Skip to content

ci: improve OpenSSF Scorecard security posture#230

Merged
rhuanbarreto merged 2 commits into
mainfrom
fix/scorecard-env
Apr 26, 2026
Merged

ci: improve OpenSSF Scorecard security posture#230
rhuanbarreto merged 2 commits into
mainfrom
fix/scorecard-env

Conversation

@rhuanbarreto

Copy link
Copy Markdown
Contributor

Summary

Addresses multiple OpenSSF Scorecard findings to improve the project's security score (currently 6.6/10).

  • Scorecard workflow fixes — Remove global env block that caused workflow failure; scope token permissions to job-level; add CODEOWNERS
  • Pin all GitHub Actions by hash — Pin TrigenSoftware/simple-release-action@v1 by commit SHA in release.yml (3 occurrences). All actions across all workflows are now hash-pinned. Resolves PinnedDependenciesID alerts (8 → 10)
  • Signed release provenance — Add actions/attest-build-provenance@v4 to release-binaries.yml. Generates SLSA build provenance attestations for each platform binary and uploads .sigstore.json bundles as release assets. Addresses Signed-Releases check (0 → 8). Users can verify with gh attestation verify <artifact> --repo archgate/cli
  • Fuzz tests — Add property-based fuzz tests for the Zod schema parsing layer (parseAdr, parseFrontmatter, AdrFrontmatterSchema, DomainNameSchema, DomainPrefixSchema, ProjectConfigSchema) using hand-rolled generators (no new dependencies per ARCH-006)

Expected Scorecard Impact

Check Before After
Pinned-Dependencies 8/10 10/10
Signed-Releases 0/10 8/10
Token-Permissions 10/10 10/10 (maintained)

Test plan

  • bun run validate passes (lint, typecheck, format, 688 tests, 22/22 ADR rules, build)
  • All 20 new fuzz tests pass with 3,374+ assertions
  • After merge + next release: verify .sigstore.json files appear in GitHub Release assets
  • After merge: re-run Scorecard workflow and confirm score improvement
  • Verify attestation with gh attestation verify <artifact> --repo archgate/cli

- Pin TrigenSoftware/simple-release-action@v1 by commit hash in
  release.yml (resolves 3 Scorecard PinnedDependenciesID alerts)
- Add SLSA build provenance attestation via
  actions/attest-build-provenance@v4 in release-binaries.yml
- Upload .sigstore.json bundles as release assets alongside binaries
  (addresses Scorecard Signed-Releases check, 0 → 8)
- Add fuzz tests for ADR and project-config schema parsing layers
  (parseFrontmatter, parseAdr, AdrFrontmatterSchema, DomainNameSchema,
  DomainPrefixSchema, ProjectConfigSchema)
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Apr 26, 2026

Copy link
Copy Markdown

Deploying archgate-cli with  Cloudflare Pages  Cloudflare Pages

Latest commit: f336052
Status: ✅  Deploy successful!
Preview URL: https://e1cf1e66.archgate-cli.pages.dev
Branch Preview URL: https://fix-scorecard-env.archgate-cli.pages.dev

View logs

Adds a workflow_dispatch workflow that iterates over all existing
releases, downloads each binary artifact, signs it with cosign
(keyless OIDC via Sigstore), and uploads the .sigstore.json bundle
as a release asset. Skips artifacts that already have a signature.

This backfills the Scorecard Signed-Releases check for releases
published before the attestation step was added to release-binaries.yml.

Run once after merge, safe to re-run (idempotent).
@rhuanbarreto rhuanbarreto merged commit 67b89da into main Apr 26, 2026
9 checks passed
@rhuanbarreto rhuanbarreto deleted the fix/scorecard-env branch April 26, 2026 17:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant