feat: add scorecard and branch-target-check workflows#69

Merged
Sandy-at-Tazama merged 1 commit into dev from feat/add-scorecard-workflow
Apr 5, 2026

Conversation

@Justus-at-Tazama
Contributor

Summary

Mirror of tazama-lf/workflows#33.

Changes

scorecard.yml — OSSF Scorecard supply-chain security workflow

  • Triggers: push to [main, dev], weekly schedule, branch_protection_rule
  • publish_results=true only on main / schedule / branch-protection events — dev-branch runs score without overwriting the badge
  • Pinned commit SHAs: actions/checkout@v6.0.2, ossf/scorecard-action@v2.4.3, actions/upload-artifact@v7.0.0, github/codeql-action/upload-sarif@v4.34.1
  • No PUBLISH_REPOS exclusion needed — all repos in frmscoe are service/rule repos

branch-target-check.yml — PR base-branch enforcement

  • Fails immediately with an actionable error if a PR targets main from any branch other than dev or release/v<N>.*
  • Rejects bare release/v (no version number) via release/v[0-9]* glob
  • Provides gh pr edit --base dev hint in the error message
  • github.head_ref passed via env: to prevent expression injection

- Add canonical scorecard.yml (OSSF Scorecard supply-chain security):
  - Triggers: push/[main,dev], schedule (weekly), branch_protection_rule
  - publish_results=true only on main/schedule/branch_protection_rule
  - Pinned to latest SHAs: checkout v6.0.2, scorecard-action v2.4.3,
    upload-artifact v7.0.0, codeql-action/upload-sarif v4.34.1
  - All rule repos receive this file (no exclusions needed in frmscoe)
- Add branch-target-check.yml:
  - Enforces dev->main and release/v<N>.*->main PR targets
  - Rejects bare release/v (no version number) via release/v[0-9]* glob
  - Fails with actionable message and gh pr edit --base dev hint
  - Copies to all repos (no exclusion needed)
  - Fixed github.head_ref injection risk (passed via env var)

Mirror of tazama-lf/workflows#33
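The base-branch rule described in the PR body (only dev or release/v<N>.* may target main, bare release/v rejected by the release/v[0-9]* glob, head_ref handed in through env: rather than interpolated into the script), written out as a stand-alone shell function so it can be exercised locally. This is an added example, not the branch-target-check.yml shipped by the tazama-lf or frmscoe workflows repos; the function name check_branch_target, the BASE_REF/HEAD_REF variable names and the sample branch names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the project's workflow. In the real job the two inputs
# would be supplied as environment variables on the step, e.g.
#   env:
#     BASE_REF: ${{ github.base_ref }}
#     HEAD_REF: ${{ github.head_ref }}
# so a hostile branch name reaches the shell as data in a variable and is never
# pasted into the script text, which is what "expression injection" refers to.

# check_branch_target BASE HEAD
# Exit status 0 when the PR may proceed, 1 when it must be retargeted.
check_branch_target() {
    base="$1"
    head="$2"

    # Only PRs whose base is main are restricted; everything else passes.
    if [ "$base" != "main" ]; then
        return 0
    fi

    case "$head" in
        dev)
            return 0 ;;
        release/v[0-9]*)
            # The [0-9] demands a digit after "v": release/v2.1 matches,
            # bare release/v and release/vnext do not.
            return 0 ;;
        *)
            printf 'error: PRs into main must come from dev or release/v<N>.*; head branch is "%s"\n' "$head" >&2
            printf 'hint: retarget with: gh pr edit --base dev\n' >&2
            return 1 ;;
    esac
}

# Demo over constructed branch names (not taken from any real repo). The last
# one is shaped like shell syntax; because it only ever lives in a quoted
# variable it is compared as a string, not executed.
run_demo() {
    for ref in dev release/v2.1 release/v release/vnext 'feature/x"; echo pwned; "'; do
        if check_branch_target main "$ref" 2>/dev/null; then
            echo "allow  main <- $ref"
        else
            echo "reject main <- $ref"
        fi
    done
}

run_demo
```

To use it inside a workflow step, call check_branch_target "$BASE_REF" "$HEAD_REF" and let the non-zero exit fail the job; the error text already carries the gh pr edit hint the PR mentions.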
@github-actions github-actions Bot added the enhancement New feature or request label Apr 4, 2026
@Sandy-at-Tazama Sandy-at-Tazama self-requested a review April 5, 2026 07:01
@Sandy-at-Tazama Sandy-at-Tazama merged commit 79c335c into dev Apr 5, 2026
2 checks passed
@Sandy-at-Tazama Sandy-at-Tazama deleted the feat/add-scorecard-workflow branch April 5, 2026 07:02
Justus-at-Tazama added a commit that referenced this pull request Apr 8, 2026
Applies all changes from tazama-lf/workflows PR #76 (workflow audit fixes - batch 1)
to frmscoe/workflows. Changes are synced verbatim from the canonical source.

- fix(njsscan): fix SARIF upload guard, category, upgrade upload-sarif v4 (#68)
- fix(gpg-verify): make curl error handler reachable under bash -e (#69)
- fix(dco-check, gpg-verify): replace mutable branch refs with immutable SHAs (#70)
- fix(package-rule): add ref guard to prevent push from non-canonical branches (#71)
- fix(gpg-verify): rename workflow to Signature Verify, update header comment (#72)
- fix(package-rule): pass GH_TOKEN to docker build via BuildKit secret (#73)
- fix(sbom): pass GH_TOKEN to docker build via BuildKit secret (#74)
- fix(dockerfile-linter): skip hadolint and upload when no Dockerfile present (#75)
- fix(dockerfile-linter, sbom): address CodeRabbit review findings

Signed-off-by: Justus-at-Tazama <jortlepp@contractor.linuxfoundation.org>

Labels

enhancement New feature or request
