 build:
 name: build
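Review bot: `permissions: read-all` at the top of build.yaml still hands the job token read access to every scope (packages, deployments, security-events, and so on), while a checkout-and-build job normally needs only the repository contents; the least-privilege form is `permissions:` / `  contents: read`. The same identical addition appears in codeql-analysis.yml, cross.yaml, donotsubmit.yaml, e2e_tests.yml, kind-e2e-cosigned.yaml, style.yaml, tests.yaml, verify-docgen.yaml and whitespace.yaml, so the tightening applies to all of them. The build job's steps lie outside this hunk; if any of them relies on the token for a write (for example `id-token: write` for keyless signing), that job needs its own job-level `permissions:` block, since the workflow-level default now removes every write scope.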
@@ -52,3 +54,5 @@ jobs:
 run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-container
 - name: cosigned
 run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-cosigned
+ - name: sget
+ run: echo -n "${{secrets.COSIGN_PASSWORD}}" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-sget
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index fc24bb9b073..fc18dbe44be 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -19,6 +19,8 @@ on:
 push:
 branches: [ main ]
+permissions: read-all
+
 jobs:
 analyze:
 name: Analyze
diff --git a/.github/workflows/cross.yaml b/.github/workflows/cross.yaml
index 3d2162b23ca..2af4d4d7f1c 100644
--- a/.github/workflows/cross.yaml
+++ b/.github/workflows/cross.yaml
@@ -5,6 +5,8 @@ on:
 - release-*
 pull_request:
+permissions: read-all
+
 name: Cross
 jobs:
 sanity-build:
diff --git a/.github/workflows/donotsubmit.yaml b/.github/workflows/donotsubmit.yaml
index 86aa6bbd044..cf29f8e46a0 100644
--- a/.github/workflows/donotsubmit.yaml
+++ b/.github/workflows/donotsubmit.yaml
@@ -4,6 +4,8 @@ on:
 pull_request:
 branches: [ 'main', 'release-*' ]
+permissions: read-all
+
 jobs:
 donotsubmit:
diff --git a/.github/workflows/e2e_tests.yml b/.github/workflows/e2e_tests.yml
index 7864a845d56..ba4006a3c92 100644
--- a/.github/workflows/e2e_tests.yml
+++ b/.github/workflows/e2e_tests.yml
@@ -18,6 +18,8 @@ name: e2e-tests
 # Run on every push, and allow it to be run manually.
 on: [push, workflow_dispatch]
+permissions: read-all
+
 jobs:
 e2e-tests:
 # Skip if running in a fork that might not have secrets configured.
diff --git a/.github/workflows/kind-e2e-cosigned.yaml b/.github/workflows/kind-e2e-cosigned.yaml
index 448933b1642..c322ad1eb7f 100644
--- a/.github/workflows/kind-e2e-cosigned.yaml
+++ b/.github/workflows/kind-e2e-cosigned.yaml
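Review bot: The new sget step interpolates `${{secrets.COSIGN_PASSWORD}}` straight into the `run:` shell text, copying the pattern of the two existing steps; GitHub's hardening guidance is to pass expression values through `env:` so the value is never substituted into the script and quoting cannot break on special characters in the secret. For this step that is `env:` / `  COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}` with `run: echo -n "$COSIGN_PASSWORD" | KO_PREFIX=gcr.io/projectsigstore/cosign/ci make sign-sget`, and the sign-container and cosigned steps would benefit from the same treatment. The enclosing build job starts outside the hunk.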
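Review bot: With `permissions: read-all` now set at the workflow level in codeql-analysis.yml, the analyze job cannot upload its results unless it overrides the default: `github/codeql-action/analyze` needs `security-events: write` to post SARIF to code scanning, and the whole run will fail at that step. The analyze job's body is outside this hunk, so if it already declares its own `permissions:` block this is covered; otherwise add a job-level `permissions:` / `  contents: read` / `  security-events: write`, which keeps the workflow default read-only while granting the one write the action requires.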
@@ -18,10 +18,13 @@ on:
 pull_request:
 branches: [ 'main', 'release-*' ]
+permissions: read-all
+
 jobs:
 e2e-tests:
 name: e2e tests
 runs-on: ubuntu-latest
+
 strategy:
 fail-fast: false # Keep running if one leg fails.
 matrix:
diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml
index 42dfdb4bace..33869c72849 100644
--- a/.github/workflows/style.yaml
+++ b/.github/workflows/style.yaml
@@ -4,11 +4,13 @@ on:
 pull_request:
 branches: [ 'main', 'release-*' ]
-jobs:
+permissions: read-all
+jobs:
 autoformat:
 name: Auto-format and Check
 runs-on: ubuntu-latest
+
 strategy:
 fail-fast: false # Keep running if one leg fails.
 matrix:
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
index 183430fbfbd..053a798e5a7 100644
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@@ -20,6 +20,8 @@ on:
 branches: ['main', 'release-*']
 pull_request:
+permissions: read-all
+
 jobs:
 unit-tests:
 name: Run tests
diff --git a/.github/workflows/verify-docgen.yaml b/.github/workflows/verify-docgen.yaml
index f5f7fd63aac..4c346bf0082 100644
--- a/.github/workflows/verify-docgen.yaml
+++ b/.github/workflows/verify-docgen.yaml
@@ -21,6 +21,8 @@ on:
 branches: ['main', 'release-*']
 pull_request:
+permissions: read-all
+
 jobs:
 docgen:
 name: Verify Docgen
diff --git a/.github/workflows/whitespace.yaml b/.github/workflows/whitespace.yaml
index 8c7ce8b5b2c..f06982c8b14 100644
--- a/.github/workflows/whitespace.yaml
+++ b/.github/workflows/whitespace.yaml
@@ -4,6 +4,8 @@ on:
 pull_request:
 branches: [ 'main', 'release-*' ]
+permissions: read-all
+
 jobs:
 whitespace:
diff --git a/Makefile b/Makefile
index 7349268f916..fb72cede094 100644
--- a/Makefile
+++ b/Makefile
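Review bot: In style.yaml the hunk deletes the `jobs:` line and re-adds it directly under `permissions: read-all`, which drops the blank separator that every other workflow in this change keeps between the two top-level keys and turns a pure insertion into a delete-plus-add. Keeping `jobs:` as a context line and inserting `permissions: read-all` followed by a blank line above it yields the same YAML with a smaller diff that matches the sibling workflows. The extra blank line added after `runs-on: ubuntu-latest` here and in kind-e2e-cosigned.yaml is unrelated to the permissions change and could be left out.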
@@ -99,6 +99,11 @@ ko:
 --tags $(GIT_VERSION) --tags $(GIT_HASH) \
 github.com/sigstore/cosign/cmd/cosign/webhook
+ # sget
+ KO_DOCKER_REPO=${KO_PREFIX}/sget CGO_ENABLED=0 GOFLAGS="-ldflags=-X=$(PKG).gitCommit=$(GIT_HASH)" ko publish --bare \
+ --tags $(GIT_VERSION) --tags $(GIT_HASH) \
+ github.com/sigstore/cosign/cmd/sget
+
 .PHONY: ko-local
 ko-local:
 # We can't pass more than one LDFLAG via GOFLAGS, you can't have spaces in there.
@@ -114,6 +119,10 @@ sign-container: ko
 sign-cosigned:
 cosign sign --key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/cosigned:$(GIT_HASH)
+.PHONY: sign-sget
+sign-sget:
+ cosign sign --key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/sget:$(GIT_HASH)
+
 # used when releasing together with GCP CloudBuild
 .PHONY: release
 release:
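Review bot: `sign-sget` in the second hunk is the third verbatim copy of the `cosign sign --key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ...` recipe, differing from `sign-container` and `sign-cosigned` only in the image name; a single pattern rule `sign-%:` with the recipe `cosign sign --key .github/workflows/cosign.key -a GIT_HASH=$(GIT_HASH) ${KO_PREFIX}/$*:$(GIT_HASH)` would serve all three and any image added later, while `sign-container: ko` can keep its explicit prerequisite as a separate dependency-only line. Note that the hunk header shows `sign-container` depending on `ko`, whereas `sign-sget`, like `sign-cosigned`, declares no prerequisite, so running it on its own signs whatever `${KO_PREFIX}/sget:$(GIT_HASH)` already exists in the registry rather than the image just built; if that is intentional because CI always runs `ko` first, a one-line comment saying so would help. The `ko` target's body continues outside the first hunk.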