From b77864ae2754cbb8fe69b04dd2e62a0481efd624 Mon Sep 17 00:00:00 2001 From: Gen Tamura Date: Thu, 13 Nov 2025 09:38:34 +0900 Subject: [PATCH 1/6] chore: import org security workflows --- .github/workflows/codeql.yml | 98 +++++++++++++++++++++++++ .github/workflows/dependency-review.yml | 53 +++++++++++++ .github/workflows/oss-scorecard.yml | 80 ++++++++++++++++++++ 3 files changed, 231 insertions(+) create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/oss-scorecard.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..a8b265e --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,98 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL Advanced" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '29 12 * * 3' + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + # Runner size impacts CodeQL analysis time. To learn more, please see: + # - https://gh.io/recommended-hardware-resources-for-running-codeql + # - https://gh.io/supported-runners-and-hardware-resources + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: javascript-typescript + build-mode: none + # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Add any setup steps before running the `github/codeql-action/init` action. + # This includes steps like installing compilers or runtimes (`actions/setup-node` + # or others). This is typically only required for manual builds. + # - name: Setup runtime (example) + # uses: actions/setup-example@v1 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + - if: matrix.build-mode == 'manual' + shell: bash + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..c298e12 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,53 @@ +name: Dependency Review + +on: + pull_request: + types: [opened, synchronize, reopened] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Dependency Review + uses: actions/dependency-review-action@v4 + with: + license-check: true + + allow-licenses: | + MIT + BSD-2-Clause + BSD-3-Clause + Apache-2.0 + ISC + CC0-1.0 + Unlicense + + warn-licenses: | + LGPL-2.0 + LGPL-2.1 + LGPL-3.0 + MPL-2.0 + CDDL-1.0 + EPL-1.0 + EPL-2.0 + Artistic-2.0 + Public-Domain + + deny-licenses: | + GPL-1.0 + GPL-2.0 + GPL-3.0 + AGPL-1.0 + AGPL-3.0 + SSPL-1.0 + BUSL-1.1 + Elastic License 2.0 + Confluent Community License + Commons Clause + proprietary + unknown diff --git a/.github/workflows/oss-scorecard.yml b/.github/workflows/oss-scorecard.yml new file mode 100644 index 0000000..2737356 --- /dev/null +++ b/.github/workflows/oss-scorecard.yml @@ -0,0 +1,80 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '44 4 * * 4' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled. + if: > + (github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request') && + (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: "Checkout code" + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. + # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore + # file_mode: git + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif From a0c2a7e8e6c655ff72dbe07e86d0e0f77836a7e8 Mon Sep 17 00:00:00 2001 From: Gen Tamura Date: Thu, 13 Nov 2025 15:32:34 +0900 Subject: [PATCH 2/6] chore: pin checkout and codeql actions --- .github/workflows/codeql.yml | 2 +- .github/workflows/dependency-review.yml | 2 +- .github/workflows/oss-scorecard.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a8b265e..915cdc4 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -55,7 +55,7 @@ jobs: # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Add any setup steps before running the `github/codeql-action/init` action. # This includes steps like installing compilers or runtimes (`actions/setup-node` diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index c298e12..bb49156 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -11,7 +11,7 @@ jobs: dependency-review: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Dependency Review uses: actions/dependency-review-action@v4 diff --git a/.github/workflows/oss-scorecard.yml b/.github/workflows/oss-scorecard.yml index 2737356..2dcaeeb 100644 --- a/.github/workflows/oss-scorecard.yml +++ b/.github/workflows/oss-scorecard.yml @@ -75,6 +75,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard (optional). # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@530eb0ed8e1f00b4c982fe83c0126591f9f43df2 # v3.25.4 with: sarif_file: results.sarif From c0553d9ae82e5353d25cd461c5e848def8a725fa Mon Sep 17 00:00:00 2001 From: Gen Tamura Date: Thu, 13 Nov 2025 16:04:10 +0900 Subject: [PATCH 3/6] fix: pin dependency review inputs --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/dependency-review.yml | 25 +++---------------------- 2 files changed, 5 insertions(+), 24 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 915cdc4..ac9171b 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -65,7 +65,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@530eb0ed8e1f00b4c982fe83c0126591f9f43df2 # v3.25.4 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -93,6 +93,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@530eb0ed8e1f00b4c982fe83c0126591f9f43df2 # v3.25.4 