Skip to content

Commit cf8c848

Browse files
Merge pull request #17 from IntelPython/add-workflow-permissions
Add permissions and timeout for workflow
2 parents 2ba49e6 + b75f530 commit cf8c848

File tree

3 files changed

+97
-12
lines changed

3 files changed

+97
-12
lines changed

.github/dependabot.yml

Lines changed: 16 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,18 @@
11
version: 2
22
updates:
3-
- package-ecosystem: npm
4-
directory: "/"
5-
schedule:
6-
interval: daily
7-
time: '20:00'
8-
open-pull-requests-limit: 10
9-
- package-ecosystem: bundler
10-
directory: "/"
11-
schedule:
12-
interval: daily
13-
time: '20:00'
14-
open-pull-requests-limit: 10
3+
- package-ecosystem: npm
4+
directory: "/"
5+
schedule:
6+
interval: daily
7+
time: '20:00'
8+
open-pull-requests-limit: 10
9+
- package-ecosystem: bundler
10+
directory: "/"
11+
schedule:
12+
interval: daily
13+
time: '20:00'
14+
open-pull-requests-limit: 10
15+
- package-ecosystem: "github-actions"
16+
directory: "/"
17+
schedule:
18+
interval: "weekly"

.github/workflows/deploy-github-pages.yml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,15 +7,22 @@ on:
77
- main # <-- specify the branch you want to deploy from
88
pull_request:
99

10+
permissions: read-all
11+
1012
env:
1113
REPO_NAME: ${{ github.event.repository.name }}
1214
REPO_OWNER: ${{ github.repository_owner }}
1315

1416
jobs:
1517
deploy:
1618
runs-on: ubuntu-22.04
19+
timeout-minutes: 60
20+
permissions:
21+
contents: write
22+
pull-requests: write
1723
concurrency:
1824
group: ${{ github.workflow }}-${{ github.ref }}
25+
1926
steps:
2027
- uses: actions/checkout@v4
2128
with:
Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,74 @@
1+
# This workflow uses actions that are not certified by GitHub. They are provided
2+
# by a third-party and are governed by separate terms of service, privacy
3+
# policy, and support documentation.
4+
5+
name: Scorecard supply-chain security
6+
on:
7+
# For Branch-Protection check. Only the default branch is supported. See
8+
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
9+
branch_protection_rule:
10+
# To guarantee Maintained check is occasionally updated. See
11+
# https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
12+
schedule:
13+
- cron: '28 2 * * 1'
14+
- cron: '28 2 * * 4'
15+
push:
16+
branches: [ "master" ]
17+
18+
# Declare default permissions as read only.
19+
permissions: read-all
20+
21+
jobs:
22+
analysis:
23+
name: Scorecard analysis
24+
runs-on: ubuntu-latest
25+
timeout-minutes: 30
26+
permissions:
27+
# Needed to upload the results to code-scanning dashboard.
28+
security-events: write
29+
# Needed to publish results and get a badge (see publish_results below).
30+
id-token: write
31+
# Uncomment the permissions below if installing in a private repository.
32+
# contents: read
33+
# actions: read
34+
35+
steps:
36+
- name: "Checkout code"
37+
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
38+
with:
39+
persist-credentials: false
40+
41+
- name: "Run analysis"
42+
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
43+
with:
44+
results_file: results.sarif
45+
results_format: sarif
46+
# (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
47+
# - you want to enable the Branch-Protection check on a *public* repository, or
48+
# - you are installing Scorecard on a *private* repository
49+
# To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
50+
# repo_token: ${{ secrets.SCORECARD_TOKEN }}
51+
52+
# Public repositories:
53+
# - Publish results to OpenSSF REST API for easy access by consumers
54+
# - Allows the repository to include the Scorecard badge.
55+
# - See https://github.com/ossf/scorecard-action#publishing-results.
56+
# For private repositories:
57+
# - `publish_results` will always be set to `false`, regardless
58+
# of the value entered here.
59+
publish_results: true
60+
61+
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
62+
# format to the repository Actions tab.
63+
- name: "Upload artifact"
64+
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
65+
with:
66+
name: SARIF file
67+
path: results.sarif
68+
retention-days: 14
69+
70+
# Upload the results to GitHub's code scanning dashboard.
71+
- name: "Upload to code-scanning"
72+
uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
73+
with:
74+
sarif_file: results.sarif

0 commit comments

Comments
 (0)