From 32f8f870aae363fd70aa841cc67bc71b3f66970a Mon Sep 17 00:00:00 2001 From: Yonas Date: Tue, 26 Nov 2024 21:58:14 -0500 Subject: [PATCH] chore: Update badges in README. --- .github/workflows/changelog.yaml | 14 +++- .github/workflows/cross-build.yaml | 84 +++++++++++++++++++++-- .github/workflows/dependency-review.yml | 14 +++- .github/workflows/licenses.yaml | 50 ++++++++++++++ .github/workflows/lint.yaml | 53 +++++++------- .github/workflows/release-packaging.yaml | 14 +++- .github/workflows/scorecard.yaml | 18 ++++- .github/workflows/security.yaml | 21 +++++- .github/workflows/test-with-coverage.yaml | 14 +++- README.md | 13 ++-- 10 files changed, 247 insertions(+), 48 deletions(-) create mode 100644 .github/workflows/licenses.yaml diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml index 41318e7..47e0fb1 100644 --- a/.github/workflows/changelog.yaml +++ b/.github/workflows/changelog.yaml @@ -18,7 +18,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/cross-build.yaml b/.github/workflows/cross-build.yaml index fe320d7..b0c80af 100644 --- a/.github/workflows/cross-build.yaml +++ b/.github/workflows/cross-build.yaml 
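Review bot: The `allowed-endpoints` list added under `egress-policy: block` in changelog.yaml reads as the OSSF Scorecard endpoint set (api.scorecard.dev, www.bestpractices.dev, oss-fuzz-build-logs, the sigstore hosts) copied verbatim, and the identical list is pasted into cross-build.yaml, dependency-review.yml, licenses.yaml, lint.yaml, release-packaging.yaml, security.yaml and test-with-coverage.yaml. A blocking allowlist should be per job: the Rust jobs that install a toolchain with `dtolnay/rust-toolchain` and then run cargo will, as far as I can tell, also need the rustup and crates.io hosts (e.g. `static.rust-lang.org:443`, `index.crates.io:443`, `static.crates.io:443`), which are absent from every copy, while the scorecard-only hosts widen the permitted egress of every other job for no purpose. Moving from `audit` to `block` in one step means the first run will surface these as blocked connections; the audit logs from the previous policy are the right source for each job's real set. `disable-sudo: true` will likewise fail any later step in these jobs that installs system packages, which I cannot see from the hunks.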
@@ -32,7 +32,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: Checkout sources uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -57,7 +69,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: Checkout sources uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -101,7 +125,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: Checkout sources uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
@@ -135,7 +171,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: Checkout sources uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -165,7 +213,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: Checkout sources uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 @@ -189,7 +249,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: Checkout sources uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 21a469b..036b46d 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml 
@@ -19,7 +19,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: 'Checkout Repository' uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/licenses.yaml b/.github/workflows/licenses.yaml new file mode 100644 index 0000000..8dcdba2 --- /dev/null +++ b/.github/workflows/licenses.yaml @@ -0,0 +1,50 @@ +name: Licenses + +on: + workflow_call: + pull_request: + push: + branches: + - main + +env: + CARGO_TERM_COLOR: always + +jobs: + + deny-check: + name: License check + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 + with: + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa # nightly + with: + toolchain: nightly + + - name: Run cargo-deny + uses: yonasBSD/toolkit@4e361819e59fa6d66e9901bad4f0cee6d3b38b57 # main + with: + run: | + cargo-deny check licenses bans + echo "::group::List of licenses" + cargo-license --authors --do-not-bundle + echo "::endgroup::" + echo ### Licenses > $GITHUB_STEP_SUMMARY + cargo-license --authors --do-not-bundle >> $GITHUB_STEP_SUMMARY 
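Review bot: In the new licenses.yaml, `echo ### Licenses > $GITHUB_STEP_SUMMARY` in the `Run cargo-deny` step never writes the heading: an unquoted word beginning with `#` starts a shell comment, so the text and the redirect after it are discarded and `echo` prints a bare newline to the job log. Quote it, `echo "### Licenses" > "$GITHUB_STEP_SUMMARY"`, since the following `>>` line otherwise appends the license table under no heading; whether the `run:` input of `yonasBSD/toolkit` is executed by a POSIX shell is a property of that action I cannot see from the hunk. The new workflow also declares no top-level `permissions:` block while scorecard.yaml in this same patch uses `permissions: read-all`; because it runs on `pull_request` and `push`, the repository default GITHUB_TOKEN scope applies and it should be narrowed to `permissions: contents: read` to match the rest of the patch.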
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 3a96803..bccfbfa 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml @@ -22,7 +22,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: mozilla-actions/sccache-action@9e326ebed976843c9932b3aa0e021c6f50310eb4 # v0.0.6 @@ -51,7 +63,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: mozilla-actions/sccache-action@9e326ebed976843c9932b3aa0e021c6f50310eb4 # v0.0.6 
@@ -66,28 +90,3 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} args: --all-features name: Clippy Output - - deny-check: - name: License check - runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 - with: - egress-policy: audit - - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - - uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa # nightly - with: - toolchain: nightly - - - name: Run cargo-deny - uses: yonasBSD/toolkit@4e361819e59fa6d66e9901bad4f0cee6d3b38b57 # main - with: - run: | - cargo-deny check licenses bans - echo "::group::List of licenses" - cargo-license --authors --do-not-bundle - echo "::endgroup::" - echo ### Licenses > $GITHUB_STEP_SUMMARY - cargo-license --authors --do-not-bundle >> $GITHUB_STEP_SUMMARY diff --git a/.github/workflows/release-packaging.yaml b/.github/workflows/release-packaging.yaml index 104ab6c..7548f09 100644 --- a/.github/workflows/release-packaging.yaml +++ b/.github/workflows/release-packaging.yaml @@ -18,7 +18,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa # stable diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 286db83..7d854ea 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml 
@@ -1,4 +1,4 @@ -name: Scorecard supply-chain security +name: Scorecard Audit on: # For Branch-Protection check. Only the default branch is supported. See # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection @@ -15,7 +15,7 @@ permissions: read-all jobs: analysis: - name: Scorecard analysis + name: Supply Chain Analysis runs-on: ubuntu-latest permissions: # Needed to upload the results to code-scanning dashboard. @@ -27,7 +27,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - name: "Checkout code" uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 77dc50f..f63fcbd 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -1,4 +1,4 @@ -name: Security Scanner +name: Security Audit on: # Trigger analysis when pushing to your main branches, and when creating a pull request. @@ -10,7 +10,8 @@ on: types: [opened, synchronize, reopened] jobs: - analysis: + sonarqube: + name: SonarQube runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -25,6 +26,7 @@ jobs: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} secrets: + name: Secrets runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 @@ -39,6 +41,7 @@ jobs: run: task audit:secrets vulnerabilities: + name: Vulnerabilities runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 
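Review bot: Renaming the job ids and display names in security.yaml (`analysis` → `sonarqube`/`SonarQube`, plus the new `Secrets` and `Vulnerabilities` names) and in scorecard.yaml (`Scorecard analysis` → `Supply Chain Analysis`) changes the check-run names these jobs report; if branch protection or rulesets list the old names as required status checks, those entries will stop matching and need updating in the same change. The three renamed security.yaml jobs still check out with the floating tag `actions/checkout@v4` (context lines) while every other workflow in this patch pins actions to a full commit SHA with a version comment, and they have no Harden Runner step in the visible context, so they are the one place the repo's pinning and egress policy does not apply. Pin them the same way, `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. The bodies of these jobs continue outside the hunks.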
@@ -70,7 +73,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: dtolnay/rust-toolchain@315e265cd78dad1e1dcf3a5074f6d6c47029d5aa # stable diff --git a/.github/workflows/test-with-coverage.yaml b/.github/workflows/test-with-coverage.yaml index f19e4a8..49ac8de 100644 --- a/.github/workflows/test-with-coverage.yaml +++ b/.github/workflows/test-with-coverage.yaml @@ -29,7 +29,19 @@ jobs: - name: Harden Runner uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: - egress-policy: audit + disable-sudo: true + egress-policy: block + allowed-endpoints: > + api.deps.dev:443 + api.github.com:443 + api.osv.dev:443 + api.scorecard.dev:443 + fulcio.sigstore.dev:443 + github.com:443 + oss-fuzz-build-logs.storage.googleapis.com:443 + rekor.sigstore.dev:443 + tuf-repo-cdn.sigstore.dev:443 + www.bestpractices.dev:443 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 diff --git a/README.md b/README.md index d736ab1..c6323af 100644 --- a/README.md +++ b/README.md 
@@ -1,10 +1,13 @@ # Rust CI with GitHub Actions -![Linting workflow](https://github.com/yonasBSD/rust-ci-github-actions-workflow/actions/workflows/lint.yaml/badge.svg) -![testing workflow](https://github.com/yonasBSD/rust-ci-github-actions-workflow/actions/workflows/test-with-coverage.yaml/badge.svg) -![packaging](https://github.com/yonasBSD/rust-ci-github-actions-workflow/actions/workflows/release-packaging.yaml/badge.svg) -![cross-build](https://github.com/yonasBSD/rust-ci-github-actions-workflow/actions/workflows/cross-build.yaml/badge.svg) - +![Licenses](https://github.com/yonasBSD/rust-ci-github-actions-workflow/actions/workflows/licenses.yaml/badge.svg) +![Linting](https://github.com/yonasBSD/rust-ci-github-actions-workflow/actions/workflows/lint.yaml/badge.svg) +![Testing](https://github.com/yonasBSD/rust-ci-github-actions-workflow/actions/workflows/test-with-coverage.yaml/badge.svg) +![Packaging](https://github.com/yonasBSD/rust-ci-github-actions-workflow/actions/workflows/release-packaging.yaml/badge.svg) +![Cross-Build](https://github.com/yonasBSD/rust-ci-github-actions-workflow/actions/workflows/cross-build.yaml/badge.svg) + +![Security Audit](https://github.com/yonasBSD/rust-ci-github-actions-workflow/actions/workflows/security.yaml/badge.svg) +![Scorecard Audit](https://github.com/yonasBSD/rust-ci-github-actions-workflow/actions/workflows/scorecard.yaml/badge.svg) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=yonasBSD_rust-ci-github-actions-workflow&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=yonasBSD_rust-ci-github-actions-workflow) [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=yonasBSD_rust-ci-github-actions-workflow&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=yonasBSD_rust-ci-github-actions-workflow) 
[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=yonasBSD_rust-ci-github-actions-workflow&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=yonasBSD_rust-ci-github-actions-workflow)