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index bb49156..be86abe 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -14,30 +14,11 @@ jobs: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Dependency Review - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 with: license-check: true - - allow-licenses: | - MIT - BSD-2-Clause - BSD-3-Clause - Apache-2.0 - ISC - CC0-1.0 - Unlicense - - warn-licenses: | - LGPL-2.0 - LGPL-2.1 - LGPL-3.0 - MPL-2.0 - CDDL-1.0 - EPL-1.0 - EPL-2.0 - Artistic-2.0 - Public-Domain - + # Upstream action forbids mixing allow-licenses with deny-licenses. + # Maintain a single deny-list so the workflow enforces these blocks. deny-licenses: | GPL-1.0 GPL-2.0 From 5c3411e249cc356e485fdc1c1a948a50bafc4de8 Mon Sep 17 00:00:00 2001 From: Gen Tamura Date: Thu, 13 Nov 2025 16:30:20 +0900 Subject: [PATCH 4/6] fix: update gha pins --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/dependency-review.yml | 18 +++--------------- 2 files changed, 5 insertions(+), 17 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index ac9171b..6d3d024 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -65,7 +65,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@530eb0ed8e1f00b4c982fe83c0126591f9f43df2 # v3.25.4 + uses: github/codeql-action/init@5d5cd55a4a8ce28b5c828a53ea50ccaa43d562e3 # v3.31.2 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -93,6 +93,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@530eb0ed8e1f00b4c982fe83c0126591f9f43df2 # v3.25.4 + uses: github/codeql-action/analyze@5d5cd55a4a8ce28b5c828a53ea50ccaa43d562e3 # v3.31.2 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index be86abe..e11b965 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -17,18 +17,6 @@ jobs: uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 with: license-check: true - # Upstream action forbids mixing allow-licenses with deny-licenses. - # Maintain a single deny-list so the workflow enforces these blocks. - deny-licenses: | - GPL-1.0 - GPL-2.0 - GPL-3.0 - AGPL-1.0 - AGPL-3.0 - SSPL-1.0 - BUSL-1.1 - Elastic License 2.0 - Confluent Community License - Commons Clause - proprietary - unknown + allow-licenses: MIT,BSD-2-Clause,BSD-3-Clause,Apache-2.0,ISC,CC0-1.0,Unlicense + warn-licenses: LGPL-2.0,LGPL-2.1,LGPL-3.0,MPL-2.0,CDDL-1.0,EPL-1.0,EPL-2.0,Artistic-2.0,Public-Domain + deny-licenses: GPL-1.0,GPL-2.0,GPL-3.0,AGPL-1.0,AGPL-3.0,SSPL-1.0,BUSL-1.1,"Elastic License 2.0","Confluent Community License","Commons Clause",proprietary,unknown From 3d53aed3faf1932419ac838d1cc4065ea58444d0 Mon Sep 17 00:00:00 2001 From: Gen Tamura Date: Thu, 13 Nov 2025 21:31:11 +0900 Subject: [PATCH 5/6] fix: point codeql and dependency-review to valid SHAs --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/dependency-review.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 6d3d024..f9f51da 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -65,7 +65,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@5d5cd55a4a8ce28b5c828a53ea50ccaa43d562e3 # v3.31.2 + uses: github/codeql-action/init@5d5cd550d3e189c569da8f16ea8de2d821c9bf7a # v3.31.2 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -93,6 +93,6 @@ jobs: exit 1 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@5d5cd55a4a8ce28b5c828a53ea50ccaa43d562e3 # v3.31.2 + uses: github/codeql-action/analyze@5d5cd550d3e189c569da8f16ea8de2d821c9bf7a # v3.31.2 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index e11b965..4b7f4a5 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -18,5 +18,5 @@ jobs: with: license-check: true allow-licenses: MIT,BSD-2-Clause,BSD-3-Clause,Apache-2.0,ISC,CC0-1.0,Unlicense - warn-licenses: LGPL-2.0,LGPL-2.1,LGPL-3.0,MPL-2.0,CDDL-1.0,EPL-1.0,EPL-2.0,Artistic-2.0,Public-Domain - deny-licenses: GPL-1.0,GPL-2.0,GPL-3.0,AGPL-1.0,AGPL-3.0,SSPL-1.0,BUSL-1.1,"Elastic License 2.0","Confluent Community License","Commons Clause",proprietary,unknown + warn-licenses: LGPL-2.0-only,LGPL-2.1-only,LGPL-3.0-only,MPL-2.0,CDDL-1.0,EPL-1.0,EPL-2.0,Artistic-2.0,CC-PDDC + deny-licenses: GPL-1.0-only,GPL-2.0-only,GPL-3.0-only,AGPL-1.0-only,AGPL-3.0-only,SSPL-1.0,BUSL-1.1,Elastic-2.0,Confluent-Community,"Commons-Clause",PROPRIETARY,NOASSERTION From 93d3f7d5a6e59ed171526098aa64f461e085756a Mon Sep 17 00:00:00 2001 From: Gen Tamura Date: Thu, 13 Nov 2025 22:06:01 +0900 Subject: [PATCH 6/6] chore: rely solely on deny-licenses --- .github/workflows/dependency-review.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 4b7f4a5..6dc50ca 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -17,6 +17,4 @@ jobs: uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 with: license-check: true - allow-licenses: MIT,BSD-2-Clause,BSD-3-Clause,Apache-2.0,ISC,CC0-1.0,Unlicense - warn-licenses: LGPL-2.0-only,LGPL-2.1-only,LGPL-3.0-only,MPL-2.0,CDDL-1.0,EPL-1.0,EPL-2.0,Artistic-2.0,CC-PDDC - deny-licenses: GPL-1.0-only,GPL-2.0-only,GPL-3.0-only,AGPL-1.0-only,AGPL-3.0-only,SSPL-1.0,BUSL-1.1,Elastic-2.0,Confluent-Community,"Commons-Clause",PROPRIETARY,NOASSERTION + deny-licenses: GPL-1.0-only,GPL-2.0-only,GPL-3.0-only,AGPL-1.0-only,AGPL-3.0-only,SSPL-1.0,BUSL-1.1,Elastic-2.0